Enable/disable WebAuthn (biometrics) per user based on user_metadata or some other flag?

Hi everyone,

I’m working on a mobile application using Universal Login (New Experience), and I’m trying to determine whether it’s possible to dynamically enable or disable WebAuthn (device biometrics) per user based on a flag stored in user_metadata (or via any other supported mechanism).

Desired Behavior

We would like the flow to work as follows:

  1. User logs in for the first time (username + password).

  2. User enrolls in MFA.

  3. User is prompted to enable WebAuthn (webauthn-platform).

  4. User logs out.

On the next login:

  1. User enters their username.

  2. If biometrics are enabled, the user can authenticate using WebAuthn only.

    • We are currently skipping MFA via a Post-Login Action when WebAuthn is used.

Later:

  1. The user disables “biometric login” in their profile settings inside the app.

    • This updates a flag in user_metadata, e.g. biometric_enabled = false.

  2. User logs out.

On the following login:

  1. User enters their username.

  2. WebAuthn should NOT be requested.

  3. Standard login + MFA should be required again.

Based on this example, could you please clarify if it is possible to dynamically control WebAuthn availability per user (based on metadata) when using Universal Login?

Thank you!

Hi @somnio-bf

Welcome to the Auth0 Community!

Please allow me some time to research this and I will be back with some information.

Best regards,
Gerald