I have several applications using the same database connection. 1 is for an iOS application that implements biometric login to access a longer lasting refresh token to quickly access the app. I want to introduce passkeys to a number of web applications that share the same database connection, but disable passkeys for the iOS app - as it is a redundant step. It would be great if we could control this in code.
@alexp1 how would the user access the app for the first time on a new device where there is no device reauth credential provisioned? You’d still need the user to sign in with a passkey, to then bootstrap the device reauth credential.
1 Like
MFA would still be enabled on all the applications - so the user can log in with a password, use an authenticator to prove their identity and then access the iOS app - at which point the app offers the biometric option (rather than auth0).
@alexp1 the goal of passkeys is to limit or eliminate password and phishable 2FA usage. Why wouldn’t the user sign into the app using their passkey the first time? Using phishable factors for sign in, when the user has a passkey, is a bit of an antipattern.
Hi @timokta. the issue is that the journey is confusing for the user on the iOS app, in that they are asked to create 2 passkeys - 1 immediately after the other. First the auth0 process asks them to create a passkey and then as soon as they have done that they are logged in to the app which asks them if they would like to use a passkey. The iOS passkey is the journey we want them to use on a daily basis, because it is native to the app as opposed to going out to the auth0 login page in a webview.