Enable/disable WebAuthn (biometrics) per user based on user_metadata or some other flag?

Hi everyone,

I’m working on a mobile application using Universal Login (New Experience), and I’m trying to determine whether it’s possible to dynamically enable or disable WebAuthn (device biometrics) per user based on a flag stored in user_metadata (or via any other supported mechanism).

Desired Behavior

We would like the flow to work as follows:

  1. User logs in for the first time (username + password).

  2. User enrolls in MFA.

  3. User is prompted to enable WebAuthn (webauthn-platform).

  4. User logs out.

On the next login:

  1. User enters their username.

  2. If biometrics are enabled, the user can authenticate using WebAuthn only.

    • We are currently skipping MFA via a Post-Login Action when WebAuthn is used.

Later:

  1. The user disables “biometric login” in their profile settings inside the app.

    • This updates a flag in user_metadata, e.g. biometric_enabled = false.

  2. User logs out.

On the following login:

  1. User enters their username.

  2. WebAuthn should NOT be requested.

  3. Standard login + MFA should be required again.

Based on this example, could you please clarify if it is possible to dynamically control WebAuthn availability per user (based on metadata) when using Universal Login?

Thank you!

Hi @somnio-bf

Welcome to the Auth0 Community!

Please allow me some time to research this and I will be back with some information.

Best regards,
Gerald

2 Likes

Hi @somnio-bf

Thank you for your patience!

Reading through your use-case, I would say that it should definitely be possible to dynamically set the behaviour of WebAuthn based on user_metadata with the use of the Post-Login Trigger.

The flow design that you suggested speaks for itself I should say:

  • Steps 1-6: Normal Universal Login flow of a new user account creation and them being prompted to enroll in MFA factors. Their user_metadata flag biometric_enabled = true should be set sometime at this point by your application making a call to the Management API’s Update a User endpoint, once the user enables WebAuthn. I recommend reading through our Support Article on How to Enable MFA for a Subset of Users;

  • Step 7: Your application will make the call to the Update a User endpoint to set biometric_enabled = false. I can recommend the following Article that goes over how to Enable MFA per User and Give Users the Option to Turn It On/Off Themselves, which is a great fit for your case;

  • Steps 8-11: User authentication flow will be handled via another Post-Login Action that reads the flag in the user_metadata and conditionally handles MFA/WebAuthn prompts.

Allow me to provide some additional resources that can provide more information for implementing your desired flow:

Hopefully this helps you tinker with the flow until it is exactly as intended for your use-case, but do let me know if you encounter any roadblocks along the way.

Freely reach out to us for any other issues or requests and we will be glad to help!

Have a great one,
Gerald

2 Likes
