Web biometrics let users authenticate by using an authenticator device. For example:
The fingerprint scanner on a laptop or phone.
Communication with the authentication devices is handled by the SDK. You can configure the nodes in AM to request that the SDK activates authenticators with certain criteria. For example, the authenticator can be:
Built into the platform.
A cross-platform USB device.
You can also configure AM to request that the device verify the identity of the user, or that a user is present.
To use web biometrics, users must first register their authenticators. If recovery codes are enabled, users must also make a copy of their codes.
Registration involves the selected authenticator creating or minting, a key pair. The key pair is specific to the origin of the site that uses it. This helps fight against phishing attacks.
The public key of the pair is sent to AM and stored in the user’s profile. The private key is stored securely, either in the authenticator itself or in the platform managing the authenticators. The private key does not leave the client at any time.
When authenticating using web biometrics, AM sends a challenge to the authenticator, expecting it to use this challenge to create a signed assertion with its stored, private key.
The assertion is then sent to AM for verification using the public key stored in the user’s profile. If the data is verified as being from the correct device, and passes any attestation checks, the authentication is successful.
The device must have a biometric (platform) authenticator.
The OS must provide access to the platform authenticator via the API.
The browser must support WebAuthn capabilities, and support the OS’s platform authenticator’s API.
If any of the above prerequisites is missing, web biometrics will not work.
For more information on support in AM, see Minimum Web Authentication User Agent Versions in the AM documentation.