Your phone is not a house & that gate is not our phone security...
Sorry if it's ambiguous. I'm talking about MagiskManager's setting to require a fingerprint authentication before allowing root operations.
It's not about security, it's about just an easy way to give root permission.
You realize that by clearing Magisk app data, fingerprint will be removed right?
If you need security, revert to stock, lock the bootloader and encrypt your phone.
You realize that by clearing Magisk app data, fingerprint will be removed right?
Hm, if that's true then that's no good. Something needs to be done about this - store the relevant data in sudb instead of app data maybe? This discussion is interesting but out of scope of this particular issue.
Couple of points regarding your comment:
It's not about security, it's about just an easy way to give root permission.
I beg to disagree. Two claims here, let me address both:
"Easiness": Having fingerprint authentication in Magisk in no way makes it easier to give root permission to an app requesting it.
"Not about security": I can think of at least one vector of attack that fingerprint authentication can help disarm - an app with accessibility permissions just tapping on "grant root permission" button without the user. With current state of things, the hypothetical malicious app would be able to disable fingerprint auth setting in Magisk Manager settings and then proceed to giving itself root permissions.
If you need security, revert to stock, lock the bootloader and encrypt your phone.
Security is not black or white. It's about making it as hard as possible for adversaries to compromise the system. It is possible to have a reasonably secure rooted phone where you don't have to worry that obvious bugs or backdoors in the rooting software are compromising your phone more so than it already is (unlocked bootloader, apps you trust with root permission, etc).
Stepping back a bit, I'm surprised that I'm getting such defensive comments on what very clearly is a bug in the software. I'm in no way attacking anyone here. Magisk is an amazing piece of software and a step in the right direction - for once we have an OSS rooting software that works!
It can be made better though, and it should.
I don't think there should be a fingerprint authentication feature, it brings a false sense of security.
The developer must make access to the manager by fingerprint or pin code. When you request a request, you are asked to confirm yes, but you can go into the manager without a password and just put the checkbox to either application. So yes. The picture of the author is relevant. Holes are safe.
Great points, changes will be added!
Plus the Fingerprint setting is moved to the Magisk database making it immune to app data clear:
https://github.com/topjohnwu/Magisk/commit/d56e1b2cc5253acf66717c3d39f152593df2e323
That's even more cool and it's (kinda) secure now :D
Make then a PIN password if you are confused by the use of fingerprint.