If Biometrics Are Not Available, the Screen Lock PIN/Pattern Is Offered

Overview

On mobile, if biometrics are not enabled, the expectation is that a password will be used. However, we are instead being asked for a PIN/pattern. What controls this authenticator?

Solution

In browsers, a web API is used to determine whether Auth0 can perform WebAuthn with a “platform authenticator”. Auth0 does not control that platform authenticator. For most use cases, it will be Touch ID or Face ID, depending on the operating system. If the operating system decides not to use the device's biometrics (for example, because biometrics are disabled on the device), it can instead ask for a PIN code or perform another type of local authentication that is configured. This happens entirely on the device and in the OS itself, and Auth0 has no control over this aspect.
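
The following added example (not Auth0's code) shows why the choice is invisible to the relying party: the standard WebAuthn check `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` returns only a boolean, and the authenticator data sent back after login carries a single "user verified" flag that is set whether the OS used biometrics or the screen lock PIN/pattern. The `scope` parameter and the `sampleAuthData` helper are assumptions added so the snippet also runs outside a browser, and the sample bytes are constructed.

```javascript
// Ask the browser whether a user-verifying platform authenticator exists.
// The answer is a bare boolean: true for Touch ID / Face ID and equally true
// for a device that will fall back to the screen lock PIN or pattern.
// `scope` defaults to the global object; it is a parameter only for testing.
async function platformAuthenticatorAvailable(scope = globalThis) {
  const pkc = scope.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false; // WebAuthn is not supported in this environment
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch {
    return false; // treat a failed probe as "not available"
  }
}

// Decode the fixed header of WebAuthn authenticator data:
// 32-byte rpIdHash | 1-byte flags | 4-byte big-endian signCount.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & 0x01) !== 0,  // UP bit
    userVerified: (flags & 0x04) !== 0, // UV bit: biometric or PIN/pattern, no way to tell which
    signCount: view.getUint32(33, false),
  };
}

// Constructed sample input (hypothetical helper): zeroed rpIdHash, chosen flags and counter.
function sampleAuthData(flags, count) {
  const b = new Uint8Array(37);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, count, false);
  return b;
}

// An assertion with UP and UV set (0x05) parses identically regardless of
// which local verification method the OS prompted for.
const parsed = parseAuthenticatorData(sampleAuthData(0x05, 7));
console.log(parsed);
```
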