Disable biometric login for one application in shared tenant

Hi!

I’ve got a question about configurability of biometrics login.

Our company has a tenant that we use for our external users for an external-facing web application. We are working on creating a mobile app that has an application in this same tenant in order to share login/user information between both the mobile app and web app.

It’s a requirement for this app to be able to use biometric login, so we’ve enabled “Identify First + Biometrics” as our Authentication Profile in this tenant. This provides the intended UX in our mobile app.

However, we don’t necessarily love the UX for this in the web application. Our ideal would be to only allow username/password for web. But we can’t pick two different authentication profiles on a per-app basis.

Is there a way that I am missing to only enable biometrics as an option on one app within a tenant? If not, is there a best practice way to achieve two different login UX with the same user base?

Thanks!

Hi @danielle.delooze

Welcome to the Auth0 Community!

You can enable the biometrics to be only app-specific; however, you will need to switch the authentication profile back to Identifier + Password and enforce MFA through Actions.

For the MFA Policy, you will need to select Never and enable Customize MFA factors using Actions under Additional Settings.

Once you have done this, you can use the following code inside an action:

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    // Or you can use event.client.name === "{{App_Name}}"
    if (event.client.client_id === "{{Client_ID}}") {
      // Skip MFA (and therefore biometrics) for this application
      api.multifactor.enable('none');
      return;
    }

    // enrolledFactors can be missing for users with no factors
    const enrolledFactors = event.user.enrolledFactors || [];

    // Enforce MFA through FIDO biometrics if the user is enrolled
    if (enrolledFactors.some((factor) => factor.type === 'webauthn-platform')) {
      api.authentication.challengeWith({ type: 'webauthn-platform' });
    } else {
      // Enroll the user for FIDO biometrics if not enrolled
      api.authentication.enrollWith({ type: 'webauthn-platform' });
    }
  }
};

The following code will not work when using the Identifier + Biometrics authentication profile since it will prompt the user for the biometrics even if the action disabled it.

Let me know if you need any extra help or if you have any other questions!

Kind Regards,
Nik
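
An added example, not part of the reply above and not Auth0's own code: a local harness that runs the same per-application decision against a recording stub, so the policy can be checked for each client before the Action is deployed. The client IDs, the `applyPolicy`, `recordingApi` and `decide` helpers, and all event objects are constructed; it assumes each entry in `event.user.enrolledFactors` carries a `type` field.

```javascript
// Decision logic from the reply, as a plain function so it can run offline.
// WEB_CLIENT_ID and every event below are constructed placeholders.
const WEB_CLIENT_ID = 'web-client-id-placeholder';
const MOBILE_CLIENT_ID = 'mobile-client-id-placeholder';
const FACTOR = 'webauthn-platform';

function applyPolicy(event, api) {
  if (!event.authorization) return;
  if (event.client.client_id === WEB_CLIENT_ID) {
    api.multifactor.enable('none'); // web app stays username/password only
    return;
  }
  // Assumption: each enrolled factor entry has a `type` naming the factor.
  const factors = event.user.enrolledFactors || [];
  if (factors.some((f) => f.type === FACTOR)) {
    api.authentication.challengeWith({ type: FACTOR });
  } else {
    api.authentication.enrollWith({ type: FACTOR });
  }
}

// Stub api that records which methods were called, in order.
function recordingApi(calls) {
  return {
    multifactor: { enable: (p) => calls.push(`multifactor.enable:${p}`) },
    authentication: {
      challengeWith: (f) => calls.push(`challengeWith:${f.type}`),
      enrollWith: (f) => calls.push(`enrollWith:${f.type}`),
    },
  };
}

// Build a constructed event, run the policy, return the recorded calls.
function decide(clientId, enrolledFactors, authorization = {}) {
  const calls = [];
  const event = { authorization, client: { client_id: clientId }, user: { enrolledFactors } };
  applyPolicy(event, recordingApi(calls));
  return calls;
}

const cases = {
  web: decide(WEB_CLIENT_ID, [{ type: FACTOR }]),
  mobileEnrolled: decide(MOBILE_CLIENT_ID, [{ type: FACTOR }]),
  mobileOtpOnly: decide(MOBILE_CLIENT_ID, [{ type: 'otp' }]),
  mobileNoFactors: decide(MOBILE_CLIENT_ID, undefined),
  noAuthorization: decide(MOBILE_CLIENT_ID, [], null),
};
console.log(cases);
```

The `mobileOtpOnly` case is the one worth watching: a user enrolled only in another factor is sent to biometric enrollment rather than challenged with a factor they do not have.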
