WebAuthn as Multi-Factor Authentication

When users authenticate with WebAuthn, they use something they have as an authentication factor: a security key or a device.

Both Security Keys and Device Biometrics support user verification, which requires users to provide something they know (a PIN or a passcode) and something they are (like biometric traits).

When using Device Biometrics, user verification is always performed. To perform user verification with Security Keys, you need to configure Auth0 to require a PIN. Users will then be asked to enter a PIN, which is stored only in the security key, to complete authentication. When user verification is performed, users can log in with WebAuthn as their only authentication method and still achieve multi-factor authentication.

By using WebAuthn for authentication combined with user verification, you not only replace the password with something much simpler to use, you also remove the need for a separate authentication step when MFA is required.
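
The following added example (not Auth0's code, and not part of the original page) shows how a relying party can tell from the WebAuthn authenticator data whether user verification was performed, which is what separates a single-factor assertion from a multi-factor one. The function names and sample bytes are constructed for illustration, and it assumes the assertion signature and RP ID hash have already been validated elsewhere.

```javascript
// Authenticator data layout per the WebAuthn spec:
//   rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data...
const FLAG_UP = 0x01; // User Present: the user touched or activated the authenticator
const FLAG_UV = 0x04; // User Verified: a PIN or biometric check passed on the authenticator

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be a Uint8Array of at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical policy helper. A valid signature (checked elsewhere, an assumption
// of this example) proves possession of the key; the UV flag adds the second factor.
function assuranceLevel(authData) {
  const { userPresent, userVerified } = parseAuthenticatorData(authData);
  if (!userPresent) return "rejected";       // no test of user presence at all
  if (userVerified) return "multi-factor";   // possession + PIN or biometric
  return "single-factor";                    // possession only (touch, no PIN)
}

// Enforce a "PIN required" style policy: refuse anything below multi-factor.
function acceptAsMfa(authData) {
  return assuranceLevel(authData) === "multi-factor";
}

// Constructed sample data: zeroed rpIdHash, the given flags, signCount = 5.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 5;
  return data;
}

console.log("touch only:", assuranceLevel(sampleAuthData(FLAG_UP)));
console.log("touch + PIN/biometric:", assuranceLevel(sampleAuthData(FLAG_UP | FLAG_UV)));
```
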

Webauthn.me

Auth0 maintains webauthn.me, which has detailed information about WebAuthn and an up-to-date list of browsers supporting WebAuthn.