New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 669913 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Feature



Sign in to add a comment

Support on-device fingerprint scanner

Project Member Reported by stillers@google.com, Nov 30 2016

Issue description

Add APIs to allow websites to determine whether a user is present, and whether they're an authorized user of the device.

This is needed for progressive web apps to provide security features similar to that available to native apps.

The corresponding Android API:

https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication

iOS:

https://developer.apple.com/reference/localauthentication
 

Comment 1 by owe...@chromium.org, Nov 30 2016

Cc: sabineb@chromium.org
Thanks for filing this! It's in the go/fizz-features backlog but we've not yet prioritized it due to no developer requests.

That said, I've seen an increasing use of it on iOS lately so it may be time to start doing something. I've reached out to a couple folk for their thoughts, perhaps a good 2017 project!
Components: Blink

Comment 3 by owe...@chromium.org, Feb 20 2018

Cc: engedy@chromium.org
Status: Available (was: Untriaged)
Balazs - am I right in saying that when we ship WebAuthN that will include support for sites to use the fingerprint scanner?

Comment 4 by engedy@chromium.org, Feb 20 2018

Cc: martinkr@google.com
Components: -Blink Blink>WebAuthentication
You are correct that the long-term plan is to expose these devices through the WebAuthN API. More specifically, when calling the API to request an assertion, the relying party will have the option to require user verification [1], which can indeed be implemented through biometrics.

Note that, however, unless the fingerprint reader exposes itself as FIDO U2F or CTAP 2.0 authenticator, we will need to add some amount of logic in Chrome on each platform for each kind of biometric device.

1: https://www.w3.org/TR/webauthn/#enumdef-userverificationrequirement

Comment 5 by stillers@google.com, Feb 21 2018

> we will need to add some amount of logic in Chrome on each platform for each kind of biometric device

So, to be clear, if Android apps on a particular device support the fingerprint scanner (via the standard Android API), will it be supported by Chrome, with the same security properties?
Well, Chrome's support is completely independent of other apps' support for the fingerprint scanner. 

The WebAuthN API will support the use of creating WebAuthN credentials and assertions with the fingerprint scanner, with all the security guarantees that the WebAuthN API provides. I don't know that they are one and the same as those of the Android API.

In the case of Android, the logic in Chrome actually calls the FIDO2 GMSCore API, which does the actual interaction with the fingerprint scanner by treating the scanner as a CTAP 2.0 authenticator.

Comment 7 by engedy@chromium.org, Mar 31 2018

Labels: -Pri-3 M-69 Pri-2
Status: Started (was: Available)
Kim, I'm assigning this to you, given this bug is Android-specific, and mark it as started, as you have started work on interfacing with the GMSCore API (in  Issue 678885 ).

Could you please update the milestone accordingly? (I'm not sure how soon the GMSCore API will be equipped to handle the fingerprint scanner.)
Owner: kpaulhamus@chromium.org
Yep, sounds good. And M69 is correct. 
Labels: -M-69 M-70
Status: Fixed (was: Started)

Sign in to add a comment