xamarin.androidx.biometric: _biometricsService.CanAuthenticate always returns false

Question

xamarin.androidx.biometric: _biometricsService.CanAuthenticate always returns false

Sreenivasan, Sreejith 125

Fingerprint authentication is working fine in my xamarin forms project using xamarin.androidx.biometric. Now I am migrating it to MAUI and I am getting false value for _biometricsService.CanAuthenticate.

Below is my IBiometricsService interface:


public interface IBiometricsService

{

    LocalAuthenticationType CanAuthenticationWith();

    void AuthenticateUser(Action<bool, string> OnAuthComplete);

    Task<bool> CanAuthenticate(bool devicePassword = false);

}

Android platform BiometricsService service adding below:


[assembly: Dependency(typeof(BiometricsService))]

namespace Project.Android.Services

{

    public class BiometricsService : IBiometricsService

    {

        private Context _context;

        private BiometricManager _biometricManager;

        public BiometricsService()

        {

            _context = Controls.Instance;

        }

        public async Task<bool> CanAuthenticate(bool devicePassword = false)

        {

            if (_context == null)

                return false;

            // Check for biometric permission — starting from Android 10 (API 29) permission is not required for BiometricManager

            // But for backward compatibility, we check

            if (Build.VERSION.SdkInt < BuildVersionCodes.Q)

            {

                var permissionResult = ContextCompat.CheckSelfPermission(_context, Manifest.Permission.UseFingerprint);

                if (permissionResult != Permission.Granted)

                    return false;

            }

            _biometricManager = BiometricManager.From(_context);

            var canAuthenticate = _biometricManager.CanAuthenticate(

                AndroidX.Biometric.BiometricManager.Authenticators.BiometricStrong

                | AndroidX.Biometric.BiometricManager.Authenticators.DeviceCredential);

            return canAuthenticate == AndroidX.Biometric.BiometricManager.BiometricSuccess;

        }

        public async void AuthenticateUser(Action<bool, string> OnAuthComplete)

        {

            var resp = await DependencyService.Get<IFingerprintAuth>().GetAuthenticateAsync("test");

            if (resp.isAutheticated)

            {

                OnAuthComplete?.Invoke(true, string.Empty);

            }

            else

            {

                OnAuthComplete?.Invoke(false, resp.ErrorMessage);

            }

        }

        public LocalAuthenticationType CanAuthenticationWith()

        {

            LocalAuthenticationType authType = LocalAuthenticationType.None;

            //var context = Android.App.Application.Context;

            var context = global::Android.App.Application.Context;

            if (global::Android.OS.Build.VERSION.SdkInt >= global::Android.OS.BuildVersionCodes.M)

            {

                var biometricManager = AndroidX.Biometric.BiometricManager.From(context);

                int canAuthenticate = biometricManager.CanAuthenticate(

                    AndroidX.Biometric.BiometricManager.Authenticators.BiometricStrong |

                    AndroidX.Biometric.BiometricManager.Authenticators.DeviceCredential);

                switch (canAuthenticate)

                {

                    case AndroidX.Biometric.BiometricManager.BiometricSuccess:

                        authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;

                        break;

                    case AndroidX.Biometric.BiometricManager.BiometricErrorNoHardware:

                    case AndroidX.Biometric.BiometricManager.BiometricErrorNoneEnrolled:

                    case AndroidX.Biometric.BiometricManager.BiometricErrorHwUnavailable:

                        authType = LocalAuthenticationType.None;

                        break;

                    default:

                        authType = LocalAuthenticationType.None;

                        break;

                }

                // 🔐 Check if device lockscreen (PIN/pattern/password) is set

                var keyguardManager = (KeyguardManager)context.GetSystemService(global::Android.Content.Context.KeyguardService);

                if (keyguardManager.IsKeyguardSecure)

                {

                    if (authType == LocalAuthenticationType.None)

                        authType = LocalAuthenticationType.Pin;

                }

                // 👆 Check permission for fingerprint usage (older Android versions)

                var permissionResult = ContextCompat.CheckSelfPermission(context, Manifest.Permission.UseFingerprint);

                if (permissionResult == global::Android.Content.PM.Permission.Granted)

                {

                    if (authType == LocalAuthenticationType.None)

                        authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;

                }

            }

            return authType;

        }

    }

}

I have added below permissions in my AndroidManifest.xml


<uses-permission android:name="android.permission.USE_BIOMETRIC" />

<uses-permission android:name="android.permission.USE_FINGERPRINT" />

I have register the BiometricsService like below in MAUIProgram.cs like below:


#if ANDROID

        builder.Services.AddSingleton<IBiometricsService, BiometricsService>();

#endif

Finally accessing it like below:


private readonly IBiometricsService _biometricsService;

public LoginPMAViewModel(IBiometricsService biometricsService) : base(navigationService)

{

    _biometricsService = biometricsService;

}

//accessing it like below, but value is false

var canAuthenticate = await _biometricsService.CanAuthenticate(false);

Is there anything else do we need to add make it work? And xamarin.androidx.biometric is it support for MAUI?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Tony Dinh (WICLOUD CORPORATION) 3,835 Microsoft External Staff

Hello @Sreenivasan, Sreejith !

The NuGet package Xamarin.AndroidX.Biometric provides .NET for Android and .NET MAUI bindings for the official AndroidX Biometric library. It continues to support BiometricPrompt for fingerprint, face, and device credentials on devices running API 14+, so you’re fully covered. Just make sure the package is referenced from your Android head project in MAUI.

Regarding to the issue, here are the common reasons why your existing Xamarin.Forms biometric code returns false:

In .NET MAUI, DependencyService is still available for backward compatibility, but it’s no longer the recommended way to resolve platform-specific services. It exists mainly to ease migration, and relying on it can cause initialization issues.
After migration that object may no longer exist or be initialized. In your BiometricsService, you’re using Controls.Instance as the context. In MAUI, that may not be initialized properly. Instead, use Platform.CurrentActivity (via Platform.AppContext or MauiApplication.Context) to ensure you’re passing a valid Android Context.
BiometricManager.CanAuthenticate() requires correct flags. In MAUI, you should explicitly pass:
```
    BiometricManager.Authenticators.BiometricStrong | BiometricManager.Authenticators.DeviceCredential
```
If you only pass one, some devices will return false.
Since you already added:
```
    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
    <uses-permission android:name="android.permission.USE_FINGERPRINT" />
```
This is correct. But on Android 11+ (API 30+), USE_FINGERPRINT is deprecated. Ensure that you request runtime permissions for biometrics if targeting <29.

Other factors that CanAuthenticate will return false if:

No fingerprint/face enrolled
No secure lock screen set
Hardware unavailable

You can check this with:

    var keyguardManager = (KeyguardManager)context.GetSystemService(Context.KeyguardService);
    bool isSecure = keyguardManager?.IsKeyguardSecure ?? false;

You can update your BiometricsService constructor and context usage:

public BiometricsService()
{
    _context = Platform.AppContext ?? Android.App.Application.Context;
    _biometricManager = BiometricManager.From(_context);
}

And ensure your CanAuthenticate method checks both biometric and device credential:

var canAuthenticate = _biometricManager.CanAuthenticate(
    BiometricManager.Authenticators.BiometricStrong |
    BiometricManager.Authenticators.DeviceCredential);
 
return canAuthenticate == BiometricManager.BiometricSuccess;

With these adjustments, your biometric checks in MAUI should behave consistently with your Xamarin.Forms implementation.

I hope this helps! Let me know if you have solved your issue or have any questions!

Sreenivasan, Sreejith 125 Reputation points

2025-10-06T11:02:36.5166667+00:00

@Tony Dinh (WICLOUD CORPORATION) I am working on this, will update you ASAP.
Tony Dinh (WICLOUD CORPORATION) 3,835 Reputation points Microsoft External Staff

2025-10-13T02:33:34.1566667+00:00

Hello @Sreenivasan, Sreejith !

Has this issue been solved? If you agree with my suggestion, please mark this as final answer to your question, thank you!

Sreenivasan, Sreejith 125

@Tony Dinh (WICLOUD CORPORATION)

I have updated the BiometricsService as per your suggestions, but still getting false for canAuthenticate.

Below is the updated BiometricsService, could you please check and suggest if anything pending.

public class BiometricsService : IBiometricsService
{
    private readonly Context _context;
    private BiometricManager _biometricManager;
    private readonly IFingerprintAuth _fingerprintAuth; // optional, inject via DI

    // Parameterless ctor (works if you don't inject IFingerprintAuth).
    // If you plan to authenticate (BiometricPrompt), register and inject IFingerprintAuth via DI.
    public BiometricsService()
    {
        // Use MAUI Platform.AppContext if available; fallback to Android application context
        try
        {
            // Platform.AppContext is available in MAUI; we don't refer to Microsoft.Maui.* types here to avoid extra deps
            _context = global::Android.App.Application.Context;
        }
        catch
        {
            _context = global::Android.App.Application.Context;
        }

        _biometricManager = BiometricManager.From(_context);
    }

    // Constructor that supports DI for IFingerprintAuth (recommended)
    public BiometricsService(IFingerprintAuth fingerprintAuth) : this()
    {
        _fingerprintAuth = fingerprintAuth;
    }

    /// <summary>
    /// Checks whether biometric or device credential auth is available.
    /// </summary>
    /// <param name="devicePassword">If true, treat device credential (PIN/pattern/password) as acceptable.</param>
    public async Task<bool> CanAuthenticate(bool devicePassword = false)
    {
        if (_context == null)
            return false;

        // Legacy permission check for Android < Q (API 29)
        if (Build.VERSION.SdkInt < BuildVersionCodes.Q)
        {
            var perm = ContextCompat.CheckSelfPermission(_context, Manifest.Permission.UseFingerprint);
            if (perm != global::Android.Content.PM.Permission.Granted)
                return false;
        }

        _biometricManager = BiometricManager.From(_context);

        var authenticators = BiometricManager.Authenticators.BiometricStrong
                             | BiometricManager.Authenticators.DeviceCredential;

        int canAuthenticate = _biometricManager.CanAuthenticate(authenticators);

        // Debug logging suggestion:
        // Android.Util.Log.Debug("BiometricsService", $"CanAuthenticate returned: {canAuthenticate}");

        if (canAuthenticate == BiometricManager.BiometricSuccess)
            return true;

        // If device credential is allowed and device keyguard is secure — treat as true when requested
        try
        {
            var keyguardManager = (KeyguardManager)_context.GetSystemService(Context.KeyguardService);
            bool isSecure = keyguardManager?.IsKeyguardSecure ?? false;
            if (isSecure && devicePassword)
            {
                return true;
            }
        }
        catch
        {
            // swallow any platform-specific exceptions and continue returning false
        }

        return false;
    }

    /// <summary>
    /// Keep this signature to match your existing IBiometricsService.
    /// This method delegates actual prompt/auth to IFingerprintAuth when available.
    /// </summary>
    public async void AuthenticateUser(Action<bool, string> OnAuthComplete)
    {
        try
        {
            if (_fingerprintAuth != null)
            {
                var resp = await _fingerprintAuth.GetAuthenticateAsync("Authenticate");
                if (resp != null && resp.isAutheticated)
                    OnAuthComplete?.Invoke(true, string.Empty);
                else
                    OnAuthComplete?.Invoke(false, resp?.ErrorMessage ?? "Authentication failed");
            }
            else
            {
                // No IFingerprintAuth registered - return a failure message
                OnAuthComplete?.Invoke(false, "Fingerprint auth implementation not registered. Register IFingerprintAuth in MAUI DI.");
            }
        }
        catch (Exception ex)
        {
            OnAuthComplete?.Invoke(false, ex.Message);
        }
    }

    /// <summary>
    /// Returns which local authentication method is available (None/Pin/Fingerprint etc.)
    /// </summary>
    public LocalAuthenticationType CanAuthenticationWith()
    {
        LocalAuthenticationType authType = LocalAuthenticationType.None;
        var context = _context ?? global::Android.App.Application.Context;

        if (Build.VERSION.SdkInt >= BuildVersionCodes.M)
        {
            var biometricManager = BiometricManager.From(context);
            int canAuthenticate = biometricManager.CanAuthenticate(
                BiometricManager.Authenticators.BiometricStrong |
                BiometricManager.Authenticators.DeviceCredential);

            switch (canAuthenticate)
            {
                case BiometricManager.BiometricSuccess:
                    authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;
                    break;
                case BiometricManager.BiometricErrorNoHardware:
                case BiometricManager.BiometricErrorNoneEnrolled:
                case BiometricManager.BiometricErrorHwUnavailable:
                default:
                    authType = LocalAuthenticationType.None;
                    break;
            }

            // Check if keyguard (PIN/pattern/password) is set
            try
            {
                var keyguardManager = (KeyguardManager)context.GetSystemService(Context.KeyguardService);
                if (keyguardManager?.IsKeyguardSecure ?? false)
                {
                    if (authType == LocalAuthenticationType.None)
                        authType = LocalAuthenticationType.Pin;
                }
            }
            catch
            {
                // ignore
            }

            // legacy permission check (older Android)
            var permissionResult = ContextCompat.CheckSelfPermission(context, Manifest.Permission.UseFingerprint);
            if (permissionResult == global::Android.Content.PM.Permission.Granted)
            {
                if (authType == LocalAuthenticationType.None)
                    authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;
            }
        }

        return authType;
    }
}

Tony Dinh (WICLOUD CORPORATION) 3,835 Reputation points Microsoft External Staff

2025-10-14T02:58:49.8566667+00:00
Hello @Sreenivasan, Sreejith !

Your updated BiometricsService is close, but there are still a few issues that explain why CanAuthenticate always returns false in .NET MAUI. Here are the key points to address I can give:

Context Source

In your constructor you’re still using:

_context = global::Android.App.Application.Context;

In .NET MAUI this may not be tied to the current activity, which causes BiometricManager.CanAuthenticate to fail.
Example fix:

_context = Platform.AppContext ?? Android.App.Application.Context;

This ensures you’re passing a valid Context.

Debugging the Return Code

You can add logging to see the exact reason for failure, this will tell you if the issue is enrollment, hardware, or context:

int canAuthenticate = _biometricManager.CanAuthenticate(authenticators); Android.Util.Log.Debug("BiometricsService", $"CanAuthenticate returned: {canAuthenticate}");

0 → BiometricSuccess

11 → BiometricErrorNoneEnrolled

12 → BiometricErrorHwUnavailable

Permissions

Keep <uses-permission android:name="android.permission.USE_BIOMETRIC" />

Remove <uses-permission android:name="android.permission.USE_FINGERPRINT" /> if targeting API 30+, since it’s deprecated.

For API <29, ensure runtime permission requests are handled.

Enrollment & Lock Screen

Even with correct flags, CanAuthenticate will return false if:

No fingerprint/face is enrolled.

No secure lock screen is set.

You already check KeyguardManager.IsKeyguardSecure, but make sure to confirm that at least one biometric is enrolled on the device.

Dependency Injection

Your AuthenticateUser relies on IFingerprintAuth. If this isn’t registered in MauiProgram.cs, it will always fail.

builder.Services.AddSingleton<IFingerprintAuth, FingerprintAuthImplementation>();

Testing Environment

Emulators often return false unless you configure enrolled fingerprints in the emulator settings.

Always test on a physical device with biometrics enrolled.

With these adjustments, your CanAuthenticate should return true when biometrics or device credentials are properly set up.

I hope this helps!

Sreenivasan, Sreejith 125

@Tony Dinh (WICLOUD CORPORATION) I did all the new suggestions and still getting false value. I am testing it in physical device and getting -2 value for the canAuthenticate

[BiometricsService] CanAuthenticate returned: -2

-2 stands for device does not have biometric hardware. But on my device, fingerprint and screen lock are enabled and it is working fine on the xamarin version of the same project.

Updated BiometricsService:

public class BiometricsService : IBiometricsService
{
    private readonly Context _context;
    private BiometricManager _biometricManager;
    private readonly IFingerprintAuth _fingerprintAuth; // optional, inject via DI

    // Parameterless ctor (works if you don't inject IFingerprintAuth).
    // If you plan to authenticate (BiometricPrompt), register and inject IFingerprintAuth via DI.
    public BiometricsService()
    {
        // Use MAUI Platform.AppContext if available; fallback to Android application context
        try
        {
            // Platform.AppContext is available in MAUI; we don't refer to Microsoft.Maui.* types here to avoid extra deps
            //_context = global::Android.App.Application.Context;
            _context = Platform.AppContext ?? global::Android.App.Application.Context;
        }
        catch
        {
            //_context = global::Android.App.Application.Context;
            _context = Platform.AppContext ?? global::Android.App.Application.Context;
        }

        _biometricManager = BiometricManager.From(_context);
    }

    // Constructor that supports DI for IFingerprintAuth (recommended)
    public BiometricsService(IFingerprintAuth fingerprintAuth) : this()
    {
        _fingerprintAuth = fingerprintAuth;
    }

    /// <summary>
    /// Checks whether biometric or device credential auth is available.
    /// </summary>
    /// <param name="devicePassword">If true, treat device credential (PIN/pattern/password) as acceptable.</param>
    public async Task<bool> CanAuthenticate(bool devicePassword = false)
    {
        if (_context == null)
            return false;

        // Legacy permission check for Android < Q (API 29)
        if (Build.VERSION.SdkInt < BuildVersionCodes.Q)
        {
            var perm = ContextCompat.CheckSelfPermission(_context, Manifest.Permission.UseFingerprint);
            if (perm != global::Android.Content.PM.Permission.Granted)
                return false;
        }

        _biometricManager = BiometricManager.From(_context);

        var authenticators = BiometricManager.Authenticators.BiometricStrong
                             | BiometricManager.Authenticators.DeviceCredential;

        int canAuthenticate = _biometricManager.CanAuthenticate(authenticators);
        global::Android.Util.Log.Debug("BiometricsService", $"CanAuthenticate returned: {canAuthenticate}");

        // Debug logging suggestion:
        // Android.Util.Log.Debug("BiometricsService", $"CanAuthenticate returned: {canAuthenticate}");

        if (canAuthenticate == BiometricManager.BiometricSuccess)
            return true;

        // If device credential is allowed and device keyguard is secure — treat as true when requested
        try
        {
            var keyguardManager = (KeyguardManager)_context.GetSystemService(Context.KeyguardService);
            bool isSecure = keyguardManager?.IsKeyguardSecure ?? false;
            if (isSecure && devicePassword)
            {
                return true;
            }
        }
        catch
        {
            // swallow any platform-specific exceptions and continue returning false
        }

        return false;
    }

    /// <summary>
    /// Keep this signature to match your existing IBiometricsService.
    /// This method delegates actual prompt/auth to IFingerprintAuth when available.
    /// </summary>
    public async void AuthenticateUser(Action<bool, string> OnAuthComplete)
    {
        try
        {
            if (_fingerprintAuth != null)
            {
                var resp = await _fingerprintAuth.GetAuthenticateAsync("Authenticate");
                if (resp != null && resp.isAutheticated)
                    OnAuthComplete?.Invoke(true, string.Empty);
                else
                    OnAuthComplete?.Invoke(false, resp?.ErrorMessage ?? "Authentication failed");
            }
            else
            {
                // No IFingerprintAuth registered - return a failure message
                OnAuthComplete?.Invoke(false, "Fingerprint auth implementation not registered. Register IFingerprintAuth in MAUI DI.");
            }
        }
        catch (Exception ex)
        {
            OnAuthComplete?.Invoke(false, ex.Message);
        }
    }

    /// <summary>
    /// Returns which local authentication method is available (None/Pin/Fingerprint etc.)
    /// </summary>
    public LocalAuthenticationType CanAuthenticationWith()
    {
        LocalAuthenticationType authType = LocalAuthenticationType.None;
        var context = _context ?? global::Android.App.Application.Context;

        if (Build.VERSION.SdkInt >= BuildVersionCodes.M)
        {
            var biometricManager = BiometricManager.From(context);
            int canAuthenticate = biometricManager.CanAuthenticate(
                BiometricManager.Authenticators.BiometricStrong |
                BiometricManager.Authenticators.DeviceCredential);

            switch (canAuthenticate)
            {
                case BiometricManager.BiometricSuccess:
                    authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;
                    break;
                case BiometricManager.BiometricErrorNoHardware:
                case BiometricManager.BiometricErrorNoneEnrolled:
                case BiometricManager.BiometricErrorHwUnavailable:
                default:
                    authType = LocalAuthenticationType.None;
                    break;
            }

            // Check if keyguard (PIN/pattern/password) is set
            try
            {
                var keyguardManager = (KeyguardManager)context.GetSystemService(Context.KeyguardService);
                if (keyguardManager?.IsKeyguardSecure ?? false)
                {
                    if (authType == LocalAuthenticationType.None)
                        authType = LocalAuthenticationType.Pin;
                }
            }
            catch
            {
                // ignore
            }

            // legacy permission check (older Android)
            var permissionResult = ContextCompat.CheckSelfPermission(context, Manifest.Permission.UseFingerprint);
            if (permissionResult == global::Android.Content.PM.Permission.Granted)
            {
                if (authType == LocalAuthenticationType.None)
                    authType = LocalAuthenticationType.BiometryTouchID_Or_Fingerprint;
            }
        }

        return authType;
    }
}

Updated FingerprintAuth

public class FingerprintAuth : IFingerprintAuth
{
    static readonly string _DIALOG_FRAGMENT_TAG = "fingerprint_auth_fragment";

    FingerprintManagerApiDialogFragment _dialogFrag;
    BiometricManager _biometricManager;
    Context _context;

    FingerprintAuthenticatedResult _result;
    TaskCompletionSource<FingerprintAuthenticatedResult> _taskCompletionSource;

    public FingerprintAuth()
    {
        //_context = Android.App.Application.Context;
        _context = Platform.AppContext ?? Android.App.Application.Context;
        _biometricManager = BiometricManager.From(_context);
    }

    public async Task<bool> CanAuthenticate(bool devicePassword = false)
    {
        if (_context == null)
            return false;

        // For Android < Q, check legacy fingerprint permission
        if (Android.OS.Build.VERSION.SdkInt < Android.OS.BuildVersionCodes.Q)
        {
            var permissionResult = ContextCompat.CheckSelfPermission(_context, Manifest.Permission.UseFingerprint);
            if (permissionResult != Permission.Granted)
                return false;
        }

        // Check if device can authenticate with strong biometrics or device credential
        var canAuthenticate = _biometricManager.CanAuthenticate(
            BiometricManager.Authenticators.BiometricStrong |
            BiometricManager.Authenticators.DeviceCredential);

        return canAuthenticate == BiometricManager.BiometricSuccess;
    }

    public async Task<FingerprintAuthenticatedResult> GetAuthenticateAsync(string reason, bool devicePassword = false, CancellationToken cancellationToken = default)
    {
        _taskCompletionSource = new TaskCompletionSource<FingerprintAuthenticatedResult>();

        Authenticate(reason, cancellationToken);

        _result = await _taskCompletionSource.Task;

        return _result;
    }

    public void SetResult(FingerprintAuthenticatedResult result)
    {
        _taskCompletionSource.TrySetResult(result);
    }

    private void Authenticate(string reason, CancellationToken cancellationToken)
    {
        try
        {
            _result = new FingerprintAuthenticatedResult();

            // Use BiometricManager to create dialog fragment
            _dialogFrag = FingerprintManagerApiDialogFragment.NewInstance(_result, _biometricManager, cancellationToken, this);
            _dialogFrag.Init();

            //var currentActivity = Controls.Instance; // should be your FragmentActivity
            //var currentActivity = Controls.Instance as AndroidX.Fragment.App.FragmentActivity;
            var currentActivity = Platform.CurrentActivity as FragmentActivity;
            //_dialogFrag.Show(currentActivity.FragmentManager, _DIALOG_FRAGMENT_TAG);
            _dialogFrag.Show(currentActivity.SupportFragmentManager, _DIALOG_FRAGMENT_TAG);

        }
        catch (Exception ex)
        {
            Console.WriteLine($"FingerprintAuth Authenticate exception: {ex}");
        }
    }
}

Tony Dinh (WICLOUD CORPORATION) 3,835 Microsoft External Staff

Hello @Sreenivasan, Sreejith !

You can try to logging the _context, as it critical for BiometricManager. If Platform.AppContext is null or incorrect, it could cause BiometricManager to fail. Example code:

public BiometricsService()
{
    _context = Platform.AppContext ?? global::Android.App.Application.Context;
    global::Android.Util.Log.Debug("BiometricsService", $"Platform.AppContext is {(Platform.AppContext == null ? "null" : "not null")}");
    _biometricManager = BiometricManager.From(_context);
    global::Android.Util.Log.Debug("BiometricsService", $"Context type: {_context.GetType().FullName}");
}

Run the app and check the logcat output for the context type. It should be something like Android.App.Application or a MAUI-specific context.
If Platform.AppContext is null, the fallback to Android.App.Application.Context might not provide the correct environment for BiometricManager.

If the context is null or incorrect, try accessing the current activity’s context explicitly:

public BiometricsService()
{
    _context = Platform.CurrentActivity ?? global::Android.App.Application.Context;
    _biometricManager = BiometricManager.From(_context);
    global::Android.Util.Log.Debug("BiometricsService", $"Context type: {_context.GetType().FullName}");
}

Test Authenticator Combinations

The -2 error might occur if the specified authenticators (BiometricStrong | DeviceCredential) are not supported. Some devices may only support BiometricWeak or require different flags. You can test CanAuthenticate with different authenticator flags to isolate the issue. Modify CanAuthenticate in BiometricsService to log results for various authenticator types, example code:

public async Task<bool> CanAuthenticate(bool devicePassword = false)
{
    if (_context == null)
    {
        global::Android.Util.Log.Debug("BiometricsService", "Context is null");
        return false;
    }
 
    // Check legacy permission check for Android < Q (API 29)
    if (Build.VERSION.SdkInt < BuildVersionCodes.Q)
    {
        var perm = ContextCompat.CheckSelfPermission(_context, Manifest.Permission.UseFingerprint);
        if (perm != global::Android.Content.PM.Permission.Granted)
        {
            global::Android.Util.Log.Debug("BiometricsService", "USE_FINGERPRINT permission not granted");
            return false;
        }
    }
 
    _biometricManager = BiometricManager.From(_context);
 
    // Test different authenticator combinations
    var authenticators = new[]
    {
        BiometricManager.Authenticators.BiometricStrong,
        BiometricManager.Authenticators.BiometricWeak,
        BiometricManager.Authenticators.DeviceCredential,
        BiometricManager.Authenticators.BiometricStrong | BiometricManager.Authenticators.DeviceCredential,
        BiometricManager.Authenticators.BiometricWeak | BiometricManager.Authenticators.DeviceCredential
    };
 
    foreach (var auth in authenticators)
    {
        int result = _biometricManager.CanAuthenticate(auth);
        global::Android.Util.Log.Debug("BiometricsService", $"CanAuthenticate({auth}) returned: {result}");
        if (result == BiometricManager.BiometricSuccess)
        {
            global::Android.Util.Log.Debug("BiometricsService", $"Supported authenticator: {auth}");
            if (auth == BiometricManager.Authenticators.BiometricStrong ||
                auth == BiometricManager.Authenticators.BiometricWeak ||
                auth == (BiometricManager.Authenticators.BiometricStrong | BiometricManager.Authenticators.DeviceCredential) ||
                auth == (BiometricManager.Authenticators.BiometricWeak | BiometricManager.Authenticators.DeviceCredential))
            {
                return true;
            }
        }
    }
    // Fallback to keyguard check if devicePassword is allowed
    try
    {
        var keyguardManager = (KeyguardManager)_context.GetSystemService(Context.KeyguardService);
        bool isSecure = keyguardManager?.IsKeyguardSecure ?? false;
        global::Android.Util.Log.Debug("BiometricsService", $"Keyguard secure: {isSecure}");
        if (isSecure && devicePassword)
        {
            return true;
        }
    }
    catch (Exception ex)
    {
        global::Android.Util.Log.Debug("BiometricsService", $"Keyguard check failed: {ex.Message}");
    }
 
    return false;
}

If only BiometricWeak or DeviceCredential returns BiometricSuccess, adjust your authenticator flags:

var authenticators = BiometricManager.Authenticators.BiometricWeak | BiometricManager.Authenticators.DeviceCredential;
int canAuthenticate = _biometricManager.CanAuthenticate(authenticators);

Verify Device Biometric Enrollment

Since you’ve confirmed fingerprint and screen lock are enabled, try double-check the enrollment status programmatically, example logging confirmations:

// paste this code in CanAuthenticate after the permission check
if (canAuthenticate == BiometricManager.BiometricErrorNoneEnrolled)
{
    global::Android.Util.Log.Debug("BiometricsService", "No biometrics enrolled");
}
else if (canAuthenticate == BiometricManager.BiometricErrorNoHardware)
{
    global::Android.Util.Log.Debug("BiometricsService", "No biometric hardware detected");
}
else if (canAuthenticate == BiometricManager.BiometricErrorHwUnavailable)
{
    global::Android.Util.Log.Debug("BiometricsService", "Biometric hardware unavailable");
}

If no biometrics are enrolled (BiometricErrorNoneEnrolled), you can prompt the user to enroll a fingerprint with var intent = new Intent(Android.Provider.Settings.ActionSecuritySettings); or set up a screen lock with

Device-Specific

Some Android devices or OS versions (especially custom ROMs or specific manufacturers like Samsung, Xiaomi) may misreport biometric hardware due to quirks in the Android Biometric API. Try to log th edevie details to identify potential issues with:

global::Android.Util.Log.Debug("BiometricsService", $"Device: {Build.Manufacturer} {Build.Model}, API: {Build.VERSION.SdkInt}");

Other check if fallback

Check your NuGet Package and MAUI compatibility: The xamarin.androidx.biometric package is a binding for AndroidX Biometric, but its behavior in MAUI may differ due to platform changes.
- Ensure you’re using the latest version of xamarin.androidx.biometric. Check the NuGet package manager for updates (e.g., version 1.1.0 or higher).
- Verify your .NET MAUI version (e.g., .NET 8 or 9) and ensure compatibility with AndroidX libraries.
- Confirm the xamarin.androidx.biometric package is referenced in the Android platform project (not the shared project).
Compare with Xamarin.Forms Setup: You mentioned the code worked in Xamarin.Forms, try to compare the environment between:
- NuGet Versions: Check the xamarin.androidx.biometric version used in Xamarin.Forms vs. MAUI if match.
- Context Usage: Xamarin.Forms likely used Android.App.Application.Context or an activity context. Ensure MAUI’s context matches.
- API Level: Confirm the Android API level of the test device matches what worked in Xamarin.Forms.

If all above steps are all failed, you can try to test on another physical device or an emulator with biometric support (e.g., Android Emulator with API 30+ and biometric emulation enabled). You can provide what you find from logging output from code, device details, .NET MAUI version and xamarin.androidx.biometric NuGet version. Also, confirmation of whether KeyguardManager.IsDeviceSecure and IsKeyguardSecure return true.

I hope this helps!

Sreenivasan, Sreejith 125 Reputation points

2025-10-17T07:07:51.6466667+00:00

@Tony Dinh (WICLOUD CORPORATION) I have a build issue on VS and I can't run the app now. I need admin access to fix it, and I will get back to you with the suggested solution results ASAP. Thanks.
Tony Dinh (WICLOUD CORPORATION) 3,835 Reputation points Microsoft External Staff

2025-10-22T03:13:33.3266667+00:00

Hello @Sreenivasan, Sreejith ! Have you solved your issue? Please let me know if you stuck anywhere so I can help you!
Sreenivasan, Sreejith 125 Reputation points

2025-10-23T05:29:39.0633333+00:00

@Tony Dinh (WICLOUD CORPORATION)
I am stuck due to this issue. I can't check your last solution due to this, please give me some time, I am working on it.
Sreenivasan, Sreejith 125 Reputation points

2025-10-27T08:08:27.7333333+00:00

@Tony Dinh (WICLOUD CORPORATION)

Thank you for your guidance and sorry for the late response since I am stuck with another issue as I mentioned above.

The issue is resolved now. The root cause of the CanAuthenticate() returning -2 in our MAUI migration was due to the context being passed to BiometricManager. Using Platform.AppContext or Application.Context alone did not provide a proper Activity context, which is required for detecting biometric hardware and enrolled fingerprints. Once we updated the BiometricsService constructor to use Platform.CurrentActivity ?? Platform.AppContext ?? Application.Context, the issue was resolved, and CanAuthenticate() now correctly returns success on devices with biometrics enrolled. We have also included your suggested logging and authenticator combination checks to ensure robust detection across devices.

Thank you again for the detailed guidance, I am accepting your answer, hope you update the answer with needed changes.

Share via

xamarin.androidx.biometric: _biometricsService.CanAuthenticate always returns false

0 additional answers

Your answer