First things first: the question is not about how to use the fingerprint scan API recently introduced in Android M. My question is what kind of design approach a developer should follow to integrate the API on top of already existing security measures (password-based, federated, etc.).
So I have an app in production with an API that takes a username and password (over HTTPS) and generates an access token for the user. The access token is long-lived and is used to generate a much shorter-lived session token. The user has to authenticate using this API, and subsequent access to back-end services is authenticated with the generated session token.
Now, with the advent of the fingerprint scan API, how do I handle user authentication? Remember that I need to generate the session token at some point. So what kind of use-case design do I follow? Should it be that the user has to log in at least once after app installation with the username/password approach, and on successful authentication the username and password are retained in persistent storage in encrypted form, which in turn is protected by the fingerprint authentication (this is like two-level authentication if you consider it that way)?
Any better suggestions from anyone who has come across a similar use case in their app?
Related question: I read somewhere that the keystore stores the keys outside of any specific app process. Is it possible for another app to read a key value if it somehow gets hold of the key alias I have used to save the key in the store?
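Added example (not code from the asker's app) of the design sketched in the question, with one substitution: the blob gated by the fingerprint is the long-lived access token rather than the password, so the password itself is never persisted on the device. The class name, key alias and the Android M `FingerprintManager` flow are assumptions made for the example.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;

public class TokenVault {
    private static final String KEY_ALIAS = "access_token_key"; // illustrative alias
    private static final String STORE = "AndroidKeyStore";
    private static final String TRANSFORM = "AES/GCM/NoPadding";

    // One-time setup: a non-exportable AES key the keystore will only use after the user
    // authenticates; with no validity window, every use must be unlocked by a fingerprint scan.
    static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .build());
        kg.generateKey();
    }

    // Cipher prepared to decrypt the token ciphertext saved at first login (IV stored beside it).
    // If a new fingerprint was enrolled since, init throws KeyPermanentlyInvalidatedException:
    // discard the blob and fall back to the username/password login.
    static Cipher decryptCipher(byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, ks.getKey(KEY_ALIAS, null), new GCMParameterSpec(128, iv));
        return c;
    }

    // The cipher inside the CryptoObject only becomes usable once the scan succeeds, so a
    // successful doFinal proves a matching fingerprint as well as possession of the device.
    static void unlockToken(FingerprintManager fm, byte[] iv, final byte[] ciphertext) throws Exception {
        fm.authenticate(new FingerprintManager.CryptoObject(decryptCipher(iv)),
                new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult r) {
                        try {
                            byte[] token = r.getCryptoObject().getCipher().doFinal(ciphertext);
                            // exchange the long-lived token for a short-lived session token here
                        } catch (Exception e) { /* bad GCM tag: blob tampered, require password login */ }
                    }
                }, null);
    }
}
```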