Aitor Viana
Sep 9, 2016


I am not sure I understand your question. Do you mean logging in to a backend, either your own or using something like *Google sign-in*?

For this case, a good practice would be to first log in/authenticate the user account/password against the backend. After that first authentication, continue with fingerprint authentication (until the device reboots, a new fingerprint is added/removed…)

Android fingerprint itself only requires the USE_FINGERPRINT permission, but this is not a *dangerous* permission. There is no need to request it at runtime (no user friction).

Logging in to a particular backend should not require any *dangerous* permission either. It should be a (secure) exchange between the mobile device and the backend.

I remember *Google sign-in* required some permissions in the past, but I think that’s not the case anymore in recent versions.

I am not sure I answered your question; please let me know.
