Over the years, how you prove your identity and log in to websites has changed: from using only a password, to a password plus a code sent to your mobile device, to authenticator apps, and even to going passwordless by having a login link emailed to you. Each iteration is an attempt to keep your identity safe and secure.
WebAuthn was announced as the recommended standard for passwordless login in recent years. WebAuthn is a browser-based API that allows secure user authentication by using registered devices (phones, laptops, etc.) as authentication factors. This blog post will show you how fast you can enable device biometrics for your users to log in using the Auth0 dashboard.
What You'll Need
To enable and test out fingerprint authentication, you will need a few things:
- An Auth0 account. Sign up for a free Auth0 account if you don't have one.
- Any application that uses your Auth0 tenant to provide Universal Login. Any web-based, mobile, or desktop application will do, as long as it is one of your tenant's applications. If you don't have any applications that use Auth0 for authentication, you can download one from the Auth0 Quickstarts page.
- A WebAuthn-compatible device: a computer or smartphone with biometrics built in (Touch ID on a Mac, for example).
Enable Biometric Login Flow
On the left-side menu of the Auth0 dashboard, click Authentication > Authentication Profile. The Authentication Profile page is where you choose how users will authenticate their identity when logging in to your application.
You'll have the option to choose between three different login flows:
- Identifier + Password: a single login screen that asks for the username and password.
- Identifier First: two screens, one for the user to enter an identifier, then another for the password.
- Identifier First + Biometrics: allows users to sign in using face or fingerprint recognition instead of a password.
Click Identifier First + Biometrics, then click Save. This sets the login box to ask for an identifier first, such as an email address, and then for a biometric identifier such as a fingerprint.
After a device is registered for authentication, this creates a secure relationship between the application and the device, allowing users to log in securely. Click Confirm to enable WebAuthn device biometrics.
The next user who logs in or signs up will be prompted to enroll their device for quick and secure login. Let's test this flow from the user's perspective.
Learn more about WebAuthn and try out hardware authentication with the interactive demo on webauthn.me, a site maintained by Auth0.
Test WebAuthn Enrollment
The fastest way to test this is right on the Authentication Profile page. In the upper right-hand corner, click Try.
This will bring up the Auth0 Universal Login box. You'll log in with a username and password as normal. Once those credentials are verified, you'll be met with the "Login in faster on this device" prompt, which lets you know that you can use your fingerprint or face recognition to log in. Click Continue.
Clicking Continue brings up a prompt from your device alerting you that your browser is trying to verify your identity. You then register your fingerprint using something like Touch ID if you're using a Mac.
Finally, it will ask you to name your device; click Continue. The next screen lets you know that the device is successfully registered.
Once a device is registered, the user will no longer log in with a password. They will enter their email address and log in with their fingerprint! How cool is that?
Users can still log in with their password as a backup.
Benefits of WebAuthn
Using WebAuthn for passwordless login has many benefits.
- Customers don't have to worry about remembering passwords or requesting passcodes to be sent to a separate device.
- Removes barriers for customers signing in or signing up for applications.
- Lower risk of identity impersonation, because it's hard to steal a device where the biometrics are stored.
- Maintains customer trust by using a secure authentication method.
Moving towards more advanced authentication methods like WebAuthn is a great way to delight your users and build trust in your company. Keeping users safe from potential security exploits is a hard job. Data breaches are becoming common. Auth0 is staying up to date with web security standards and creating solutions that integrate seamlessly into your application.
To learn more about WebAuthn and how to use it with Auth0, check out the FIDO Authentication with WebAuthn docs.