
Issue 903031


Issue metadata

Status: WontFix
Owner:
Closed: Nov 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: Bug




WebAuthn UI is too easily dismissed by accidental touch of web page

Reported by c799...@gmail.com, Nov 8

Issue description

Steps to reproduce the problem:
1. Start to sign-in on web page supporting WebAuthn (FIDO2), such as https://demo.yubico.com/webauthn/
2. Choose the fingerprint option and Chrome triggers a "Verify your identity -- Confirm your fingerprint ..." dialog
3. Touch the browser screen outside of the dialog
4. The sign-in fails

What is the expected behavior?
The WebAuthn dialog should act as a modal dialog so the underlying web page cannot be accidentally touched. Touches of the web page should be ignored, until the fingerprint is verified, or the user explicitly cancels the dialog, or a timeout occurs.

What went wrong?
An inadvertent touch of the web page cancels the WebAuthn sign-in before the user has a chance to confirm their fingerprint.
It is very easy to slightly touch the web page on many mobiles that have screens that go very close to the edge of the handset.
It is very easy to slightly touch the web page on many mobiles that have the fingerprint sensor just below the screen.

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 70.0.3538.80  Channel: stable
OS Version: 8.0.0
Flash Version: 

Congratulations on getting WebAuthn support deployed for the simpler stronger authentication it offers.
 
Attachment: fido.chrome_ui_bug.png (276 KB)
Labels: Needs-triage-Mobile
Cc: chelamcherla@chromium.org
Components: Blink>WebAuthentication
Labels: Triaged-Mobile Needs-Feedback
Tested the issue on Android and was unable to reproduce it.

Steps to reproduce:
--------------------------
1. Launched Chrome and navigated to https://demo.yubico.com/webauthn/
2. Then tried registering with it and was unable to see the above screen

Chrome version:
70.0.3538.80

OS:
Android 9.0 

Android device:
Pixel XL

@c799878: Please check the above steps/screencast and let us know how to proceed further.

Thanks!
Attachment: 20181108_173008.mp4 (3.5 MB)
Attached is a video of Chrome 70 on Android 8 on a Samsung S9. Fingerprint is offered as a WebAuthn option (unlike in the video in a previous comment for Pixel XL).

Attachment: fido.chrome_ui_issue_903031.mp4 (7.8 MB)
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 8

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Target-70 Target-71 Target-72 M-72 FoundIn-71 FoundIn-70 FoundIn-72
Status: Untriaged (was: Unconfirmed)
Tested the issue on Android and was able to reproduce it.

1. Launched Chrome and navigated to https://demo.yubico.com/webauthn/
2. Selected the fingerprint option; on clicking outside the overlay, the dialog dismisses

Chrome version:
70.0.3538.80, 72.0.3605.3

OS:
Android 9.0 

Android device:
Pixel 2 XL

Observations:
1. Able to reproduce this issue on the 70.0.3538.80 stable build. But on installing the equivalent dev build, i.e. 70.0.3538.80, and navigating to https://demo.yubico.com/webauthn/, Chrome crashes.
2. On the default Chrome version 66.0.3359.158, Chrome also crashes on navigating to 70.0.3538.80
3. The issue is seen on Chrome channels that are available in the Play Store.

As we are seeing different behaviors in different builds it wouldn't be possible to provide a bisect. Hence marking as Untriaged for further triage from dev team.

Thanks!

Labels: -Needs-triage-Mobile
Owner: kpaulhamus@chromium.org
Status: Assigned (was: Untriaged)
Thanks for reporting. The UI in this instance is handled by Google Play Services, not Chrome, so I will pass this feedback on to them internally.

Assigning to myself to track any follow-ups.
Status: WontFix (was: Assigned)
Just a follow-up that this is considered WAI by the GPS team, but they'll take this feedback into consideration for any future UI refreshes.

It's a particularly good point that some phones with wrap-around displays might have problems. Thanks again for reporting!
Thanks for considering this issue.

While wrap-around displays can trigger this issue, fingerprint buttons just below the screen on the front of the phone trigger the problem even more easily.

I wanted to show off Chrome's new WebAuthn support on Android, but as the people tried it on their mobiles it failed on most of them. A few tried again and eventually succeeded. Only then did we notice the problem is the "modal" fingerprint dialog being inadvertently dismissed by just touching the screen.

There are now Android phones with the fingerprint reader in the display (e.g. Vivo X21). I doubt they can work at all with this WebAuthn implementation, as you can't verify your finger without touching the screen!
Those are really great points, and I've passed them along. Thanks!
