Touchid webauthn fingerprint authentication doesn't work cross browser

[devd]

Description

I have my touchid registered as a webauthn device on github, okta, google for MFA. When I switch to Brave and try to use it, it fails. I am able to register the touchid on the yubikey test site https://demo.yubico.com/webauthn-technical/registration (I tried on brave nightly cos I believe release branch right now has issues with touchid webauthn)

Steps to Reproduce

1. Register your touchid as a webauthn device on github on chrome
2. try to login to github on brave using the same touchid
3. See error

Actual result:

Expected result:

I login!

Reproduces how often:

Reliably for me and another Brave user

Brave version (brave://version info)

Brave	1.17.32 Chromium: 86.0.4240.80 (Official Build) nightly (x86_64)
Revision	7ed88b53bda45a2d19efb4f8706dd6b6cad0d3af-refs/branch-heads/4240@{#1183}
OS	macOS Version 10.15.6 (Build 19G2021)
JavaScript	V8 8.6.395.10
Flash	(Disabled)
User Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36

Version/Channel Information:

All channels

• Can you reproduce this issue with the current release?
  I believe so but current release has webauthn broken (Fingerprint webauthn doesn't work #11716 )

• Can you reproduce this issue with the beta channel?

• Can you reproduce this issue with the nightly channel?
  yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields?
• Does the issue resolve itself when disabling Brave Rewards?
• Is the issue reproducible on the latest version of Chrome?
  no

[diracdeltas]

cc @jumde

[jumde]

@devd - Thanks for filing this issue, I'm seeing the same behavior with a new profile on Chrome. Are you seeing the same?

[devd]

huh you are right. My bad: should have tested on chrome. I filed https://bugs.chromium.org/p/chromium/issues/detail?id=1139568 If you want to close this out, that's fine.

thanks for the quick response! 🙏

[jumde]

Thanks for checking @devd - We'll keep this issue open to track the upstream issue.

[sirwomble]

Similar issue - https://community.brave.com/t/yubikey-not-working-using-brave-on-ubuntu-20-04/168773/8

Works for me in Firefox and Chrome fine, Brave not playing ball. This is on Ubuntu 20.04.

[bsclifton]

Updated - https://bugs.chromium.org/p/chromium/issues/detail?id=1139568 closed as wontfix

Yes, this is by design. When you register a WebAuthn credential in Chrome's macOS platform authenticator, Chrome needs to persist certain metadata, like the origin that the credential is scoped to. Since the authenticator is essentially a part of Chrome, we treat this metadata like we would treat any other browsing-associated data (e.g. history, cookies, or passwords) and associate it with the browsing profile.

You're correct that it does work in Incognito: Incognito windows belong to the same profile that spawned them, so you can access the "parent profile" credentials there. This is similar to how you can fill a saved password or credit card number in an Incognito window.

UX-wise this is different from how platform authenticators work on other OSes, like Android or Windows. That's because the platform authenticators there are a feature of the OS, whereas this one is a Chrome-implemented feature. Apple recently shipped their own platform authenticator in macOS; hopefully Chrome gets to use that one day, but Apple hasn't opened it to other browsers so far.