Exclusively use biometrics #363
Replies: 1 comment 2 replies
-
Hello @PHR1990, this is a common request from certain types of RP's (e.g. financial websites) and I understand where you're coming from. You'll be disappointed to hear that WebAuthn doesn't allow that level of control over how a user performs user verification. The rationale I've heard is that biometric is only ever a convenience over having to enter a PIN. The PIN is fundamental protection in FIDO land, and authenticators that offer biometric always have a PIN/password of some kind as a fallback that can be entered instead when biometrics aren't available for whatever reason. Thus there's no way to truly go "biometric only" because you can't register a biometric without first establishing a PIN. The |
-
Hello!
I am currently trying to use WebAuthn in a project.
One of the requirements we have is to ONLY allow biometric authentication. And apparently WebAuthn defaults to PIN when either a user cancels the biometrics popup or if there are no biometrics available on the user's device.
Is there a way to only allow biometrics? Looking at the library and WebAuthn examples, I couldn't see how it even differentiates one from the other (if at all).
Perhaps there is some way to check if biometrics are available on the device?
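The reply above says WebAuthn gives the RP no control over how user verification is performed. The following added example (not code from this thread or from the library) shows what an RP can actually check: the UP and UV bits in the authenticator data, which are the same whether the user entered a PIN or used a biometric. The helper names and sample bytes are constructed for illustration; the byte layout follows the WebAuthn specification.

```javascript
// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (e.g. touch)
const FLAG_UV = 0x04; // user verified: PIN, biometric or other; the method is not encoded

// Parse the fixed 37-byte header of authenticatorData.
function parseAuthData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticatorData too short');
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// RP policy check: the strongest requirement expressible is "UV was performed",
// which pairs with requesting userVerification: 'required' in the ceremony options.
function requireUserVerification(authData) {
  const parsed = parseAuthData(authData);
  if (!parsed.userPresent) return { ok: false, reason: 'user not present' };
  if (!parsed.userVerified) return { ok: false, reason: 'user verification not performed' };
  return { ok: true, reason: 'user verified (method unknown to the RP)' };
}

// Constructed sample input: placeholder rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // placeholder hash bytes, not a real RP ID hash
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

// A biometric unlock and a PIN fallback set exactly the same bits.
const viaBiometric = sampleAuthData(FLAG_UP | FLAG_UV, 7);
const viaPin = sampleAuthData(FLAG_UP | FLAG_UV, 7);
const touchOnly = sampleAuthData(FLAG_UP, 7);

console.log(requireUserVerification(viaBiometric));
console.log(requireUserVerification(viaPin));
console.log(requireUserVerification(touchOnly));
```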