Biometrics MFA enabled, but seeing error "No confirmed authenticators for the enabled factors"

Problem statement

We are running into an issue where at least one user we know of is not able to sign into an application. When reviewing the logs for the user we are seeing this error: “No confirmed authenticators for the enabled factors”. Our understanding of this error is that it has something to do with multi-factor authentication.

Cause

When using WebAuthn + Device Biometrics for MFA, you would want to have another MFA factor enabled (which isn’t email). This is because the WebAuthn factor is tied to a specific device and browser; in other words, you can only use this factor on the same device+browser where you originally enrolled. Also, not all devices and browsers support WebAuthn. Therefore, WebAuthn can’t really be used as the only factor. Instead, you can think of it as something you can use in place of another enrolled factor as a convenience feature.

The way Auth0 approaches WebAuthn is that initially, the user enrolls in another MFA factor - say, SMS. Then, once they have submitted their SMS code, Auth0 will offer to enroll in WebAuthn, which once confirmed, will then be used on that device+browser in place of SMS. Auth0 will do this for every device+browser the user has until all compatible browsers are enrolled in WebAuthn. You can read more about it here:

In this case, the only factor enabled other than WebAuthn is email, so Auth0 tries to initially prompt the user for email MFA. However, the email can’t be used as an MFA factor until the user verifies the email, which results in the error you see. As soon as the user verifies the email, the flow can be completed.

Solution

To resolve this, you would need to enable another factor other than email. Auth0 does not consider email to be “true” MFA because it doesn’t represent a different factor than the user’s password (which can be reset via email):

Therefore, we don’t support using it primarily.
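The cause and solution above, turned into a small check over a tenant's Guardian factor list and a user profile. This is an added example, not Auth0's code; it assumes the factor entries have the shape returned by the Management API `GET /api/v2/guardian/factors` (`{"name": ..., "enabled": ...}`), that the user record carries the standard `email_verified` attribute, and that a factor is switched on with `PUT /api/v2/guardian/factors/{name}` (sample tenant and users are constructed).

```python
# Added example (not Auth0's code): reproduce the cause described above as a check
# over a tenant's Guardian factor list and a user profile.
# Assumed shapes: factor entries look like the Management API
# `GET /api/v2/guardian/factors` response ({"name": "sms", "enabled": true});
# the user dict carries the standard `email_verified` attribute.

WEBAUTHN = {"webauthn-platform", "webauthn-roaming"}    # bound to one device+browser
NOT_STANDALONE = WEBAUTHN | {"email", "recovery-code"}  # cannot be the first enrolled factor


def enabled_names(factors):
    """Names of the factors switched on for the tenant."""
    return {f["name"] for f in factors if f.get("enabled")}


def standalone_factors(factors):
    """Factors a user can enroll first (SMS, OTP, push, ...); WebAuthn and email excluded."""
    return enabled_names(factors) - NOT_STANDALONE


def diagnose(factors, user):
    """Return (status, explanation) for a user who is about to be challenged for MFA."""
    enabled = enabled_names(factors)
    if standalone_factors(factors):
        return ("ok", "user can enroll a standalone factor and is then offered WebAuthn")
    if "email" in enabled:
        if user.get("email_verified"):
            return ("ok", "email MFA can be used; WebAuthn is offered afterwards")
        return ("unverified_email",
                "No confirmed authenticators for the enabled factors: email is unverified")
    return ("webauthn_only", "WebAuthn cannot be the only factor; enable another one")


def enable_factor_request(name):
    """Management API request that switches a factor on (assumed endpoint shape)."""
    return ("PUT", f"/api/v2/guardian/factors/{name}", {"enabled": True})


# Constructed sample tenant: only email and platform biometrics are switched on.
TENANT_FACTORS = [
    {"name": "sms", "enabled": False},
    {"name": "otp", "enabled": False},
    {"name": "email", "enabled": True},
    {"name": "webauthn-platform", "enabled": True},
]
UNVERIFIED_USER = {"user_id": "auth0|example-1", "email_verified": False}  # constructed
VERIFIED_USER = {"user_id": "auth0|example-2", "email_verified": True}     # constructed

if __name__ == "__main__":
    print(diagnose(TENANT_FACTORS, UNVERIFIED_USER))
    fixed = [dict(f, enabled=True) if f["name"] == "otp" else f for f in TENANT_FACTORS]
    print(enable_factor_request("otp"), diagnose(fixed, UNVERIFIED_USER))
```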