Configure WebAuthn with Device Biometrics for MFA

Configure WebAuthn with Device Biometrics for MFA

For an introduction to WebAuthn and how Auth0 implements it for both Security Keys and Device Biometrics, check out FIDO Authentication with WebAuthn.

Availability varies by Auth0 plan and login method

Both the login implementation you use and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read New Universal Login vs. Classic Universal Login and Pricing.

Use the Dashboard

Enable WebAuthn with Device Biometrics by going to Dashboard > Security > Multifactor Auth. You'll need to enable an additional factor, as it cannot be the only factor enabled.

Configure Relying Party

WebAuthn makes phishing impossible by binding the credentials with the browser's origin. Users can't use WebAuthn for a site they did not register too.

Binding credentials to the origin means if you configure a custom domain or change it, users enrolled before the change will not be able to authenticate.

WebAuthn defines a Relying Party ID attribute, which lets you specify the domain used to authenticate users. You can set it to any registrable domain suffix of the browser origin. For example, if the custom domain is accounts.acme.com, you can configure the Relying Party ID to acme.com. This lets users authenticate to any acme.com domain with their WebAuthn credentials.

Auth0 lets you specify the Relying Party ID only if you have a custom domain configured. If the custom domain changes, you must update the Relying Party ID.

Device recognition

When you enable WebAuthn with Device Biometrics, Auth0 will try to progressively enroll all of an end-user's WebAuthn-capable devices. Browsers with Javascript disabled or without WebAuthn platform authenticator support, won’t get the option to enroll or authenticate with Device Biometrics.

Since there's no deterministic way to know if a specific device was enrolled or not without challenging the user for WebAuthn, Auth0 relies on the user agent to decide what to do. The behavior depends on the operating system.

Windows and iOS 14.5+

On Windows and iOS 14.5+, the WebAuthn platform authenticator is registered at the operating system level. Users can enroll with one browser and login with any browser. If Auth0 detects that users have a device enrolled, they will get the option to authenticate with Face ID / Touch ID / Windows Hello. If they enrolled with that same device they'll be able to authenticate. If not, it will fail, and they'll need to use another authentication method.

macOS 

On Mac, the WebAuthn platform authenticator is registered at the browser system level. Users will be asked to enroll with WebAuthn in each browser they use. If Auth0 detects that the user has enrolled from Chrome on a Mac, they will get the option to authenticate with Touch ID when they login from Chrome on a Mac. If they enrolled from the same Mac, they’ll be able to authenticate.  If no, it will fail, and they'll need to use another authentication method. If they try to enroll from Safari in the same Mac, they will be asked to complete MFA with the other authentication method, and then prompted to enroll with Touch ID.

Android

On Android, only Chrome supports WebAuthn platform authenticators. If Auth0 detects that users have an Android device enrolled, they will get the option to authenticate with Android’s Fingerprint/Face Recognition. If they enrolled with that same Android device they'll be able to authenticate. If not, it will fail, and they'll need to use another authentication method.

Device support

The user must have another MFA enrollment activated before using device biometrics.

To use device biometrics keys, a browser needs to have JavaScript enabled and support WebAuthn Platform Authenticators. If those conditions are not met, Auth0 will not offer the option of enrolling or authenticating with the device. Auth0 will challenge the user with another factor.

The latest versions of popular browsers and operating systems provide support for WebAuthn with Security Keys. For more details, check out the browser support section in webauthn.me.

Limitations

  • There isn't a a way to enroll with WebAuthn device biometrics beyond the Progressive Enrollment prompt.

  • When using the MFA API you can list and remove WebAuthn enrollments, but you cannot enroll them.

  • Users can only enroll one device per type using WebAuthn with Device Biometrics (one phone, one tablet, one laptop/desktop). If a user wants to enroll another device of the same type, the first device must be unenrolled.

Learn more