Not Always Prompting for Login with Biometrics

Overview

This article explains one possible reason why Login with Biometrics is not always prompted on enrolled devices.

Symptoms of the issue are the following:

  • HAR file shows redirection to /u/login/password.
  • In tenant logs, the “Guardian - First factor authentication succeed (webauthn)” log does not always accompany the “Success Login” log.
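As an added example (not part of the original article), the following script checks both symptoms on exported data: it flags "Success Login" entries that have no webauthn first-factor event shortly before them for the same user, and lists HAR responses that redirect to /u/login/password. The log field names (`date`, `user_id`, `description`) and all sample records are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names (date, user_id, description) are an
# assumption about the shape of the tenant log export; adjust them if they differ.
WEBAUTHN_FIRST_FACTOR = "Guardian - First factor authentication succeed (webauthn)"
SUCCESS_LOGIN = "Success Login"

SAMPLE_LOGS = [
    {"date": "2024-01-10T09:00:00.000Z", "user_id": "auth0|alice", "description": WEBAUTHN_FIRST_FACTOR},
    {"date": "2024-01-10T09:00:01.000Z", "user_id": "auth0|alice", "description": SUCCESS_LOGIN},
    {"date": "2024-01-10T10:00:00.000Z", "user_id": "auth0|alice", "description": SUCCESS_LOGIN},
    {"date": "2024-01-10T11:00:00.000Z", "user_id": "auth0|bob", "description": SUCCESS_LOGIN},
]

# Constructed HAR fragment in the standard HAR 1.2 layout: one 302 to the password page.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://tenant.example/authorize?client_id=x"},
     "response": {"status": 302, "headers": [{"name": "Location", "value": "/u/login/password?state=y"}]}},
]}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_password_fallbacks(logs, window=timedelta(seconds=30)):
    """Return Success Login records that were not preceded within `window` by a
    webauthn first-factor event for the same user: the pattern seen when the
    DID cookie is missing and the password form is shown instead of biometrics."""
    by_user = {}
    for rec in sorted(logs, key=lambda r: r["date"]):
        by_user.setdefault(rec["user_id"], []).append(rec)
    fallbacks = []
    for recs in by_user.values():
        pending = None  # time of the latest unmatched webauthn first factor
        for rec in recs:
            if rec["description"] == WEBAUTHN_FIRST_FACTOR:
                pending = _ts(rec["date"])
            elif rec["description"] == SUCCESS_LOGIN:
                if pending is None or _ts(rec["date"]) - pending > window:
                    fallbacks.append(rec)
                pending = None  # each first factor pairs with one login
    return fallbacks

def har_password_redirects(har):
    """Return request URLs whose response redirected to /u/login/password."""
    hits = []
    for e in har["log"]["entries"]:
        headers = {h["name"].lower(): h["value"] for h in e["response"].get("headers", [])}
        if e["response"]["status"] in (301, 302, 303, 307) and "/u/login/password" in headers.get("location", ""):
            hits.append(e["request"]["url"])
    return hits
```

Run it over a real log export and HAR file to see which logins fell back to the password form and which requests triggered the redirect.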

Cause

The heuristic that decides whether biometrics should be prompted is based on the user agent and the DID cookie. The DID cookie is also what prevents user enumeration, so a request that arrives without it falls back to the password prompt.

This issue can be reproduced by deleting the DID cookie for the tenant domain in the browser. The authentication process then requests a password instead of biometrics. After a successful password login, the next login prompts for biometrics again, as long as the cookie is not deleted.

NOTE: The same behavior can be reproduced by enabling Non-persistent Session in the Advanced Tenant Settings and closing the browser, since the cookie is then discarded at the end of the browser session.

Solution

Users should leave the DID cookie for the tenant domain in place to ensure they are prompted for Login with Biometrics. After clearing cookies, one successful password login is required before biometrics is prompted again on the next login.