I'm building a site that is using Webauthn for passwordless log in. Currently, this is working great on Chrome for Windows and macOS.
I'm using a YubiKey 5 to test my implementation which supports using a PIN to provide User Verification instead of just plain User Presence (i.e. user touched key's button).
However, when I try to use this same site on Chrome 76 on Android 9, I am not prompted for a pin and so the User Verification flag is not set and my log in (by design) fails.
Google has made a big deal about Android 7+ being FIDO2 compliant but I can't seem to find any mention of this critical missing feature other than an outdated article that mentions that:
We are also working on more advanced flows enabled by CTAP 2 and WebAuthn, such as PIN protected authenticators, local selection of accounts (instead of typing a username or password), and fingerprint enrollment.
Fingerprint enrollment is now supported; are PIN protected authenticators still unsupported even when the Windows and macOS versions of Chrome 76 do?
This is the relevant part of my call to navigator.credentials.create()
that should be requiring user verification:
"authenticatorSelection": {"requireResidentKey": false, "userVerification": "required"}
It turns out that this is currently not implemented in Android's Google Play Services. I've filed a bug with the Chromium project which is tracking its eventual implementation.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With