biometrics webauthn

WebAuthn tied to device user or can multiple users authenticate separately?


Can a website that uses WebAuthn authenticate multiple separate users on a single device with fingerprints (or other biometrics), or can only the device's registered user (and registered biometrics) be used?

I work on internal company devices that are shared by many associates. A standard account is used to log into the device, but we'd like to use associate fingerprints to allow them to authenticate to our web app easily, without setting up their fingerprints in the device itself (only within the web app).


Solution

  • I'd like to shed another light on this...

    The WebAuthn protocol leverages local authentication to verify the user. The fingerprint (or something else, like a PIN code) is not registered "in the webapp" but is tied to the platform's user account.

    So you should either create multiple accounts, one per person, with fingerprints, PIN code or whatever, or use this single device with a shared account and use something like your phone or USB keys to identify the person.

    If you want a shared account, there is still the possibility of not using fingerprints at all, but PIN codes, passwords, swipe pattern...