Biometric Authentication in Flows
Using Descope Flows is an incredibly easy way to add authentication to your web applications. Being a FIDO Alliance member, we greatly encourage the use of biometrics in your authentication flow. With biometrics, the user identifies themselves with a phone number or email and then authenticates with their biometric (such as a fingerprint). You will also need to make sure that the user's phone number or email has been verified before it can be used to sign in with biometrics. This guide will explain how biometric security works with Descope and how to configure it for your users.
Why Use Biometrics Auth?
Authentication is simply a way to verify that a user is who they say they are. Biometric authentication on the web is built on WebAuthn, the standard behind FIDO passwordless login: the user's device checks the biometric (such as a fingerprint) locally and, only if that check passes, uses a private key it holds to sign a challenge from the server. Because the biometric never leaves the device and the private key is never shared, impersonating another user is far harder than with a password, which can be guessed, phished or leaked.
There is a detailed article about biometric authentication in our Learning Center, but essentially: when a user registers, their device (the authenticator) generates a public-private key pair for that site and binds it to the user's account (usually identified by an email or phone number). The private key never leaves the device; it is protected by the device's secure hardware and is unlocked only when the local biometric check succeeds. The biometric data itself is NEVER sent to or saved on a server. The public key is sent to the server once, at registration, and stored there. On every later sign-in the server sends a fresh random challenge, the device signs it with the private key, and the server verifies the signature with the stored public key. Since a public key cannot be used to produce a signature, and the browser ties each signature to the site's origin, neither a stolen server database nor a phishing page gives an attacker anything useful, which makes WebAuthn a very secure form of authentication.
Now that you're familiar with how biometric auth works, let's see how you can use Descope to easily incorporate it into your authentication flow. If you're unfamiliar with how Flows works, there is a great tutorial video on our Getting Started page for you to learn more.
Configuring Biometrics with Descope
Overall it's very straightforward to use Descope with biometrics: you just need to add a biometric button to your main sign-in page and then add the logic to the main flow page.
When starting a new customer-facing project with Descope Flows, I added Social Login and Biometrics as the primary authentication methods with no MFA.
However, as you can see, when I try to use biometrics by typing in an email and then clicking Sign in with Biometrics, I get an error like this:
This occurs because the phone number or email you're trying to sign in with has not been verified. The user has to be verified first because Descope needs to be sure that the biometric credential being registered belongs to the person who actually controls that email or phone number; without that check, anyone could register their own fingerprint against someone else's address.
If you are a site administrator, you can see which users have verified phone numbers or email addresses on the Users dashboard; the little orange "!" symbol indicates the verification status here:
To verify a user, that user will need to sign themselves in using their email or phone number and prove they control it, usually via an OTP or Magic Link sent to the method of choice. This can also be done by signing in with Social Login such as Google or Microsoft.
In our example, the first time a user signs in with Google, after entering their name, a popup will appear asking them to add biometric data:
The user simply follows those steps, and once they've registered their biometric credential they can sign in using biometrics. You can also change the flow to do more checks on the user, or change the way the user logs in so that biometrics acts as a secondary authentication method (a second factor) rather than the primary one.
And that's really all there is to it! Congratulations on stepping into the 2020s, where you can ditch those darn passwords and sign in with your fingerprint instead.
If you have any other questions about Descope or our biometric auth, feel free to reach out to us!