Thales FaceID removal

Since Protector OATH SDK V6.0, the optional Thales FaceID feature is no longer supported. Customers who are using the SDK package that includes this feature will have to migrate to the standard SDK package.


In terms of APIs, the Thales FaceID package is a combination of the standard package and Thales FaceID support. Migrating to the standard package therefore only requires you to remove the Thales FaceID API calls. The other features such as Token, OOB, and Secure Storage, and their data (for example, the provisioned Tokens and the enrolled OOB client), are not affected. The application can use other authenticators in the standard package, for example device FingerPrint/FaceId, to replace Thales FaceID.

Steps to migrate from Thales FaceID version to the standard version

Since Thales FaceID support is removed, you can perform the following steps to clean up the existing apps. In general, this includes:

  • Removing the camera-related permissions.
    • If the other components of the application do not require this permission, the application should remove it.
  • Removing the face assets/libraries.
  • Removing the discontinued FaceID-related APIs such as face enrollment, authentication with face, and so on.
  • Removing the FaceID runtime data/files.

Optionally, you can use other supported authentication methods such as BioFingerprint and Biometric.


The following permissions can be removed from the AndroidManifest.xml file, unless they are needed by another application component.

<uses-permission android:name="android.permission.CAMERA"/> 
<uses-permission android:name="android.permission.READ_PHONE_STATE"/> 
<uses-feature android:name=""/>


These assets are no longer needed:

  • data/FacesCreateTemplateMediumLite.ndf
  • data/FacesCreateTemplateSmall.ndf
  • data/FacesDetectSegmentsFeaturePointsTrack.ndf
  • data/FacesDetectSegmentsLiveness.ndf
  • data/FacesDetectSegmentsOrientation.ndf
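
A build-time check for the permission and asset cleanup above, as an added example that is not part of the Thales documentation or SDK: it walks a project source tree and reports the face assets and FaceID-era permissions listed on this page that are still present. The function names and report layout are assumptions; permissions are reported for review only, because another component may still need them.

```python
import os
import xml.etree.ElementTree as ET

# Asset file names and permissions are taken from the lists on this page.
FACE_ASSETS = {
    "FacesCreateTemplateMediumLite.ndf",
    "FacesCreateTemplateSmall.ndf",
    "FacesDetectSegmentsFeaturePointsTrack.ndf",
    "FacesDetectSegmentsLiveness.ndf",
    "FacesDetectSegmentsOrientation.ndf",
}
REVIEW_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def manifest_permissions(manifest_path):
    """Return the listed permissions still declared in a plain-text manifest."""
    try:
        root = ET.parse(manifest_path).getroot()
    except ET.ParseError:
        # A compiled (binary) manifest from an unzipped APK is not plain XML.
        return None
    declared = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    return sorted(declared & REVIEW_PERMISSIONS)


def find_faceid_leftovers(project_root):
    """Walk a source tree (hypothetical layout) and report leftovers."""
    report = {"assets": [], "permissions": {}, "unparsed_manifests": []}
    for dirpath, _dirs, files in os.walk(project_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, project_root).replace(os.sep, "/")
            if name in FACE_ASSETS:
                report["assets"].append(rel)
            elif name == "AndroidManifest.xml":
                perms = manifest_permissions(path)
                if perms is None:
                    report["unparsed_manifests"].append(rel)
                elif perms:
                    report["permissions"][rel] = perms
    report["assets"].sort()
    return report
```

Running it in CI and failing the build on a non-empty `assets` list keeps the face templates from being reintroduced by a stale branch or a cached module.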

Shared library

Remove the following shared library (.so) files:


API updates

The following packages are changed, so you have to update your applications accordingly:

Package name Status REMOVED REMOVED

Facial data files

There are some data files created by the FaceID module which can be removed to save space. These files are in the application private folder (for example, /data/data/package-name):

Folder (inside the private folder)    File name
databases                             eziosdk_02.db
databases                             eziosdk_02.db-journal
files                                 eziosdk.ems.lic
files                                 eziosdk_nt_01.db
files                                 FacialAES128keystore
files                                 FacialAES128run.dat
files                                 NTFacialAES128keystore_V1
files                                 NTFacialAES128run.dat

The following sample code snippet is used to remove these files:

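    private void cleanup() {
        Context context = getContext();

        // Paths relative to the application private folder, from the table above
        String[] fileToDelete = new String[]{
                "databases/eziosdk_02.db", "databases/eziosdk_02.db-journal",
                "files/eziosdk.ems.lic", "files/eziosdk_nt_01.db",
                "files/FacialAES128keystore", "files/FacialAES128run.dat",
                "files/NTFacialAES128keystore_V1", "files/NTFacialAES128run.dat"
        };

        // getFilesDir() is the "files" folder, so its parent is the private folder
        File based = context.getFilesDir().getParentFile();
        for (String filePath : fileToDelete)
            (new File(based, filePath)).delete();
    }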

(Optional) Using BioFingerprint/Biometric

To replace Thales FaceID authentication, you may use other authenticators supported by Protector OATH SDK, for example BioFingerprint and Android Biometric (including fingerprint, face and iris depending on the devices used). Here are some basic steps to activate biometric for token authentication on Android 9 or later:

// Create AuthenticationModule. It's the entry point for all authentication related features.
AuthenticationModule authModule = AuthenticationModule.create();

// Create an object that represents biometric authentication service
BiometricAuthService biometricAuthSvc = BiometricAuthService.create(authModule);

// Application should first check if the device is supporting this authenticator or not
boolean canUseBiometric = biometricAuthSvc.canAuthenticate();

// Finally, activate the biometric on the token
try {
    // Get object that represents biometric authentication functionality
    BiometricAuthMode biometricAuthMode = biometricAuthSvc.getAuthMode();

    // Activate biometric authentication mode
    // The token's pin must be passed in order to activate biometric mode
    token.activateAuthMode(biometricAuthMode, pinAuthInput);
} catch (IdpException e) {
   // Handle exceptions flow here
}

For detailed information, refer to: