If someone gains control of a device and knows its PIN or passcode, they could register a new biometric in the operating system and use it to access applications. Starting in version 2.98.1, Beyond Identity added biometric enrollment detection to policy, which provides additional security for device authentication by denying authentications after the device's biometric enrollment state changes.
Available for: Windows, macOS, and iOS
Note: Android is currently not supported.
Prerequisites
This enhancement requires:
- The Beyond Identity Platform Authenticator 2.98.1 or later to be installed on the device.
- A feature flag enabled on your tenant by Beyond Identity.
How it works
After you add or edit a rule that verifies the user with registered biometrics, the next time that user authenticates, Beyond Identity gathers identifying information about the device's current biometric enrollment state and stores a hash of it. On each follow-up authentication the state is hashed again and compared with the stored value, so any change to the enrollment, such as adding a biometric to or deleting one from the operating system, is detected. If the state no longer matches, the authentication is denied, and it stays denied until an admin resets the biometric enrollment for that user (see below). Note that a legitimate change by the user, such as adding a second finger, counts as a change in the same way and also requires an admin reset.
Important: We do not store the actual biometric. Only a hash of the enrollment state is kept.
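The model below is an added illustration of the check described above; it is not Beyond Identity's code, and the page does not describe how the authenticator actually obtains the enrollment state. In the model the state is a constructed list of hypothetical template identifiers (on Apple platforms the OS exposes an opaque value of this kind as LAContext.evaluatedPolicyDomainState; whether Beyond Identity uses it is not stated here). It shows the first-authentication binding, order-insensitive comparison, denial on an added or deleted biometric, the three "Then" options, and the admin reset.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Illustrative model, not Beyond Identity's implementation. The "templates" are
# constructed, hypothetical identifiers standing in for the opaque enrollment
# state the OS reports; no biometric template data is hashed or stored.

BIOMETRIC_FACTORS = {"fingerprint", "face"}
NON_BIOMETRIC_FACTORS = {"pin", "os_password"}


def enrollment_fingerprint(template_ids: list[str]) -> str:
    """Hash the set of enrolled template identifiers.

    Canonicalising (sorted, compact JSON) means re-ordering is not a change,
    while adding or deleting a template is.
    """
    canonical = json.dumps(sorted(template_ids), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class PasskeyRecord:
    """Server-side state per passkey, mirroring the Passkeys tab column."""
    user: str
    enrollment_hash: Optional[str] = None  # None until the first verified auth

    @property
    def biometric_enrollment_status(self) -> str:
        return "Enrolled" if self.enrollment_hash else "Not enrolled"


def authenticate(record: PasskeyRecord, current_templates: list[str],
                 factor_used: str, rule: str = "only_registered") -> tuple[bool, str]:
    """Apply one of the three 'Then' options to an authentication attempt."""
    if factor_used not in BIOMETRIC_FACTORS | NON_BIOMETRIC_FACTORS:
        raise ValueError(f"unknown factor: {factor_used}")

    if rule == "any_factor":                    # least secure: PIN/password also pass
        return True, "allowed: any factor accepted"

    if factor_used not in BIOMETRIC_FACTORS:    # both stricter rules need a biometric
        return False, f"denied: rule requires a biometric, got {factor_used}"

    if rule == "only_biometric":                # more secure: no enrollment binding
        return True, "allowed: biometric used, enrollment not tracked"

    if rule != "only_registered":
        raise ValueError(f"unknown rule: {rule}")

    current = enrollment_fingerprint(current_templates)
    if record.enrollment_hash is None:
        # First authentication after the rule was added: bind to current state.
        record.enrollment_hash = current
        return True, "allowed: biometric enrollment recorded"
    if current != record.enrollment_hash:
        # A template was added or deleted (legitimately or not): deny until reset.
        return False, "denied: biometric enrollment changed, admin reset required"
    return True, "allowed: enrollment unchanged"


def admin_reset(record: PasskeyRecord) -> None:
    """The 'Reset' action in the Admin console: the next auth re-binds."""
    record.enrollment_hash = None


if __name__ == "__main__":
    rec = PasskeyRecord("alice")
    print(authenticate(rec, ["tmpl-01", "tmpl-02"], "fingerprint"))
    print(rec.biometric_enrollment_status)
    # Someone with the PIN registers an extra finger: denied from now on.
    print(authenticate(rec, ["tmpl-01", "tmpl-02", "tmpl-03"], "fingerprint"))
    admin_reset(rec)
    print(authenticate(rec, ["tmpl-01", "tmpl-02", "tmpl-03"], "fingerprint"))
```

The record stays bound to the old hash after a denial, so retrying does not help; only the reset clears it, which is why the reset procedure below exists.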
Configure biometric factor detection
- Navigate to Policy > Edit policy > Add rule in the Beyond Identity Admin console.
- Add or edit Windows or macOS rules in the policy with one of the following biometric enrollment factors selected for "Then."
  - Only Registered Biometric Factors (Recommended) - Allows authentication if the rule criteria are met AND the user verifies their identity using a biometric registered with Beyond Identity as an authentication method. (Most secure)
  - Only Biometric Factors - Allows authentication if the rule criteria are met AND the user verifies their identity using a biometric. (More secure)
    Note: This doesn't require registration of the biometric with Beyond Identity, so a biometric added later by whoever holds the PIN is accepted.
  - Any Authentication Factor - Allows authentication if the rule criteria are met AND the user verifies their identity using a biometric, PIN, or operating system password. (Least secure)
  For more information about policies, see How to define policies.
- To verify that the biometric factor was applied:
  - Navigate to Events.
  - Locate an authentication event that occurred after the biometric factor was added to the policy.
  - Click the username under Principal Actor to open the Users page for that user.
  - Click the Passkeys tab. Under the Biometric Enrollment Status column, you should see a status of "Enrolled."
Reset a biometric enrollment
If a user's authentication is being denied because their biometric enrollment state changed, reset the enrollment for that user as follows.
- Navigate to Users > select a user > Passkeys tab in the Admin console.
- Click the pencil icon under the Actions column.
- Click Reset in the Biometric enrollment status field.
- Click Save Changes. The user should now be able to authenticate; their current biometric state is recorded on that next authentication.
User experience for denied authentication
If the user's biometric state has changed, they are still prompted to verify the authentication using their biometric, such as a fingerprint, as shown in the example below.
The authentication is then denied because the user cannot provide a known biometric factor, as shown in the example below.