New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 669913 link

Starred by 4 users
Status: Fixed
Owner:
kpaulhamus@chromium.org
Closed: Aug 15
Cc:
martinkr@google.com
engedy@chromium.org
owe...@chromium.org
sabineb@chromium.org
kenrb@chromium.org
ssoneff@google.com
kpaulhamus@chromium.org
jdoerrie@chromium.org
mknowles@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Feature



Sign in to add a comment

Support on-device fingerprint scanner

Project Member Reported by stillers@google.com, Nov 30 2016 
Add APIs to allow websites to determine whether a user is present, and whether they're an authorized user of the device.

This is needed for progressive web apps to provide security features similar to that available to native apps.

The corresponding Android API:

https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication

iOS:

https://developer.apple.com/reference/localauthentication

Comment 1 by owe...@chromium.org, Nov 30 2016

Cc: sabineb@chromium.org
Thanks for filing this! It's in the go/fizz-features backlog but we've not yet prioritized it due to no developer requests.

That said, I've seen an increasing use of it on iOS lately so it may be time to start doing something. I've reached out to a couple folk for their thoughts, perhaps a good 2017 project!

Comment 2 by dtapu...@chromium.org, Feb 20 2018

Components: Blink

Comment 3 by owe...@chromium.org, Feb 20 2018

Cc: engedy@chromium.org
Status: Available (was: Untriaged)
Balazs - am I right in saying that when we ship WebAuthN that will include support for sites to use the fingerprint scanner?

Comment 4 by engedy@chromium.org, Feb 20 2018

Cc: martinkr@google.com
Components: -Blink Blink>WebAuthentication
You are correct that the long-term plan is to expose these devices through the WebAuthN API. More specifically, when calling the API to request an assertion, the relying party will have the option to require user verification [1], which can indeed be implemented through biometrics.

Note that, however, unless the fingerprint reader exposes itself as FIDO U2F or CTAP 2.0 authenticator, we will need to add some amount of logic in Chrome on each platform for each kind of biometric device.

1: https://www.w3.org/TR/webauthn/#enumdef-userverificationrequirement

Comment 5 by stillers@google.com, Feb 21 2018 

> we will need to add some amount of logic in Chrome on each platform for each kind of biometric device

So, to be clear, if Android apps on a particular device support the fingerprint scanner (via the standard Android API), will it be supported by Chrome, with the same security properties?

Comment 6 by kpaulhamus@chromium.org, Feb 21 2018 

Well, Chrome's support is completely independent of other apps' support for the fingerprint scanner. 

The WebAuthN API will support the use of creating WebAuthN credentials and assertions with the fingerprint scanner, with all the security guarantees that the WebAuthN API provides. I don't know that they are one and the same as those of the Android API.

In the case of Android, the logic in Chrome actually calls the FIDO2 GMSCore API, which does the actual interaction with the fingerprint scanner by treating the scanner as a CTAP 2.0 authenticator.

Comment 7 by engedy@chromium.org, Mar 31 2018

Labels: -Pri-3 M-69 Pri-2
Status: Started (was: Available)
Kim, I'm assigning this to you, given this bug is Android-specific, and mark it as started, as you have started work on interfacing with the GMSCore API (in  Issue 678885 ).

Could you please update the milestone accordingly? (I'm not sure how soon the GMSCore API will be equipped to handle the fingerprint scanner.)

Comment 8 by kpaulhamus@chromium.org, Apr 2 2018

Owner: kpaulhamus@chromium.org
Yep, sounds good. And M69 is correct.

Comment 9 by kpaulhamus@chromium.org, Aug 15

Labels: -M-69 M-70
Status: Fixed (was: Started)

Sign in to add a comment