2

I was wondering if we could, at any point in the WebAuthn Authentication, be able to retrieve the type used:

  • PIN,
  • Biometric (Face Id, Touch Id)

I'm mostly curious, as what I'm really looking for is some insights explaining the amount of Face ID vs Touch ID authentications used by my users.

Of course, I've checked this page but without success. Bear in mind, I don't want to access anything other than the type of authentication used by the user, I don't need any more specific or private data.

Thanks for helping!

pixelboy

1 Answer

3

The UVM extension provides this information, but you are unlikely to find it implemented anywhere. (It might work for non-discoverable credentials on Android, but we want to remove it and I don't think the result is accurate.)

The reason is that sites frequently want to use this information to, say, prohibit authentication by PIN as they feel that it's less secure than a biometric since users can tell someone else their PIN. However, this is a) problematic for accessibility, b) leads to confusing and inconsistent experiences for users, and c) doesn't make sense because a PIN is sufficient to enroll new biometric templates on most devices.

Thus while your desire to know the breakdown of facial recognition vs fingerprint doesn't fall afoul of these concerns, UVM still isn't available in general because of them. Sorry.

agl
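An added example, not part of the question or answer above: a tally of the face/fingerprint/PIN breakdown from the `uvm` client extension output, for the case where a client does return it after being asked with `extensions: { uvm: true }`. The function names and sample results are constructed for illustration; the numeric codes are the USER_VERIFY values from the FIDO Registry of Predefined Values, and a missing `uvm` field (the usual case, per the answer) is counted as `unreported`.

```javascript
// USER_VERIFY codes (FIDO Registry of Predefined Values) mapped to labels.
const USER_VERIFY = new Map([
  [0x0001, "presence_internal"],
  [0x0002, "fingerprint_internal"],
  [0x0004, "passcode_internal"],
  [0x0008, "voiceprint_internal"],
  [0x0010, "faceprint_internal"],
  [0x0020, "location_internal"],
  [0x0040, "eyeprint_internal"],
  [0x0080, "pattern_internal"],
  [0x0100, "handprint_internal"],
  [0x0200, "none"],
  [0x0400, "all"],
  [0x0800, "passcode_external"],
  [0x1000, "pattern_external"],
]);

// extResults: the object returned by credential.getClientExtensionResults().
// Returns one label per UVM entry, or ["unreported"] when the client sent none.
function uvmMethods(extResults) {
  const entries = extResults && extResults.uvm;
  if (!Array.isArray(entries) || entries.length === 0) return ["unreported"];
  return entries.map((entry) => {
    // Each entry is [userVerificationMethod, keyProtection, matcherProtection].
    const method = Array.isArray(entry) ? entry[0] : undefined;
    return USER_VERIFY.get(method) || "unknown";
  });
}

// Counts labels across many stored extension results (hypothetical helper).
function tally(allResults) {
  const counts = {};
  for (const result of allResults) {
    for (const label of uvmMethods(result)) {
      counts[label] = (counts[label] || 0) + 1;
    }
  }
  return counts;
}

// Constructed sample data, not captured from real authenticators.
const SAMPLE = [
  { uvm: [[0x0010, 0x02, 0x02]] }, // face
  { uvm: [[0x0002, 0x02, 0x02]] }, // fingerprint
  { uvm: [[0x0004, 0x01, 0x01]] }, // PIN / passcode
  {},                              // extension ignored by the client
  { uvm: [[0x0010, 0x02, 0x02]] }, // face
  { uvm: [[0x7777, 0x00, 0x00]] }, // code outside the registry
];
console.log(tally(SAMPLE));
```

The values come from the client and authenticator and cannot be relied on for policy decisions; they are only suitable for the kind of aggregate statistics the question asks about.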