On Android, when a user taps a link in Gmail, it opens in Gmail’s in-app browser. This creates a critical problem with email-based OTP authentication.
The flow:
- User receives a lifecycle email with a link to our website
- User taps link → opens in Gmail’s in-app browser
- User enters their email address and is prompted for an OTP code
- OTP is sent to the user’s email
- User needs to go back to Gmail to read the OTP
- Going back to Gmail closes the in-app browser — the page waiting for OTP input is lost
- User has no way to return to the OTP input page; reopening the original link loses the original context and resets the OTP
The user is stuck. They can see their OTP code, but the page that needs it is gone.
This affects any web application that uses email-based OTP and is accessed via a link in Gmail on Android.
Is there any way to:
- Indicate to Gmail that a link should open in the device’s default browser rather than the IAB?
- Allow the IAB to persist when the user navigates back to Gmail, rather than closing?
- Reliably detect the Gmail IAB via user agent or other means?
This feels like a gap in the Chrome Custom Tab implementation within Gmail — the single-context nature of the IAB is fundamentally incompatible with any authentication flow that requires the user to check their email.
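One server-side way to survive the context loss described above, as an added example that is not part of the original post and not any Gmail or Chrome API: keep the pending OTP challenge in a store keyed by an opaque challenge id that is set in a cookie and also carried in a "continue" link inside the OTP email, so returning from Gmail resumes the same challenge instead of resetting it. The class, the TTL and the attempt limit are assumptions chosen for illustration; the attempt limit matters because a resumable challenge must not become a longer guessing window.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_TTL_SECONDS = 600  # assumed: long enough to outlive an in-app browser being closed
MAX_ATTEMPTS = 5       # assumed: resumability must not widen the guessing window

@dataclass
class Challenge:
    email: str
    otp_hash: str      # only an HMAC of the OTP is stored, never the OTP itself
    created: float
    attempts: int = 0
    verified: bool = False

class ResumableOtpService:
    """Hypothetical server-side store; a real deployment would back it with a database."""
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._store: dict = {}

    def _hash(self, otp: str) -> str:
        return hmac.new(self._secret, otp.encode(), hashlib.sha256).hexdigest()

    def start(self, email: str) -> Tuple[str, str]:
        """Create a challenge. The OTP goes in the email; the challenge id goes into a
        cookie AND into a 'continue' link in that same email, so either path resumes it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_urlsafe(32)
        self._store[cid] = Challenge(email, self._hash(otp), self._clock())
        return cid, otp

    def resume(self, cid: str) -> Optional[Challenge]:
        """Return the pending challenge, or None if unknown, already used or expired."""
        ch = self._store.get(cid)
        if ch is None or ch.verified or self._clock() - ch.created > OTP_TTL_SECONDS:
            self._store.pop(cid, None)
            return None
        return ch

    def verify(self, cid: str, otp: str) -> bool:
        """Check the code; count attempts and drop the challenge after too many failures."""
        ch = self.resume(cid)
        if ch is None:
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._store[cid]
            return False
        if hmac.compare_digest(ch.otp_hash, self._hash(otp)):
            ch.verified = True  # single use: a later resume() returns None
            return True
        return False
```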