Introduction

The FACETID (facet ID) is a unique identifier used in FIDO2/WebAuthn for Android apps that provides:

| Feature | Description |
| --- | --- |
| App Identity Verification | It uniquely identifies which Android app is requesting FIDO2 credentials, based on the app’s signing certificate. |
| Prevents App Spoofing | Only the app signed with the same certificate can access the credentials created under that FACETID. This protects against malicious apps pretending to be your app. |
| Credential Binding | FIDO2 credentials (public keys) are bound to the FACETID, ensuring they can only be used by the same app in the future. |
| Trust Anchor in WebAuthn | The FACETID is sent during registration and authentication. Relying parties use it to validate app origin and enforce app-level access control. |

In order to use the Belvo Android SDK for biometric authentication, you need to generate a FACETID for your app. This is essential for FIDO2/WebAuthn operations and is used to ensure that the credentials are securely bound to your app. In this guide, we will walk you through the steps to generate a FACETID for your Android app.

Generating FACETID

To generate your app's FACETID:

  1. Locate your app’s signing certificate (usually .jks or .keystore). For example: my-release-key.jks
  2. Export the signing certificate in .der format.
Export Signing Certificate
## Export the certificate
keytool -exportcert \
  -alias your-key-alias \
  -keystore my-release-key.jks \
  -storepass your-keystore-password \
  -rfc > cert.pem

## Convert to DER format
openssl x509 -in cert.pem -outform DER -out cert.der
  3. Generate the SHA-256 hash of the certificate.
Generate SHA-256 Hash
openssl dgst -sha256 -binary cert.der | openssl base64 -A
  4. Convert Base64 to Base64URL:
    • Replace + with -
    • Replace / with _
    • Remove = padding at the end of the string.

For example, nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai/5ahhSE08= becomes nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08.

  5. Build the FACETID.
Building FACETID Example
## FACETID format
android:apk-key-hash:<base64url_encoded_hash>

## Example with Base64URL encoded hash
android:apk-key-hash:nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08
  6. Share your FACETID with Belvo.
Done!

Done! You have successfully generated your app's FACETID. After you have shared it with Belvo, you can continue with the integration of the Belvo Android SDK for biometric payments.

Handy Script

Our fantastic developer team has created a handy script to help automate the FACETID generation process.

How to use:

  1. Save the code below as generate_facetid.sh.
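  2. Update the KEYSTORE_PATH, ALIAS, and STOREPASS variables with your app's details. The saved script then holds your keystore password in plain text, so keep it out of version control.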
  3. Make the script executable: chmod +x generate_facetid.sh
  4. Run the script: ./generate_facetid.sh

Check it out below:

FACETID Generation Script
#!/bin/bash
# Abort on the first failed step so a stale or empty cert file is never hashed.
set -euo pipefail

# === CONFIGURATION ===
KEYSTORE_PATH="my-release-key.jks"
ALIAS="your-key-alias"
STOREPASS="your-keystore-password"

# === TEMP FILES ===
CERT_PEM="cert.pem"
CERT_DER="cert.der"

# === 1. Export cert in PEM format ===
echo "[*] Exporting cert to PEM..."
keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$STOREPASS" -rfc > "$CERT_PEM"

# === 2. Convert PEM to DER ===
echo "[*] Converting PEM to DER..."
openssl x509 -in "$CERT_PEM" -outform DER -out "$CERT_DER"

# === 3. SHA-256 hash + Base64 ===
echo "[*] Generating SHA-256 hash..."
BASE64_HASH=$(openssl dgst -sha256 -binary "$CERT_DER" | openssl base64 -A)

# === 4. Convert Base64 to Base64URL ===
FACET_HASH=$(echo "$BASE64_HASH" | tr '+/' '-_' | tr -d '=')

# === 5. Output ===
echo ""
echo "✅ FACETID:"
echo "android:apk-key-hash:$FACET_HASH"
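
Before sharing the FACETID, it can be cross-checked against the colon-separated SHA-256 fingerprint that `keytool -list -v` prints for the same alias. The following is an added example, not part of Belvo's script: the function names `facetid_to_hex` and `facetid_matches_fingerprint` are hypothetical, and it assumes `base64`, `od` and `tr` are installed.

```bash
#!/bin/bash
# Added example, not Belvo's code: decode a FACETID back to the certificate
# digest and compare it with a SHA-256 fingerprint.
# The function names are hypothetical; base64, od and tr are assumed installed.

FACETID_PREFIX="android:apk-key-hash:"

# Print the 64-character lowercase hex digest encoded in a FACETID.
# Returns 1 if the prefix, alphabet or length is wrong or padding was kept.
facetid_to_hex() {
  local hash hex
  case "$1" in "$FACETID_PREFIX"*) ;; *) return 1 ;; esac
  hash=${1#"$FACETID_PREFIX"}
  # Only Base64URL characters are allowed: no "+", "/" or "=".
  case "$hash" in *[!A-Za-z0-9_-]*) return 1 ;; esac
  # A SHA-256 digest is 32 bytes, which is exactly 43 unpadded characters.
  [ "${#hash}" -eq 43 ] || return 1
  # Reverse the Base64URL step (restore + and /, re-add "="), then hex-dump.
  hex=$(printf '%s=' "$hash" | tr '_-' '/+' | base64 -d 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n')
  [ "${#hex}" -eq 64 ] || return 1
  printf '%s\n' "$hex"
}

# Return 0 if the FACETID encodes the fingerprint, 1 if it does not,
# 2 if the FACETID is malformed. Accepts "AB:CD:..." or plain hex, any case.
facetid_matches_fingerprint() {
  local got want
  got=$(facetid_to_hex "$1") || return 2
  want=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-F' 'a-f')
  [ "$got" = "$want" ]
}

# Demo with the example FACETID from this guide: prints its digest as hex.
facetid_to_hex "android:apk-key-hash:nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08"
```

A status of 1 from `facetid_matches_fingerprint` means the FACETID was built from a different certificate than the one whose fingerprint was supplied.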