Hello,
I want to enable biometric sign-in in my app, but apparently, enabling biometric sign-in also enables Windows Hello and other PIN-based methods, depending on the OS.
For my usage, it’s not safe enough to let my users skip the MFA using a PIN. But I want my mobile users to skip the MFA using a biometric method.
For my understanding, it’s not possible to enable/disable specific biometric methods because it’s in the control of the OS.
Because the app has two versions, one for the web and one for mobile (app store/Google Play), I was wondering if it’s possible to distinguish between the two and let only mobile users skip the MFA using the biometric approach.
That way, my desktop-users will have the regular sign-in with their MFA instead of the biometric login.
It’s worth noting that a user could log in both on the desktop and mobile.
The WebAuthn with FIDO Device Biometrics enrolls a device’s lock-screen unlock method. It’s up to the user to choose which unlocking method he chooses.
To distinguish between OSs you can use an Action where you check the event.request.user_agent’s value for example “Android” or “Mac OS X” and use this information accordingly.
If you have any other questions feel free to let us know.
I have a follow-up question: Is there a way to enforce biometric sign-in? We want to prevent users from accessing our app with weaker authentication methods such as PIN.
Ideally, users with FaceID / Fingerprint authentication would be able to use those methods, while those without biometric capabilities / those who choose to do so, should be directed to MFA instead.
Unfortunately there is no way to enforce biometric fingerprint or face recognition sign-in and deny PIN or any other similar unlocking method. It will only ask the user for the information required to unlock the screen, whichever one the user chooses.
As stated in the docs the device biometrics lets you choose between providing what you are (fingerprint or FaceID) and what you know (PIN or Pattern).