FIDO2 registration hangs indefinitely — biometric prompt never appears (screen dims only), resolved only by clearing Google Play Services storage

Jhuang Hung Chong

Apr 9, 2026, 3:15:56 AM
to FIDO Dev (fido-dev)
When a native Android app calls Fido2ApiClient.getRegisterPendingIntent() and startIntentSenderForResult(), the screen dims as if the GPS FIDO2 biometric prompt is about to appear, but the prompt never surfaces. No error is returned to the calling app. The operation hangs silently until the setTimeoutSeconds value is reached, at which point onActivityResult fires with FIDO2_KEY_ERROR_EXTRA containing error code 23 (TIMEOUT_ERR). The issue is persistent across app restarts and only resolves after the user manually clears Google Play Services storage (Settings → Apps → Google Play Services → Storage → Clear Storage).

Google Play services (GPS) version: 26.12.33 (190400-892550550)

SDK version: com.google.android.gms:play-services-fido:21.2.0, com.google.android.gms:play-services-base:18.10.0

Android OS level: 13

Device: Vivo V2146


Steps to reproduce
1. Build a native Android app that calls Fido2ApiClient.getRegisterPendingIntent() with a valid PublicKeyCredentialCreationOptions (valid RP ID, user entity, challenge, parameters).
2. Call activity.startIntentSenderForResult() with the returned PendingIntent and a registration request code.
3. Observe the screen dim (GPS FIDO2 activity launching).
4. Interrupt the flow mid-session — e.g. press Home, kill the app process, or let a previous incomplete registration leave GPS in an unclean state.
5. Relaunch the app and repeat steps 1–3 without clearing GPS storage.
6. Observe the stuck state.

Minimal reproducible case: The issue reproduces reliably after at least one interrupted FIDO2 registration session on the same device.

Expected result
After calling startIntentSenderForResult(), the GPS FIDO2 biometric/screen-lock prompt appears within 1–2 seconds, the user authenticates, and onActivityResult fires with either a valid FIDO2_KEY_CREDENTIAL_EXTRA (success) or FIDO2_KEY_ERROR_EXTRA with an actionable error code.

Actual result
1. The screen dims as if the prompt is launching, but no biometric/screen-lock prompt is displayed.
2. onActivityResult is never called until the setTimeoutSeconds duration elapses.
3. After timeout, onActivityResult fires with FIDO2_KEY_ERROR_EXTRA containing:
errorCode: 23 (TIMEOUT_ERR)
errorMessage: (timeout message)
4. The issue persists across app restarts.
5. The issue resolves immediately after the user navigates to Settings → Apps → Google Play Services → Storage → Clear Storage, confirming GPS is holding corrupted internal session state from a previous interrupted registration.

Relevant logcat output

Additional context
1. The GPS FIDO2 AuthenticateChimeraActivity appears to retain an in-progress operation state across sessions. When a new registration attempt is made, GPS is unable to recover from the prior interrupted state and silently hangs instead of returning an error.
2. Clearing GPS storage resets this state and registration works normally on the next attempt.
3. This issue has also been independently reported on GrapheneOS issue tracker #3867 with an IllegalStateException in AuthenticateChimeraActivity.
4. The GPS internal error code involved is likely 50151 (state corruption during key generation) or 50162 (Folsom sync key failure), but both are swallowed and never surfaced to the calling app — only the final TIMEOUT_ERR (code 23) is delivered after the full timeout duration.

최욱진

Apr 14, 2026, 10:02:56 AM
to FIDO Dev (fido-dev), Jhuang Hung Chong
We are experiencing the same issue in our app.

Interestingly, between April 7 and April 9, the issue suddenly stopped occurring on all affected devices, even though we did not make any changes on our side (no app update or configuration change).

This makes us suspect that there may have been a change or fix in Google Play services.

Has this issue been resolved recently?

Also, do you have any insights into the root cause?

On Thursday, April 9, 2026 at 4:15:56 PM UTC+9, Jhuang Hung Chong wrote:

Jhuang Hung Chong

Apr 14, 2026, 11:31:22 PM
to FIDO Dev (fido-dev), 최욱진, Jhuang Hung Chong
Hi there,

Glad to see we are not the only ones facing the issue.

I specifically encountered the issue on 31 Apr and 7 Apr.

The root cause of the issue is not resolved; it just magically disappeared without an update to Google Play Services.

Some of the insight I found, using adb bugreport:

60905  Auth.Api.Credentials: [InitSignatureOperation] Operation started.
60906  keystore2: create_operation, 10190, 10499
60907  E keystore2: In create_operation.
60910  E keystore2: In authorize_create: matching auth token is expired.
60911  E keystore2: Error::Km(ErrorCode(-26))


During [InitSignatureOperation] in the FIDO2 registration flow, Android KeyStore2 returned KEY_USER_NOT_AUTHENTICATED (Keymaster ErrorCode(-26)) with message: "In authorize_create: matching auth token is expired." GPS's RegistrationActivity exited silently within ~1 second without showing any biometric/screen-lock prompt and without returning an actionable error to the calling app. GPS should handle KEY_USER_NOT_AUTHENTICATED during InitSignatureOperation by prompting the user to re-authenticate and retrying the KeyStore operation, rather than silently exiting and causing the caller to hang until setTimeoutSeconds elapses.
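
A triage sketch for the bugreport pattern quoted above, added here as an example and not part of the original post or any Google tooling: it pairs each [InitSignatureOperation] start with the first keystore2 Km error that follows it. The function name, the 10-line window and the filler lines in the sample are assumptions; the first five sample lines are the ones quoted in the thread.

```python
import re

# Patterns taken from the log lines quoted in the thread.
OP_START = re.compile(r"\[InitSignatureOperation\] Operation started")
KM_ERROR = re.compile(r"keystore2: .*Error::Km\(ErrorCode\((-?\d+)\)\)")
KS_DETAIL = re.compile(r"keystore2: (In \w+: .+)$")
# Only the code named in the thread is mapped; others are reported numerically.
KM_NAMES = {-26: "KEY_USER_NOT_AUTHENTICATED"}


def find_failed_signature_ops(lines, window=10):
    """Pair each InitSignatureOperation start with the first keystore2 Km
    error in the next `window` lines (the window size is an assumption)."""
    findings = []
    for i, line in enumerate(lines):
        if not OP_START.search(line):
            continue
        detail = None
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            nxt = lines[j].rstrip()
            if OP_START.search(nxt):
                break  # a new operation began before any error was logged
            m = KS_DETAIL.search(nxt)
            if m:
                detail = m.group(1)  # e.g. the authorize_create message
            m = KM_ERROR.search(nxt)
            if m:
                code = int(m.group(1))
                findings.append({"start": i, "error": j, "code": code,
                                 "name": KM_NAMES.get(code, f"Km({code})"),
                                 "detail": detail})
                break
    return findings


# First five lines are quoted from the thread; the last three are constructed.
SAMPLE = """\
60905  Auth.Api.Credentials: [InitSignatureOperation] Operation started.
60906  keystore2: create_operation, 10190, 10499
60907  E keystore2: In create_operation.
60910  E keystore2: In authorize_create: matching auth token is expired.
60911  E keystore2: Error::Km(ErrorCode(-26))
61200  Auth.Api.Credentials: [InitSignatureOperation] Operation started.
61201  keystore2: create_operation, 10190, 10499
61202  ExampleTag: constructed unrelated line
"""

if __name__ == "__main__":
    for f in find_failed_signature_ops(SAMPLE.splitlines()):
        print(f"line {f['start']}: {f['name']} ({f['code']}): {f['detail']}")
```

A hit with code -26 directly after the operation start matches the pattern described in the post, which the calling app only ever sees as TIMEOUT_ERR (23).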
