dfinity / internet-identity

Internet Identity, a blockchain authentication system for the Internet Computer
https://identity.ic0.app

Fingerprint security key option not found when adding the device to an existing account #1086

Open neokree opened 1 year ago

neokree commented 1 year ago

Hello,

I recently bought a new phone, and I was trying to add it to my existing internet identity, only to find out that there isn't an option for it.

[Screenshot_20221211-142908]

To be sure, with the same browser (Brave) I tried to create a new Identity, and this time the fingerprint option was available.

Is there a reason why you are not supporting the use of a fingerprint option when adding the device to an existing account?

Tested with a Google Pixel 6 with Android 13 installed

nmattia commented 1 year ago

Hi! Apologies for the delay, was off for a few weeks.

That's really surprising. I can actually reproduce this... but not with every anchor, which is really odd. Let me investigate a bit and come back to you; thanks for the report!

EDIT: and now I can't reproduce it anymore... something odd is happening here for sure!

neokree commented 1 year ago

Hi @nmattia I also found out that the biometric authentication is available if you first recover your anchor using the seed on the new device, and after logging in you add your new device.

neokree commented 1 year ago

Maybe it's something that happens only the first time you try to connect with a new device to an existing anchor? I can reproduce it every time by trying to log in to a random anchor.

nmattia commented 1 year ago

Ok, so we do exclude some authenticators when creating credentials for a new device:

https://github.com/dfinity/internet-identity/blob/b66fe925fb0a337b09aaaa5beaf1a60994b19f14/src/frontend/src/flows/addDevice/welcomeView/registerTentativeDevice.ts#L142

I'm not 100% sure why it's there and what it does; @frederikrothenberger can you clarify why it's needed and what exactly it does?

frederikrothenberger commented 1 year ago

This excludes already registered devices. I.e. it prevents creating a new credential if an existing one is already available on the same WebAuthn Authenticator. So you cannot register TouchID twice using the same MacBook, but you can register TouchID and a YubiKey that is attached to the same MacBook because the YubiKey is considered a different Authenticator.

nmattia commented 1 year ago

@frederikrothenberger what happens if you have two anchors, 10000 and 10001, and 10000 has TouchID and you want to add TouchID to 10001? Is TouchID on 10000 considered registering TouchID twice?

frederikrothenberger commented 1 year ago

@nmattia: No, the excluded credential IDs are the ones of the anchor you're trying to add a device to. So, when adding something to anchor 10000 you don't exclude any credentials used on other anchors.