Problem Statement
We have Identifier First + Biometrics enabled. But users are not prompted to enroll in biometrics after signing up.
We have a rule to conditionally prompt for MFA.
//rule logic to determine verify_mfa
if (verify_mfa) {
context.multifactor = {
provider: 'any',
allowRememberBrowser: false
};
} else {
context.multifactor = {
provider: 'none',
allowRememberBrowser: false
};
}
Troubleshooting
- Verified using New Universal Login
- HAR file shows in the /identifier request that
js-available: true
andwebauthn-available: true
, meaning that the device should support biometrics. - MFA is set to Never, and the Biometrics option is enabled.
Solution
Putting context.multifactor = { provider: ‘none’ } in a rule will prevent the Identifier First + Biometrics
from having any users get prompted to enroll in biometrics even if biometrics is intended as a passwordless option. Therefore, please remove provider: 'none'
.