Does Chrome on Android support User Verification on a security key using WebAuthn / FIDO2?

I'm building a site that is using WebAuthn for passwordless login. Currently, this is working great on Chrome for Windows and macOS.

I'm using a YubiKey 5 to test my implementation which supports using a PIN to provide User Verification instead of just plain User Presence (i.e. user touched key's button).

[Image: Windows PIN prompt]

However, when I try to use this same site on Chrome 76 on Android 9, I am not prompted for a PIN and so the User Verification flag is not set and my login (by design) fails.

Google has made a big deal about Android 7+ being FIDO2 compliant but I can't seem to find any mention of this critical missing feature other than an outdated article that mentions that:

We are also working on more advanced flows enabled by CTAP 2 and WebAuthn, such as PIN protected authenticators, local selection of accounts (instead of typing a username or password), and fingerprint enrollment.

Fingerprint enrollment is now supported; are PIN protected authenticators still unsupported even though the Windows and macOS versions of Chrome 76 support them?

This is the relevant part of my call to navigator.credentials.create() that should be requiring user verification:

"authenticatorSelection": {"requireResidentKey": false, "userVerification": "required"}
Birchfield answered 24/8, 2019 at 22:1 Comment(1)
You might want to check the Chromium bug list: bugs.chromium.org/p/chromium/issues/… and see if there is a similar issue ticket. - Viridian

It turns out that this is currently not implemented in Android's Google Play Services. I've filed a bug with the Chromium project which is tracking its eventual implementation.

Birchfield answered 29/8, 2019 at 2:33 Comment(0)
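
The relying-party check that rejects a touch-only assertion when user verification is required, as an added example that is not part of the original posts. The function names and sample bytes are constructed for illustration; a full verification would also check the rpIdHash, the challenge and the signature.

```javascript
// Flag bits of the authenticator data "flags" byte (WebAuthn authenticator data layout).
const FLAG_UP = 0x01; // bit 0: User Present (e.g. the key's button was touched)
const FLAG_UV = 0x04; // bit 2: User Verified (e.g. PIN or biometric was checked)

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data shorter than 37 bytes");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical policy check; `policy` mirrors the userVerification value
// the site sent in its create()/get() options.
function enforceUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "UP flag not set" };
  }
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "user verified" : "user present only" };
}

// Constructed sample data: zeroed rpIdHash placeholder, chosen flags, signCount.
function sampleAuthData(flags, signCount) {
  const data = new Uint8Array(37);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount, false);
  return data;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);            // key touched, no PIN prompt shown
const pinEntered = sampleAuthData(FLAG_UP | FLAG_UV, 8); // PIN entered before the touch

console.log(enforceUserVerification(touchOnly, "required"));
console.log(enforceUserVerification(pinEntered, "required"));
```

With `"userVerification": "required"`, the touch-only response is rejected, which is the failure described in the question.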
