The MFA Enrollment Screen for WebAuthn with Device Biometrics is Not Displayed

Problem statement

This article explains potential causes when the MFA enrollment screen for WebAuthn with Device Biometrics is not displayed on WebAuthn-capable iPhones.

Cause

MDM disables the iCloud Keychain of the iPhone, leading to Auth0 recognizing the iPhone as incapable of Device Biometrics. As a result, the MFA enrollment screen for WebAuthn with Device Biometrics is skipped.

iOS relies on iCloud Keychain as its passkey store.

A. If Password and Keychain is turned on, or if Password and Keychain is turned off and an external password manager such as 1Password is installed on the device, iCloud Keychain or the external password manager, respectively, is used as the passkey store. In this case, the MFA enrollment screen for WebAuthn with Device Biometrics is displayed.

B. If Password and Keychain is turned off, and no external password manager is installed on the device, the user gets prompted to turn on Password and Keychain. In this case, the MFA enrollment screen for WebAuthn with Device Biometrics is displayed.

C. If MDM (e.g., Miradore) disables Password and Keychain, and Password and Keychain is not displayed under Settings > User name > iCloud, this setting cannot be turned on from the user's end. In this case, the MFA enrollment screen for WebAuthn with Device Biometrics is NOT displayed.
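A capability probe of the kind the cases above describe, written as an added example (it is not Auth0's code and does not show how Auth0 itself performs the check): it asks the WebAuthn API whether a user-verifying platform authenticator is available and returns why Device Biometrics enrollment would be skipped. The `PublicKeyCredential` stubs are constructed stand-ins for the browser global; the function names and reason strings are assumptions.

```javascript
// Probe whether a user-verifying platform authenticator (Face ID / Touch ID
// backed by a passkey store) is usable. `pkc` is the PublicKeyCredential
// constructor (window.PublicKeyCredential in a browser) or undefined;
// injecting it keeps the probe testable outside a browser.
async function probeDeviceBiometrics(pkc, timeoutMs = 2000) {
  if (typeof pkc !== "function" ||
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return { capable: false, reason: "webauthn-unsupported" };
  }
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs);
  });
  try {
    const result = await Promise.race([
      pkc.isUserVerifyingPlatformAuthenticatorAvailable(), timeout]);
    if (result === "timeout") return { capable: false, reason: "timeout" };
    return result === true
      ? { capable: true, reason: "platform-authenticator-available" }
      : { capable: false, reason: "no-platform-authenticator" };
  } catch (err) {
    return { capable: false, reason: "probe-error" };
  } finally {
    clearTimeout(timer);
  }
}

// Decide which enrollment screen to show; a device that does not report a
// platform authenticator is routed to another MFA factor instead.
function chooseEnrollment(probe) {
  return probe.capable ? "webauthn-device-biometrics" : "fallback-factor";
}

// Constructed stub for the browser global: `available` true models an iPhone
// with a usable passkey store (cases A and B), false models one whose iCloud
// Keychain is disabled by MDM (case C).
function stubPublicKeyCredential(available) {
  function PublicKeyCredential() {}
  PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
    async () => available;
  return PublicKeyCredential;
}

// Demo: the MDM-restricted iPhone reports no platform authenticator, so the
// Device Biometrics screen is skipped in favour of a fallback factor.
probeDeviceBiometrics(stubPublicKeyCredential(false))
  .then((r) => console.log(chooseEnrollment(r), r.reason));
```

In a real page, pass `window.PublicKeyCredential` to the probe; the reason string tells a support engineer whether the browser lacks WebAuthn entirely or the device simply has no passkey store available.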

Solution

At this point, there are three possible workarounds:

  1. Consider removing iCloud Keychain restrictions via MDM
  2. Install an external password manager on the device that can be used as an alternative to iCloud Keychain
  3. Consider a different MFA factor in the login flow other than WebAuthn with Device Biometrics

Note: To use passkeys, iOS 16, iPadOS 16, macOS 13, or tvOS 16 (or later) is required. iCloud Keychain and two-factor authentication must also be turned on. See Apple Support: Use passkeys to sign in to apps and websites on iPhone.