Tags: android, security, fingerprint, android-keystore

Key authentication using fingerprint


I was reading this documentation:

... Such keys can only be generated or imported if at least one fingerprint is enrolled (see FingerprintManager.hasEnrolledFingerprints). These keys become permanently invalidated once a new fingerprint is enrolled or all fingerprints are unenrolled.

I get that they are invalidated permanently when all the enrolled fingerprints are unenrolled but is it so when there's a new fingerprint enrolled?

I was thinking Android Keystore abstracts the key usage from the fingerprints enrolled (when "authentication-required" set on a key) which would mean I can access the key(s) that require authentication defined by my application, regardless which enrolled fingerprint is used.

So, would that mean my keys will not be usable anymore once I enrol another fingerprint? Or am I interpreting that statement (in bold) very wrongly?


Solution

Well, apparently this is the case.

Because that's what Google chose to do to enhance security. If I get your password or PIN (and that's easy with binoculars), I can add my fingerprint to make it easier for me (after I've stolen your phone). And I'd be able to do all sorts of stuff from that point on.
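An added example (not from the question or the answer above) of what the quoted behaviour looks like from application code: the key is generated with user authentication required, and the app detects the permanent invalidation that follows a fingerprint enrollment change by catching KeyPermanentlyInvalidatedException when it initialises a cipher. It assumes API 24 or later for setInvalidatedByBiometricEnrollment, and the key alias is a placeholder.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class AuthBoundKey {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example_auth_bound_key"; // hypothetical alias

    /** Generates an AES key usable only after the user authenticates.
     *  With the default policy (what the documentation quoted above describes)
     *  the key is permanently invalidated when a new fingerprint is enrolled
     *  or when all fingerprints are removed. */
    public static void generate() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // API 24+: true is the default and keeps the behaviour the answer
                // describes, so a fingerprint added after a PIN is stolen cannot
                // unlock data protected by this key; false would opt out of it.
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }

    /** Returns a Cipher ready to be wrapped in a BiometricPrompt.CryptoObject,
     *  or null when the key has been permanently invalidated by an enrollment
     *  change. In that case the alias is deleted so the caller can generate a
     *  fresh key and re-protect its data after the user authenticates again. */
    public static Cipher initForEncryption() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Any data encrypted under this key is unrecoverable from here on.
            ks.deleteEntry(ALIAS);
            return null;
        }
    }
}
```

Because invalidation is permanent, anything the key protected must be recoverable by another path (for example, re-fetched from a server after a full login) rather than only by this key.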