FIDO2 registration hangs indefinitely — biometric prompt never appears (screen dims only), resolved only by clearing Google Play Services storage


Jhuang Hung Chong

3:15 AM (2 hours ago)
to FIDO Dev (fido-dev)
When a native Android app calls Fido2ApiClient.getRegisterPendingIntent() and startIntentSenderForResult(), the screen dims as if the GPS FIDO2 biometric prompt is about to appear, but the prompt never surfaces. No error is returned to the calling app. The operation hangs silently until the setTimeoutSeconds value is reached, at which point onActivityResult fires with FIDO2_KEY_ERROR_EXTRA containing error code 23 (TIMEOUT_ERR). The issue is persistent across app restarts and only resolves after the user manually clears Google Play Services storage (Settings → Apps → Google Play Services → Storage → Clear Storage).

Google Play services (GPS) version: 26.12.33 (190400-892550550)

SDK version: com.google.android.gms:play-services-fido:21.2.0, com.google.android.gms:play-services-base:18.10.0

Android OS level: 13

Device: Vivo V2146


Steps to reproduce
1. Build a native Android app that calls Fido2ApiClient.getRegisterPendingIntent() with a valid PublicKeyCredentialCreationOptions (valid RP ID, user entity, challenge, parameters).
2. Call activity.startIntentSenderForResult() with the returned PendingIntent and a registration request code.
3. Observe the screen dim (GPS FIDO2 activity launching).
4. Interrupt the flow mid-session — e.g. press Home, kill the app process, or let a previous incomplete registration leave GPS in an unclean state.
5. Relaunch the app and repeat steps 1–3 without clearing GPS storage.
6. Observe the stuck state.

Minimal reproducible case: The issue reproduces reliably after at least one interrupted FIDO2 registration session on the same device.

Expected result
After calling startIntentSenderForResult(), the GPS FIDO2 biometric/screen-lock prompt appears within 1–2 seconds, the user authenticates, and onActivityResult fires with either a valid FIDO2_KEY_CREDENTIAL_EXTRA (success) or FIDO2_KEY_ERROR_EXTRA with an actionable error code.

Actual result
1. The screen dims as if the prompt is launching, but no biometric/screen-lock prompt is displayed.
2. onActivityResult is never called until the setTimeoutSeconds duration elapses.
3. After timeout, onActivityResult fires with FIDO2_KEY_ERROR_EXTRA containing:
errorCode: 23 (TIMEOUT_ERR)
errorMessage: (timeout message)
4. The issue persists across app restarts.
5. The issue resolves immediately after the user navigates to Settings → Apps → Google Play Services → Storage → Clear Storage, confirming GPS is holding corrupted internal session state from a previous interrupted registration.

Relevant logcat output

Additional context
1. The GPS FIDO2 AuthenticateChimeraActivity appears to retain an in-progress operation state across sessions. When a new registration attempt is made, GPS is unable to recover from the prior interrupted state and silently hangs instead of returning an error.
2. Clearing GPS storage resets this state and registration works normally on the next attempt.
3. This issue has also been independently reported on GrapheneOS issue tracker #3867 with an IllegalStateException in AuthenticateChimeraActivity.
4. The GPS internal error code involved is likely 50151 (state corruption during key generation) or 50162 (Folsom sync key failure), but both are swallowed and never surfaced to the calling app — only the final TIMEOUT_ERR (code 23) is delivered after the full timeout duration.
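An added example, not code from the original post: a small Kotlin probe for the calling side of the flow reported above, which times the round trip through Google Play services and classifies the result so the silent hang ending in TIMEOUT_ERR shows up in app logs. The class name, request code and log tag are assumptions; the `Fido`, `AuthenticatorErrorResponse` and `ErrorCode` calls are from play-services-fido.

```kotlin
import android.app.Activity
import android.content.Intent
import android.content.IntentSender
import android.os.SystemClock
import android.util.Log
import com.google.android.gms.fido.Fido
import com.google.android.gms.fido.fido2.api.common.AuthenticatorErrorResponse
import com.google.android.gms.fido.fido2.api.common.ErrorCode
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialCreationOptions

// Hypothetical helper (added example): wraps the register call and result handling.
class Fido2RegistrationProbe(private val activity: Activity) {
    private var startedAt = 0L

    fun start(options: PublicKeyCredentialCreationOptions) {
        Fido.getFido2ApiClient(activity)
            .getRegisterPendingIntent(options)
            .addOnSuccessListener { pendingIntent ->
                startedAt = SystemClock.elapsedRealtime()
                try {
                    activity.startIntentSenderForResult(
                        pendingIntent.intentSender, REQUEST_CODE, null, 0, 0, 0)
                } catch (e: IntentSender.SendIntentException) {
                    Log.e(TAG, "could not launch FIDO2 activity", e)
                }
            }
            .addOnFailureListener { e -> Log.e(TAG, "getRegisterPendingIntent failed", e) }
    }

    // Call from Activity.onActivityResult; returns a label, or null for other requests.
    fun onResult(requestCode: Int, resultCode: Int, data: Intent?): String? {
        if (requestCode != REQUEST_CODE) return null
        val elapsedMs = SystemClock.elapsedRealtime() - startedAt
        val errorBytes = data?.getByteArrayExtra(Fido.FIDO2_KEY_ERROR_EXTRA)
        val outcome = when {
            errorBytes != null -> {
                val err = AuthenticatorErrorResponse.deserializeFromBytes(errorBytes)
                // TIMEOUT_ERR after the full timeout is the symptom described in the report.
                if (err.errorCode == ErrorCode.TIMEOUT_ERR) "TIMEOUT_ERR"
                else "ERROR ${err.errorCode.code}: ${err.errorMessage}"
            }
            data?.hasExtra(Fido.FIDO2_KEY_CREDENTIAL_EXTRA) == true -> "CREDENTIAL"
            resultCode == Activity.RESULT_CANCELED -> "CANCELED"
            else -> "UNKNOWN"
        }
        Log.i(TAG, "FIDO2 register outcome=$outcome elapsedMs=$elapsedMs")
        return outcome
    }

    companion object { const val REQUEST_CODE = 0x1D02; const val TAG = "Fido2Probe" }
}
```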