web-auth / symfony-webauthn-demo

Demo Application using Symfony 6, Tailwind, FrankenPHP, AssetMapper and Webauthn
MIT License

Fingerprint is not suggested on Chrome / Android #125

Closed bpolaszek closed 2 years ago

bpolaszek commented 4 years ago

Hello there, and thank you for the awesome demo! :-)

Just 1 question: the demo works well with my Macbook's built-in fingerprint device, but not with my Google Pixel 3a's one (Chrome browser). The fingerprint is just not suggested in the options. I thought at first Chrome/Android was not compatible yet, but fingerprint is correctly suggested on some other implementations, Github 2FA for example (same device/browser):

[Screenshots from the Pixel 3a: the authenticator options offered by webauthn.spomky-labs.com versus those offered by Github.com]

Any ideas?

Thank you, Ben

Spomky commented 4 years ago

Hi @bpolaszek,

The fingerprint is suggested on my Android device and on the demo. Is your device rooted, or manufactured by a non-certified manufacturer? That could be the reason for this missing option.

EDIT: not relevant as no Attestation is asked ~~My understanding of the Android documentation is that it only works with certified devices (ctsProfileMatch shall be true). Hereafter the requirements. As you will see, it is very restrictive!~~

| Device status | Value of ctsProfileMatch |
| --- | --- |
| Certified, genuine device that passes CTS | true |
| Certified device with unlocked bootloader | false |
| Genuine but uncertified device, such as when the manufacturer doesn't apply for certification | false |
| Device with custom ROM (not rooted) | false |
| Emulator | false |
| No device (such as a protocol emulating script) | false |
| Signs of system integrity compromise, one of which may be rooting | false |
| Signs of other active attacks, such as API hooking | false |

It works fine on my device so this is not coming from the protocol or the server, but the device.

EDIT2: I've just tested with Opera, Chrome and Firefox, and it works fine. It fails on Brave and MS Edge.


bpolaszek commented 4 years ago

Oh, OK I get it, but it's a different use case. I have a non-rooted Pixel 3a with up-to-date Android stock.

I originally signed up with the user ben from Macbook / Chrome / fingerprint. Then, I can sign in with the user ben from Macbook / Chrome / fingerprint. But when I try to sign in with the user ben from Pixel 3a / Android / Chrome, fingerprint is not suggested (even though it wouldn't work).

Following your comment, I just signed up with a new user _benandroid from Pixel 3a / Android / Chrome, and fingerprint was suggested (along with the other options). When I try to sign in with the user _benandroid from Pixel 3a / Android / Chrome, only fingerprint is suggested (and it works). When I try to sign in with the user _benandroid from Macbook / Chrome, USB device and fingerprint are suggested, but clicking on fingerprint immediately throws an error (without prompting to press the fingerprint device).

[Screenshots from the Macbook: signing in as _benandroid, then the error shown after clicking on fingerprint]

So, it looks like the problem occurs when using multiple devices. Out of the scope of the demo, will figure out how to handle this myself. Just FYI.

Thank you for your work! Ben

Spomky commented 4 years ago

Oh OK I get it too!

Indeed, support for multiple authenticators is not implemented in this demo; that's why you cannot use both the laptop and the smartphone for the same user account.

This feature is still possible, and it's even recommended to register multiple authenticators. A few days ago, I created another demo, much simpler. You will find it here: https://github.com/web-auth/demo-symfony

This other demo supports multiple authenticator registration, so you should be able to add your laptop, a USB key, your smartphone or whatever device you want (no limitation). This repository has just 2 commits: after the installation of Symfony5 and after the installation of the bundle and all the stuff.

Anyway, I will take the time to enable multiple authenticator support in this demo; I will re-open the issue to keep it in mind.
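
The situation described in this thread, as an added example that is not the demo's or the bundle's own code: a relying party that keeps one credential per user cannot serve a laptop and a phone, because a platform authenticator (Touch ID, the Pixel's fingerprint reader) only offers itself for credential IDs it actually holds. The block keeps a list of credentials per user, derives the `excludeCredentials` and `allowCredentials` lists from it, and models the client's choice with a simplified `credentialsUsableOn` function. The relying-party ID `example.test`, the in-memory store and all credential IDs are constructed assumptions, and the client-side model is a simplification of what the browser does.

```javascript
// Added example, not code from the symfony-webauthn-demo project.
// Relying-party side of the thread's problem: credential storage per user
// and the WebAuthn ceremony options derived from it.

const RP_ID = 'example.test'; // assumed relying-party ID

// Constructed in-memory store: username -> array of registered credentials.
const users = new Map();

function toDescriptor(cred) {
  return { type: 'public-key', id: cred.id, transports: cred.transports };
}

// Record a credential after a successful registration ceremony. Appending
// (instead of overwriting a single stored credential, which is what the
// demo does) is what lets one account hold a MacBook and a Pixel credential.
function registerCredential(username, cred) {
  const list = users.get(username) || [];
  if (list.some((c) => c.id === cred.id)) {
    throw new Error(`credential ${cred.id} already registered for ${username}`);
  }
  list.push({
    id: cred.id,                        // base64url credential ID
    publicKey: cred.publicKey,          // COSE public key, opaque here
    transports: cred.transports || [],  // e.g. ['internal'] for a built-in sensor
    signCount: cred.signCount || 0,     // signature counter, for clone detection
  });
  users.set(username, list);
  return list.length;
}

// Options for navigator.credentials.create(): every credential the user
// already has goes into excludeCredentials, so an authenticator that already
// holds one refuses to create a duplicate for the same account.
function registrationOptions(username, challenge) {
  return {
    challenge,
    rp: { id: RP_ID, name: 'Example RP' },
    user: {
      id: Buffer.from(username, 'utf8').toString('base64url'),
      name: username,
      displayName: username,
    },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    excludeCredentials: (users.get(username) || []).map(toDescriptor),
    authenticatorSelection: { userVerification: 'preferred' },
  };
}

// Options for navigator.credentials.get(): allowCredentials lists every
// credential registered for the account, whichever device created it.
function authenticationOptions(username, challenge) {
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: (users.get(username) || []).map(toDescriptor),
    userVerification: 'preferred',
  };
}

// Simplified model of the client's choice (assumption, not the spec's full
// algorithm): a platform authenticator can only satisfy an allowed credential
// it holds. An empty result is the "fingerprint not suggested" symptom; a
// descriptor with transports ['internal'] that the local sensor does not hold
// is the "suggested but errors immediately" symptom from the Macbook.
function credentialsUsableOn(options, deviceCredentialIds) {
  const held = new Set(deviceCredentialIds);
  return options.allowCredentials
    .filter((d) => held.has(d.id))
    .map((d) => d.id);
}

// Walk-through of the thread with constructed credential IDs.
function demo() {
  registerCredential('ben', { id: 'cred-macbook', publicKey: 'pk-mac', transports: ['internal'] });
  // Only the MacBook credential is stored: the Pixel has nothing to offer.
  const onlyMac = credentialsUsableOn(authenticationOptions('ben', 'c1'), ['cred-pixel']); // []
  // Register the Pixel as a second authenticator on the same account.
  registerCredential('ben', { id: 'cred-pixel', publicKey: 'pk-pixel', transports: ['internal'] });
  const afterFix = credentialsUsableOn(authenticationOptions('ben', 'c2'), ['cred-pixel']); // ['cred-pixel']
  return { onlyMac, afterFix };
}
```

On the server, the same split applies at assertion time: look the presented credential ID up in the account's list, verify against that credential's stored public key, and update only that credential's signature counter.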

Spomky commented 2 years ago

Multiple authenticators are now available in the latest demo version.

bpolaszek commented 2 years ago

Thank you @Spomky! 🙏