ForgeRock SDKs

What are mobile biometrics?

Mobile biometric authentication lets users authenticate by using a mobile device’s biometric authenticator. Communication with the platform authenticator, such as fingerprint reader or facial recognition system, is handled by the SDK. The SDK communicates with AM to perform biometric registration and authentication using WebAuthn nodes. You can configure the nodes in AM to request that the SDK activates authenticators with certain criteria.

To enable mobile biometrics, the user’s authenticator must first be registered through an authentication journey with the WebAuthn Registration node. Registration involves the selected authenticator creating a key pair. This key pair is specific to the origin of the application performing the authentication. The private key is used to sign the challenge from AM and create attestation for the authenticator.

The public key of the pair is sent to AM and stored in the user’s profile. The private key is securely stored within the mobile device’s and never leaves the device at any time.

When authenticating using mobile biometrics, the registered user encounters the WebAuthn Authentication node via an authentication journey. A challenge from AM is created and sent to the user’s device. The device then signs an assertion from that challenge with its stored, private key. This assertion is then sent to AM for verification using the public key stored in the user’s profile. If the data is verified as being from the registered authenticator and passes attestation checks, the authentication is considered successful.

Copyright © 2010-2022 ForgeRock, all rights reserved.