AGOV Registration Bug: How Keyboard Layouts Can Break Government Digital Identity

AGOV Registration Bug: How Keyboard Layouts Can Break Government Digital Identity

AZERTY Keyboard Layouts Blocked by AGOV Registration

A critical accessibility bug in the Swiss governmental login system, AGOV, prevented users with AZERTY keyboard layouts from completing the email verification process. The issue stemmed from custom JavaScript that intercepted key presses to manage a six-digit verification code; this logic explicitly rejected the Shift key, making it impossible for users of French (AZERTY) keyboards—where digits are accessed via the Shift key—to enter any numbers.

This bug highlights a significant failure in inclusive design, as it effectively locked out a portion of the population (including French nationals living in Switzerland) from a system that is increasingly mandatory for essential services like unemployment insurance and tax filing.

The Technical Cause: Intercepting Raw Key Events

The bug was discovered through a deep dive into the AGOV registration page's JavaScript. The system does not use a standard HTML input field for the verification code; instead, it uses six separate boxes and a custom JavaScript function to track input.

The Flawed Logic

The verificationCodeEntered function was designed to filter out non-numeric keys. However, it implemented this by explicitly returning early if the Shift key was pressed:

verificationCodeEntered(_, S) {
    if ("Shift" === this.lastKeyPressed) return;
    switch (S.key) {
      case "Control":
      case "Meta":
      case "Shift":
      case "v":
      case "r":
        return;
      // ... other cases
    }
    S.preventDefault();
    const O = Number(S.key);
    isNaN(O) ? (this.getInput(_).value = "") : this.setCode(_, String(O));
}

Because AZERTY keyboards require the Shift key to produce numeric characters, the S.preventDefault() and the explicit return on "Shift" blocked the actual numeric input from ever being processed. In contrast, QWERTY and QWERTZ layouts (the latter being the Swiss-French standard) do not require Shift for digits, which is why the bug remained undetected by most users and developers.

The "Chicken and Egg" Support Problem

The severity of the bug was compounded by a failure in the support infrastructure. Users unable to register were unable to report the bug because the only available support channel was a web form that required the same email verification process that was broken.

  • Support Gating: The official FAQ states that support is provided "exclusively through the creation of tickets online."
  • Circular Dependency: To create a ticket, the user must pass the verification code screen, which is the exact point of failure.
  • Lack of Alternatives: No email addresses or phone numbers were provided for technical support, leaving users with no way to notify the government of the failure.

Post-Mortem: Lessons in UI Resilience

The incident serves as a case study in the dangers of replacing native browser functionality with custom JavaScript logic.

Engineering Failures

  • Avoid Custom Input Logic: Using six separate input fields managed by JavaScript is less resilient than a single native browser form field styled with CSS. Native fields handle international keyboard layouts, autofill, and accessibility tools automatically.
  • DOM Decoupling: By decoupling the form logic from the DOM and relying on intercepted key presses, the system prevented advanced users or browser extensions from correcting the input via the developer console.
  • Single Point of Failure in Support: Coupling the support channel to the main product's login logic ensures that when the product breaks, the ability to report the bug also breaks.

Community Insights

Technical observers noted that this is a recurring pattern in modern web development. As one developer pointed out:

"Web developer classic: use Javascript to replace the native, working, internationally supported standard inputs with a different input mechanism that doesn't work."

Other users highlighted similar frustrations with "creative" date selection widgets and inputs that automatically submit upon the final digit, which can lead to verification failures if a typo is made.

Conclusion on Identity Verification

Beyond the technical bug, the investigation revealed that the initial AGOV registration process only validates that an email address exists and that a supported second-factor device (security key or approved app) is used. Basic identity details—name, phone number, and date of birth—are not verified during the initial account creation, suggesting that the system's primary strength is resilience against remote phishing rather than absolute identity proofing at the entry level.

Sources