WebAuthn with Biometrics

Published on August 23, 2022
Learning Goal: Learn how to set up Multi-Factor Authentication (MFA) using biometrics as an authentication factor.

In this lab, you will:

  • Define an MFA Factor using device biometrics.
  • Define, apply, and test an MFA policy.

MFA with Biometrics

What is MFA?

When you configure Multi-Factor Authentication (MFA) to use biometrics as an authentication factor, your users have to use their face or fingerprint to complete the login transaction. Completing that login means your users prove their digital identity by providing:

  • Something they know: your users know their login credentials.
  • Something they are: your users can show their faces or scan their fingerprints.

What are device biometrics?

Biometrics are measurable and unique human traits that applications can use to verify a person's identity, such as a person's face or fingerprints.

Biometrics can serve as a secure and convenient authentication factor, making Multi-Factor Authentication (MFA) as easy and fast as possible. The availability of mobile devices capable of reliably measuring human traits has grown exponentially, increasing the popularity of biometric authentication in enterprise and customer applications.

Developers enable end-users to use biometrics on web applications by implementing the Web Authentication API (WebAuthn), which is part of the FIDO2 standard. End-users can register their biometric devices with any application that supports the standard. Each registration creates a public-key credential that is bound to the registering application's origin (its Relying Party ID), so a credential registered with one site cannot be used by, or phished through, another.

When users authenticate with WebAuthn, they can use something they are as an authentication factor, such as their face or fingerprint. Note that the biometric itself never leaves the device: the fingerprint or face match happens locally, and the application only receives an assertion signed by a private key held on the device, together with a "user verified" flag stating that the local check succeeded. Auth0 supports using biometrics to perform MFA. Let's see that in action!

Lab Setup

Required hardware

You need a device that can use your biometric information for access, such as a mobile device with face recognition or a fingerprint reader.

Create an Auth0 Account

If you already have an Auth0 account, you can log in to your tenant and continue to the next step.

Otherwise, sign up for a free Auth0 account.

During the sign-up process, you create something called an Auth0 Tenant, representing the product or service to which you are adding authentication.

Once you sign in, Auth0 takes you to the Auth0 Dashboard, where you can configure and manage the authentication services for your applications.

Define an MFA Factor

Before you start, it's important to note that biometrics are currently tied to a physical device. For example, if you use your smartphone to log in using its fingerprint reader, you can only use that smartphone to log in that way. In the context of MFA, if a biometric is the only second factor that your users have available to complete the authentication process, they won't be able to log in if they don't have the physical device that registered their biometric.

You can achieve a balance between security and usability by offering your users an alternative MFA factor whenever their device biometrics are unavailable. For that reason, Auth0 requires you to enable at least one other factor before enabling "WebAuthn with FIDO Device Biometrics" as an authentication factor. You are all set up if you have already completed any of our other MFA labs. Otherwise, please complete either the "Enable MFA with SMS" or the "WebAuthn with FIDO Security Keys" lab.

Enable WebAuthn with FIDO Device Biometrics

Follow these steps to configure the "WebAuthn with FIDO Device Biometrics" factor:

  • Head to the Auth0 Dashboard.
  • Locate the "Security" section on the left-hand menu.
  • Under this section, click the "Multi-factor Auth" sub-section.
  • Click the "WebAuthn with FIDO Device Biometrics" option under the "Factors" list to open its configuration page.
  • There's not much more to do other than clicking the toggle button to enable this factor, which turns the button green.

You will get a toast notification with the following message: "WebAuthn with FIDO Device Biometrics is now enabled."

Define an MFA Policy

Once you have configured your MFA factor, click the "Back to Multi-factor Authentication" link at the top of the page.

Once you are back on the "Multi-factor Authentication" page, scroll past the "Factors" section and locate the "Define policies" section. Recall that an MFA policy determines when Auth0 will prompt your users to provide additional authentication factors to log in successfully. You must define a policy to enforce MFA in your applications.

Looking at the "Require Multi-factor Auth" setting, you'll notice that "Never" is the default selection. This selection means that Auth0 will never require users to authenticate using an additional factor for any application registered under your Auth0 tenant.

That "Never" behavior is the exact opposite of how you want your login flow to behave after setting up the "WebAuthn with FIDO Device Biometrics" factor. To make your MFA strategy effective, you will need to select "Use Adaptive MFA" or "Always".

For this exercise, select "Always" to always require an additional authentication factor to log in. Then, click the "Save" button.

You will get a toast notification with the following message: "Successfully updated MFA Policy".

Depending on the security needs of your organization and users, you may also consider Adaptive MFA. Learn more about how Adaptive MFA works.

Did you get a warning about enabling MFA?

You may see a modal warning you about the possible consequences of always requiring MFA:

All new and existing users who are not enrolled in Multi-factor Authentication will be required to enroll using one of the enabled factors the next time they log in. This will apply across all applications within your tenant.

If it shows up, click the "Continue" button.

Test Your MFA Strategy with Device Biometrics

Use the Auth0 Dashboard to log in

Instructions

  • Visit the Auth0 Dashboard home page.
  • Locate the "Try your Login box" under the "Next Steps" section.
  • Click the "Try it out" link.
  • Log in using any of the available login options.

Expected results

The Auth0 Universal Login page should prompt you to use two authentication factors to complete your login or sign-up:

  • If you sign up, you need to provide...
    • Something you know: You must create a username/password combination or use a social login provider like Google (if you have enabled that feature in your Auth0 tenant).
    • Something you have: You could enroll a security key or an authenticator application, for example.
    • Something you are: You'll have to enroll your face or a fingerprint.
      • Notice that this is optional. Auth0 will ask you if you'd like to enroll your device biometrics to log in faster the next time.
  • If you log in, you need to provide...
    • Something you know: You must use a username/password combination or a social login provider like Google.
    • Something you are if you enrolled your device biometrics: You'll have to show your face or scan your fingerprint.
    • Something you have, as an alternative to device biometrics: You'll have to connect and tap your security key or enter a One-Time Password (OTP) from an authenticator application.

Recap

You have effectively set up MFA, reducing the likelihood of many account-takeover attacks. It's common for third parties to steal usernames and passwords (through breaches, reuse, or phishing) or to attack user accounts programmatically with credential stuffing and password spraying. An additional MFA factor, such as WebAuthn with FIDO Device Biometrics, stops a stolen password from being enough on its own, and because the WebAuthn credential is bound to your application's origin, it also cannot be replayed from a phishing site. This protects the data and privacy of your users.

You can also configure the Auth0 Universal Login to let users authenticate using WebAuthn with Device Biometrics instead of a password. Try it out!

A user gets the option to use device biometrics or a password to log in.