Understanding How Passkeys and Face ID Work Together in Auth0

Overview

This article clarifies the relationship between Passkeys in Auth0 and device-level biometric authenticators, such as Face ID. It also addresses configuration requirements and flow behavior for using Passkeys.

Applies To
  • New Universal Login
  • Passkeys

Solution

"Face ID" is not configured directly in Auth0. Instead, you enable Passkeys, which are based on the Fast IDentity Online 2 (FIDO2) / Web Authentication (WebAuthn) standard. When a user authenticates with a Passkey on a device (for example, an iPhone or Mac), the operating system uses Face ID or Touch ID to verify the user locally before the Passkey is used. In this flow, Face ID is a function of the user's device, not an Auth0 configuration option.

How It Works

  1. The login flow begins with Identifier First, where the user enters an email or username.

  2. Auth0 looks up the user and determines whether a Passkey is registered for their account.

  3. If a Passkey exists, Auth0 initiates a WebAuthn challenge through the browser.

  4. The browser requests that the operating system authorize the use of the Passkey. The device then prompts the user for biometric verification (such as Face ID, Touch ID, or a PIN) to unlock the Passkey.

  5. Once verified, the Passkey is securely used to complete authentication with Auth0, logging the user in.

Configuration Requirements

To support Passkeys (and, by extension, device biometrics like Face ID):

  1. Enable the New Universal Login Experience:

    • Navigate to Dashboard > Branding > Universal Login.

    • Select New Universal Login Experience.

  2. Enable the Identifier First Authentication Profile:

    • Go to Authentication > Authentication Profiles.

    • Select and enable Identifier First.

  3. Enable Passkeys:

    • Go to Authentication > Database > Authentication Methods > Passkeys.

NOTE: Passkeys (and the underlying biometric verification) are not supported with Custom Login Pages, as Identifier First cannot be enabled in this context.

When configured with Identifier First and Passkeys, users can sign in using biometric verification (like Face ID or Touch ID) provided by their device as part of the secure Passkey login experience.

For more information, see Passkeys in Database Connections.
