Configure WebAuthn with Device Biometrics for MFA
For an introduction to WebAuthn and how Auth0 implements it for both Security Keys and Device Biometrics, check out FIDO Authentication with WebAuthn.
Availability varies by Auth0 plan and login method
Both the login implementation you use and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read New Universal Login vs. Classic Universal Login and Pricing.
Use the Dashboard
Enable WebAuthn with Device Biometrics by going to Dashboard > Security > Multifactor Auth. You'll need to enable an additional factor, as it cannot be the only factor enabled.
Configure Relying Party
WebAuthn makes phishing impossible by binding the credentials with the browser's origin. Users can't use WebAuthn for a site they did not register too.
Binding credentials to the origin means if you configure a custom domain or change it, users enrolled before the change will not be able to authenticate.
WebAuthn defines a Relying Party ID attribute, which lets you specify the domain used to authenticate users. You can set it to any registrable domain suffix of the browser origin. For example, if the custom domain is accounts.acme.com, you can configure the Relying Party ID to acme.com. This lets users authenticate to any acme.com domain with their WebAuthn credentials.
Auth0 lets you specify the Relying Party ID only if you have a custom domain configured. If the custom domain changes, you must update the Relying Party ID.
Since there's no deterministic way to know if a specific device was enrolled or not without challenging the user for WebAuthn, Auth0 relies on the user agent to decide what to do. The behavior depends on the operating system.
Windows and iOS 14.5+
On Windows and iOS 14.5+, the WebAuthn platform authenticator is registered at the operating system level. Users can enroll with one browser and login with any browser. If Auth0 detects that users have a device enrolled, they will get the option to authenticate with Face ID / Touch ID / Windows Hello. If they enrolled with that same device they'll be able to authenticate. If not, it will fail, and they'll need to use another authentication method.
On Mac, the WebAuthn platform authenticator is registered at the browser system level. Users will be asked to enroll with WebAuthn in each browser they use. If Auth0 detects that the user has enrolled from Chrome on a Mac, they will get the option to authenticate with Touch ID when they login from Chrome on a Mac. If they enrolled from the same Mac, they’ll be able to authenticate. If no, it will fail, and they'll need to use another authentication method. If they try to enroll from Safari in the same Mac, they will be asked to complete MFA with the other authentication method, and then prompted to enroll with Touch ID.
On Android, only Chrome supports WebAuthn platform authenticators. If Auth0 detects that users have an Android device enrolled, they will get the option to authenticate with Android’s Fingerprint/Face Recognition. If they enrolled with that same Android device they'll be able to authenticate. If not, it will fail, and they'll need to use another authentication method.
The user must have another MFA enrollment activated before using device biometrics.
The latest versions of popular browsers and operating systems provide support for WebAuthn with Security Keys. For more details, check out the browser support section in webauthn.me.
There isn't a a way to enroll with WebAuthn device biometrics beyond the Progressive Enrollment prompt.
When using the MFA API you can list and remove WebAuthn enrollments, but you cannot enroll them.
Users can only enroll one device per type using WebAuthn with Device Biometrics (one phone, one tablet, one laptop/desktop). If a user wants to enroll another device of the same type, the first device must be unenrolled.