Configure WebAuthn with Device Biometrics for Passwordless Authentication

You can configure Universal Login to let users authenticate using WebAuthn with Device Biometrics instead of a password.

WebAuthn with Device Biometrics is the most secure and usable authentication factor that's available today, greatly reducing login friction without sacrificing security.

Prerequisite

To enable Passwordless with WebAuthn Device Biometrics, you need to:

  1. Make sure the New Universal Login experience is enabled and that the HTML for the login page is not customized in Dashboard > Universal Login.

  2. Select Identifier First + Biometrics in the Dashboard > Authentication Profile. This will automatically enable WebAuthn with Device Biometrics in the Multi-Factor authentication section if it is not enabled yet.

How does it work

After you enable the feature, users who authenticate with username/email and password, and whose device is capable of WebAuthn with Device Biometrics, will be offered the option to enroll that device:

Example of setting up a Face ID login for specific domain using WebAuthn

If they decide to enroll it, the next time they authenticate from that device they'll be given the option of using their device biometrics or a password:

Example of using Fingerprint or Face Recognition to login to a domain

We call this feature 'progressive enrollment', and it's designed to make the transition to WebAuthn-based authentication as easy as possible for both developers and users.

Multi-Factor Authentication

WebAuthn with Device Biometrics removes the need to require a separate authentication method for multi-factor authentication, because it combines two factors in one: something you have (the device), and something you are (biometrics) or something you know (the device passcode).

This has several consequences:

  • When you enable MFA in the dashboard, Auth0 will not prompt for MFA if users authenticated with WebAuthn with Device Biometrics as the first factor.

  • When MFA is enabled and users create a new account, they will:

    • Create an account with a username and password.

    • Enroll in MFA with a non-biometric authentication method, so they can complete MFA on any device.

    • Optionally enroll with Device Biometrics.

    The next time they log in, they can log in with password + another authentication method, or with device biometrics.

  • When users authenticate using WebAuthn Biometrics as their only authentication method, the amr claim in the ID Token will be set to mfa.

  • If you want to enable MFA from our extensibility platform, you can take into account how users authenticated to decide whether they should be prompted for MFA. The Rule below only triggers MFA if the user did not authenticate with the webauthn-platform authentication method:

function (user, context, callback) {
  // Authentication methods used in this transaction (e.g. 'pwd', 'webauthn-platform').
  // Defensive fallback to an empty array: if the list is missing, MFA is still required.
  const authMethods = (context.authentication && context.authentication.methods) || [];

  // Look for a WebAuthn with Device Biometrics authentication in this transaction.
  const usedBiometrics = authMethods.find((method) => method.name === 'webauthn-platform');

  // No biometrics: require MFA with any enrolled provider and do not let the browser be remembered.
  if (!usedBiometrics) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
  return callback(null, user, context);
}

This post-login action will have the same effect:

exports.onExecutePostLogin = async (event, api) => {
  // Same defensive fallback as the Rule above: an absent list means MFA is required.
  const authMethods = (event.authentication && event.authentication.methods) || [];

  // Look for a WebAuthn with Device Biometrics authentication in this login.
  const usedBiometrics = authMethods.find((method) => method.name === 'webauthn-platform');

  // No biometrics in this login: challenge with any enrolled MFA factor.
  if (!usedBiometrics) {
    api.multifactor.enable('any');
  }
};
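The same decision as an added, unit-testable example (this is not Auth0's code): the MFA check is pulled into a pure function that fails closed when `event.authentication.methods` is absent, and the `api` object and sample events are constructed stand-ins for the real Actions runtime.

```javascript
// Added example, not Auth0's code. Assumes the Actions event shape
// event.authentication.methods = [{ name: 'pwd' | 'webauthn-platform' | ... }].

// Methods that satisfy MFA on their own. Per the page, WebAuthn with Device
// Biometrics ('webauthn-platform') combines possession of the device with
// biometrics or a passcode, so no second prompt is needed.
const MFA_SATISFYING_METHODS = new Set(['webauthn-platform']);

// Returns true when this login should be challenged for MFA.
// A missing or malformed methods list requires MFA: an access-control
// decision should fail closed rather than skip the challenge.
function requiresMfa(authentication) {
  const methods = authentication && Array.isArray(authentication.methods)
    ? authentication.methods
    : [];
  return !methods.some((m) => m && MFA_SATISFYING_METHODS.has(m.name));
}

// Post-login handler with the same shape as the Action shown on the page.
async function onExecutePostLogin(event, api) {
  if (requiresMfa(event.authentication)) {
    api.multifactor.enable('any');
  }
}

// Constructed stand-in for the Actions `api` object so the handler runs offline.
// It records which MFA provider, if any, the handler enabled.
function makeMockApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider) => calls.push(provider) } };
}

// Constructed sample events: password only, password followed by biometrics,
// and an event carrying no authentication details at all.
const sampleEvents = {
  passwordLogin: { authentication: { methods: [{ name: 'pwd' }] } },
  biometricLogin: { authentication: { methods: [{ name: 'pwd' }, { name: 'webauthn-platform' }] } },
  noAuthInfo: {},
};

// Runs the handler over every sample event; returns the provider list per event
// (['any'] when MFA was enabled, [] when it was skipped).
async function demo() {
  const results = {};
  for (const [label, event] of Object.entries(sampleEvents)) {
    const api = makeMockApi();
    await onExecutePostLogin(event, api);
    results[label] = api.calls;
  }
  return results;
}
```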
