Difference Between Identifier First + Biometric Login and Biometric MFA

Overview

Auth0 currently offers the ability to use biometrics both during login and for MFA. This article outlines some of the differences between these approaches.

Applies To

  • Login
  • MFA
  • Biometrics
  • Authentication Profile

Cause

Confusion can occur when choosing how to implement biometrics because they are available as a factor for both login and MFA, and each approach has different implications.

Solution

The characteristics of each biometric authentication method should be considered before implementation.

Identifier First + Biometric Login

This method is harder to customize because it cannot use the Post-Login Actions trigger.

  • Enforcing this login method only in certain situations, such as for a subset of users within a specific database connection, is not supported out of the box.
  • When a user enrolls in biometric login, they are not prompted for Biometric MFA or any other MFA factor after authenticating.
  • An enrolled user skips both password input and any MFA factors configured for that user.
  • For more details, see the documentation on Passwordless Login with WebAuthn and Device Biometrics.

Biometric MFA

This method can be heavily customized using Post-Login Actions. For example, it can be configured to be enforced only in specific situations or for specific application instances. For more information, refer to the guide on how to Configure WebAuthn with Device Biometrics for MFA.
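
A sketch of the per-application enforcement described above, written as a Post-Login Action. This is an added example, not code from the article or from Auth0. The client ID is a constructed placeholder, and it assumes WebAuthn with device biometrics is enabled as an MFA factor and that the tenant allows Actions to customize MFA factors.

```javascript
// Added example, not Auth0's own code. The client ID is a constructed placeholder;
// replace it with the ID of the application that must use biometric MFA.
const BIOMETRIC_MFA_CLIENT_IDS = new Set(['EXAMPLE_CLIENT_ID_REPLACE_ME']);

// Pure decision so the policy can be unit tested: 'skip' | 'challenge' | 'enroll'.
function decideBiometricMfa(event) {
  // Enforce only for the listed applications; all others keep the tenant default.
  if (!BIOMETRIC_MFA_CLIENT_IDS.has(event.client.client_id)) return 'skip';

  // Design choice in this example: do not prompt again when MFA was already
  // completed in the current session.
  const methods = (event.authentication && event.authentication.methods) || [];
  if (methods.some((m) => m.name === 'mfa')) return 'skip';

  // Challenge users who already registered a platform authenticator,
  // otherwise send them through enrollment.
  const factors = event.user.enrolledFactors || [];
  return factors.some((f) => f.type === 'webauthn-platform') ? 'challenge' : 'enroll';
}

const onExecutePostLogin = async (event, api) => {
  const decision = decideBiometricMfa(event);
  if (decision === 'challenge') {
    api.authentication.challengeWith({ type: 'webauthn-platform' });
  } else if (decision === 'enroll') {
    api.authentication.enrollWith({ type: 'webauthn-platform' });
  }
};

// Auth0 loads the handler from `exports`; the guard lets the file run outside Actions too.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Users who enrolled in Identifier First biometric login are not affected by this Action's MFA prompt, since that method skips MFA factors as described in the section above.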