Log into your WordPress website with fingerprint and FaceID using Webauthn

 Introduction: What is a WebAuthen

WebAuthn is the official web standard for passwordless authentication allowing web browsers to perform verification by using public-key cryptography with support from a broad set of application browsers (Microsoft Edge, Chrome, Firefox, Mobile).

WebAuthn is a browser-based API that allows web applications to use built-in authentication methods (laptop password or pin, mobile, Windows Hello, Biometrics (FaceID/fingerprint), and Hardware Tokens) to simplify and secure user authentication.

In this document you will see how you can activate fingerprint and FaceID validation on your wordpress website’s login.

If you want to know more about what is webauthn and how it works you can check it here.

 Fingerprint and FaceID authentication

• Users love Fingerprint (Touch ID) and Face ID because these authentication mechanisms let them access their devices securely, with minimal effort. miniOrange webauthn allows you to authenticate users using their device’s Fingerprint and Face ID. Users first need to configure their device’s fingerprint in the plugin and from the next time onwards their login will be verified with the webauthn.
• Webauthn works on public-key cryptography so when a user tries to register a device a registration screen pops up with the available authentication method. In case of fingerprint the user needs to first configure his/her fingerprint in the device and if the fingerprint is configured in the device the user can configure the device with the website.
• In webauthn, there will be a relation between the device and the web server which makes it a strong authentication and almost impossible to bypass.

• Once the device is added to the web server the user will be prompted with the fingerprint verification from the next time onwards on login.
• The same procedure is followed for FaceID configuration. You can add your device with your FaceID and at the time of login the FaceID will be verified for the biometric authentication.
• After the device addition, when the user logs into the same website with the same device which was configured earlier they will be prompted for the device verification. It will be fingerprint in case of fingerprint verification and Face recognition in case of FaceID verification.

• If the user is trying to login he/she will be prompted with the device verification screen as shown above. Once the fingerprint or FaceID is verified then the user will be logged into the site directly.
• In case if the user is not logging in from the same device and he/she is trying to login from a device which is not registered in the system then based on the admin setting a couple of possibilities can be achieved:
  • Do not allow the user to login from a non registered device.
  • Allow the user to login with any alternative two-factor authentication method.
  miniOrange supports both the options and the admin can change it with the help of configuration.
• In case if the admin has decided to allow multiple authentication methods on login then miniOrange supports many authentication methods as the alternative methods. OTP Over SMS, OTP Over Email, Google authenticator, Microsoft authenticator are some of the popular methods.
• You can check the complete list of authentication methods here.
• So if multiple methods are allowed, users will be prompted with all the configured authentication methods. User can select his choice of method and he/she needs to verify the 2fa with that method.

 Device restriction with miniOrange webauthn:

The administrator can control the number of devices a user can register for webauthn. Webauthn works on public-key cryptography which helps to maintain a relationship between device and the web server. WIth the help of webauhn the administrator can restrict the number of allowed devices per user.

 Allowing particular type of fingerprint devices:

miniOrange webauthn solution works with both device specific fingerprint as well as cross-site fingerprint ( Keys like yubikey,etc). The administrator can control the type of fingerprint devices allowed for users to register.