Biometric Enrollment Detection


This article explains Beyond Identity’s Biometric Enrollment Detection feature, which enhances security by monitoring changes to registered biometrics on Windows, macOS, and iOS devices. It describes how to configure policies to enforce authentication using registered biometrics, verify enrollment status, and reset biometrics if needed, as well as the user experience when authentication is denied due to biometric changes.


If someone gains control of a device and knows its PIN or passcode, they could register a new biometric on the device and use it to gain access to applications. Starting in version 2.98.1, Beyond Identity added Biometric Enrollment Detection to policy, which provides additional security for device authentication.

Available for: Windows, macOS, and iOS

Note: Android is currently not supported.

Prerequisites

This enhancement requires:

  • The Beyond Identity Platform Authenticator 2.98.1 or later installed on the device.

  • A feature flag enabled on your tenant by Beyond Identity.

How it works

After you add or edit a rule that verifies the user with a registered biometric, the next time that user authenticates, Beyond Identity gathers identifying information about the device's biometric state and hashes it. On each later authentication the hash is recomputed and compared with the stored one, so a change to that state, such as adding or deleting a biometric in the operating system, is detected. If the state no longer matches, the authentication is denied. If needed, an admin can reset the biometric state for the user.

Important: We do not store the actual biometric.
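To make the detection logic concrete, the following is an added illustration written for this page; it is not Beyond Identity's code and does not reflect how the Platform Authenticator actually reads the operating system. It assumes the authenticator can enumerate enrollment descriptors (a kind such as "fingerprint" plus an opaque identifier), that SHA-256 of the canonicalised descriptor list is the stored state hash, and that names such as evaluate_authentication and reset_enrollment are hypothetical. Note that only a hash of enrollment metadata is kept, never biometric data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EnrollmentRecord:
    """Per-user record kept server side.

    Holds only a hash of the biometric *state* (which enrollments exist),
    never a biometric template. None means no baseline has been captured yet.
    """
    state_hash: Optional[str] = None


def fingerprint_biometric_state(enrollments: List[dict]) -> str:
    """Hash identifying metadata about the OS biometric enrollments.

    Assumption (hypothetical, not from the Beyond Identity docs): each
    enrollment is a dict like {"kind": "fingerprint", "id": "tmpl-0001"}.
    The list is canonicalised (sorted, stable key order, no whitespace) so
    that mere ordering differences are not mistaken for a change.
    """
    canonical = json.dumps(
        sorted(enrollments, key=lambda e: (e["kind"], e["id"])),
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def evaluate_authentication(record: EnrollmentRecord, enrollments: List[dict]) -> str:
    """Return "enrolled", "allowed" or "denied" for one authentication attempt.

    First authentication after the rule is added captures the baseline hash.
    Later attempts are allowed only while the recomputed hash matches it;
    an added or deleted enrollment changes the hash and the attempt is denied.
    """
    current = fingerprint_biometric_state(enrollments)
    if record.state_hash is None:
        record.state_hash = current
        return "enrolled"
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(current, record.state_hash):
        return "allowed"
    return "denied"


def reset_enrollment(record: EnrollmentRecord) -> None:
    """Admin action: drop the baseline so the next authentication re-enrols."""
    record.state_hash = None


def run_scenario() -> List[str]:
    """Constructed walk-through: enrol, re-authenticate, see an extra
    fingerprint appear, get denied, admin reset, enrol again."""
    record = EnrollmentRecord()
    # Constructed sample enrollments; identifiers are made up for the example.
    baseline = [
        {"kind": "fingerprint", "id": "tmpl-0001"},
        {"kind": "face", "id": "tmpl-0002"},
    ]
    outcomes = []
    outcomes.append(evaluate_authentication(record, baseline))                 # enrolled
    outcomes.append(evaluate_authentication(record, list(reversed(baseline))))  # allowed: order is irrelevant
    tampered = baseline + [{"kind": "fingerprint", "id": "tmpl-0003"}]
    outcomes.append(evaluate_authentication(record, tampered))                 # denied: enrollment added
    outcomes.append(evaluate_authentication(record, baseline[:1]))             # denied: enrollment deleted
    reset_enrollment(record)
    outcomes.append(evaluate_authentication(record, tampered))                 # enrolled: new baseline
    outcomes.append(evaluate_authentication(record, tampered))                 # allowed
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The denial is sticky by design: once the state no longer matches, every later attempt is denied until an admin resets the record, which mirrors the reset procedure later on this page. The example also shows why a canonical serialisation matters; if the descriptor order the OS reports were allowed to vary, a plain hash would produce false denials.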

Configure biometric factor detection

  1. Navigate to Policy > Edit policy > Add rule in the Beyond Identity Admin console.

  2. Add or edit Windows or macOS rules in the policy, selecting one of the biometric enrollment factors below as the "Then" outcome.

    • Only Registered Biometric Factors (Recommended) - Allows authentication if

      • Rule criteria are met
        AND

      • The user verifies their identity using a biometric registered with Beyond Identity as an authentication method. (Most secure)

    • Only Biometric Factors - Allows the authentication if

      • Rule criteria are met
        AND

      • The user verifies their identity using a biometric. (More secure)

        Note: This doesn't require registration of the biometric with Beyond Identity.

    • Any Authentication Factor - Allows authentication if

      • Rule criteria are met
        AND

      • The user verifies their identity using a biometric, PIN, or operating system password. (Least secure)

    For more information about policies, see How to define policies.

    [Screenshot: policy outcome]

  3. To verify that the biometric factor was applied:

    1. Navigate to Events.

    2. Locate an authentication event that occurred after the biometric factor was added to the policy.

    3. Click the username under Principal Actor to open the Users page for that user.

    4. Click the Passkeys tab. Under the Biometric Enrollment Status column, you should see a status of "Enrolled."

      [Screenshot: enrollment status column]

Reset a biometric enrollment

If you need to reset a biometric enrollment for a user, complete these steps.

  1. Navigate to Users > select a user > Passkeys tab in the Admin console.

  2. Click the pencil icon under the Actions column.

  3. Click Reset in the Biometric enrollment status field.

  4. Click Save Changes. The user should now be able to authenticate.

    [Screenshot: reset biometric]

User experience for denied authentication

If the user's biometric state has changed, they are prompted to verify the authentication using their biometric, such as a fingerprint, as shown in the example below.

[Screenshot: verify user]

The authentication is denied if the user cannot provide a known biometric factor, as shown in the example below.

[Screenshot: access denied]