Okta


Introduction

As the use of web applications and cloud services increases, the number of passwords that users have to manage is also on the rise. As a result, many users choose simple passwords that are easy to remember or reuse the same password for multiple services, which may lead to unauthorized logins. For example, the Verizon Data Breach Investigations Report (2022) shows that more than 80% of attacks against web applications result from stolen credentials.
Passwordless login using biometric authentication has been attracting attention in recent years as a solution to the problems of password authentication. Auth0 supports passwordless authentication with device biometrics through the Web Authentication API (commonly known as WebAuthn). WebAuthn is a specification established by W3C and FIDO that authenticates users with public key cryptography. When the user authenticates, Windows Hello or Touch ID matches the biometric information (face, fingerprint, etc.) registered on the device (the authenticator) itself. The biometric information and the private key are stored only on the device side and not on the service side, providing a high level of security.
In addition to security, passwordless authentication also improves convenience for users and reduces man-hours for administrators. For example, users can log in without entering passwords, and administrators do not need to reset passwords.
While biometric authentication is very attractive, implementing it from scratch in a service is a high hurdle. Auth0 provides passwordless authentication using device biometrics as a built-in function that can be enabled with no code.

Passwordless authentication

This page introduces how to configure passwordless authentication using device biometric authentication with Auth0 and shows the actual login operation.

Premise

The information on functions and settings described on this page is current as of February 2023.

Notes

To realize passwordless login using device biometric authentication with Auth0, please note the following.

1. OS and web browser support

The OS and web browsers that support login using device biometric authentication can be confirmed from the following.
Browser support - Crafted by Auth0

2. Support for Universal Login

Login using device biometric authentication is only supported by New Universal Login.
*Classic version is not supported
How it is different from Classic Universal Login - Auth0 docs

Settings

The flow of necessary settings is as follows.

0. Preparation
1. Passwordless login setting using device biometric authentication

From here, we will introduce the specific setting method.

0. Preparation

Please prepare the following before performing the following settings.

1. Passwordless login setting using device biometric authentication
  • On the Auth0 administration screen, click [Authentication] > [Authentication Profile]
  • Select [Identifier First + Biometrics] and click [Save]
  • A pop-up will appear to enable device biometric authentication as an MFA factor, so click [Confirm]

* If you have enabled "WebAuthn with FIDO Device Biometrics" in [Security] > [Multi-factor Authentication], the popup will not be displayed.


Operation check

Here we confirm the passwordless login operation, using Windows Hello for device biometric authentication and Google Chrome as the web browser.

1. Sign up
  • Access the sample application (http://localhost:3000) with a web browser and click [Log in]
  • Click [Sign up] to add a new account
  • Enter your email address and click Continue
  • Enter any password and click [Continue]
  • You will be asked to register the device biometric authentication, so click [Continue]
  • Biometric authentication registered on the device is required, so perform authentication

*In the example below, biometric authentication is performed using Windows Hello.

  • After successful biometric authentication, click [Continue]
  • Confirm that you have successfully logged into the application
2. Login
  • After logging out from the application, click [Log in] again
  • Enter the email address you registered when you signed up and click Continue
  • Since biometric authentication is required, click [Continue]
  • Perform biometric authentication
  • Confirm that you were able to log in to the application without a password

Conclusion

With Auth0, you can easily implement passwordless login with device biometric authentication. Please use this function to improve both security and usability for your users.
If you are interested in passwordless authentication realized by Auth0, please contact us.
