webauthn

WebAuthn exclude pin from options


I'm implementing WebAuthn for my web app. I have a fingerprint reader (I can give you the model number if needed - it says it supports WebAuthn, FIDO etc.) which I want to use to authenticate. The problem is that the PIN option is also available (might be related to Windows Hello), but I don't want that. I only want the fingerprint option. I tried setting the `authenticatorSelection.authenticatorAttachment` to `cross-platform`, but I get an error saying: "This security key can't be used. Please try a different one". The fingerprint reader is connected via USB.

What can I do so that I only give the fingerprint option to the user?


Solution

  • Simply put, there is no mechanism in WebAuthn to only allow for biometric user verification.

    The general thinking here is, the PIN is the protection for local biometric enrollment to then perform future biometric authentication. Therefore biometric-only auth doesn't make sense because if an attacker gets your PIN then they can enroll their fingerprint and then perform biometric authentication.
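As an added illustration of the point above (example code written for this page, not from the question or the answer): the relying party can read the `authenticatorData` returned by the authenticator and confirm that user verification happened at all, but the UV flag does not record whether it was a PIN or a fingerprint, so "fingerprint only" cannot be enforced server-side either. The sample bytes are constructed; the rpIdHash is a placeholder.

```javascript
// Flag bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified: PIN, biometric, etc. are NOT distinguished
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

// Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const signCount =
    ((bytes[33] << 24) >>> 0) + (bytes[34] << 16) + (bytes[35] << 8) + bytes[36];
  const rpIdHash = Array.from(bytes.subarray(0, 32))
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
  return {
    rpIdHash,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// Relying-party policy check: when the options asked for
// userVerification: "required", reject any response whose UV flag is clear.
// Note that this is the strongest check available; a UV set because of a
// PIN and a UV set because of a fingerprint look identical here.
function verifyUserVerification(authData, requireUV) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (requireUV && !parsed.userVerified) {
    return { ok: false, reason: "UV required but not set" };
  }
  return { ok: true, parsed };
}

// Constructed sample (not a real authenticator response): placeholder
// rpIdHash of 0xab bytes, caller-chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```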