WebAuthn with FIDO Device Biometrics for MFA in Beta

The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows users to authenticate using public key cryptography instead of a password.

Authenticating with WebAuthn

WebAuthn allows users to authenticate using two kinds of authenticators:

  • Roaming authenticators are removable (such as a Yubikey), cross-platform and can be used on multiple devices. To authenticate with a roaming authenticator, you need to connect it to the device, provide proof of presence (e.g., touching it), and enter a PIN (optional).
  • Platform authenticators are attached to a device (such as a MacBook TouchBar, Windows Hello, iOS Touch/FaceId, Android’s fingerprint/face recognition implementations). They only work on that device.

WebAuthn with Device Biometrics - Public Beta

Auth0 considers Platform/Roaming authenticators as two different factors that can be enabled independently and will have different enrollment flows. Auth0 already supports Roaming Authenticators.

The Auth0 implementation of platform authenticators is called WebAuthn for Device Biometrics, and it is now in Public Beta. When released, it will be available for Auth0 tenants that have the Enterprise MFA add-on.

Note: WebAuthn will only work when the New Universal Login experience is enabled.

The WebAuthn with FIDO Device Biometrics is now shown as a new factor on the Enterprise MFA Settings page:

To enable users to authenticate with multiple devices, Auth0 will prompt users to enroll them when they support WebAuthn device biometrics.

In the example below, the user is enrolled with their iPhone after authenticating with the first MFA factor. The next time they login from that device, they’ll be able to complete MFA with Face ID.

Learn more about how to configure WebAuthn with Device Biometrics in the documentation.

How does this affect you?

Enterprise Auth0 tenants with the MFA add-on and New Universal Login Experience can allow users to perform MFA with FIDO-compliant WebAuthn device biometrics.


1 Like

Very interesting feature! Is there a way to evaluate this new functionality before actually purchasing an Enterprise license?

Hi @TDC,

I’ll reach out to your account representative for you to see what is possible! Also, you can create a new tenant to see enterprise features during its trial period.

This topic was automatically closed 27 days after the last reply. New replies are no longer allowed.