This is by design. In order to protect users' privacy, we do not wish background tabs or embedded iframes from an origin other than the outer frame's origin to be able to register a new U2F key. U2F registration yields a strong identifier for the user on the origin that gets the registration data, namely, a public key and key handle. We wish to ensure the user has given direct, informed consent of that operation. See FIDO's Privacy Principle #1:

"Require explicit, informed user consent for any operation using personal data

This includes collection and use of personal, identifiable data during registration, user verification, and transaction confirmation."

https://fidoalliance.org/assets/images/general/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf

When a registration is allowed from a background tab, the user can't know which tab is requesting access, and the consent cannot be considered informed. As a result, registration from background tabs is not allowed.

HI Juan,

I understand the reasoning and you have a point.

However, I see two issues with the current behavior:

1) chrome fails silently and lets the attempt time out. this is an issue, either because the user can't do what he expects to do and doesn't understand why or because a background tab tried a protected action and the user is not warned about it.

2) the action is still performed. Why doesn't chrome abort it as soon as the tab leaves focus?

Out of curiosity, why is a displayed foreground tab that just doesn't have window focus considered a background tab?