Conditionally Enable Biometric Authentication Using Auth0 Actions
This article explains how to conditionally prompt users for biometric authentication based on specific criteria using Auth0 Actions. This approach serves as a workaround because the Biometrics + Identifier First authentication profile applies globally to the entire tenant and cannot be selectively applied to different user segments out of the box.
- Auth0 Actions
- Multi-factor Authentication (MFA)
- Biometric Authentication
- Identifier First
The Biometrics + Identifier First option is an authentication profile that applies to the entire tenant. To achieve conditional behavior, the tenant must be configured to use a standard login flow, and an Action must be implemented to trigger biometric prompts based on custom logic. While the steps below demonstrate how to trigger the prompt based on the specific application accessed, this logic can be adapted to other criteria.
- Set the tenant's Authentication Profile to Identifier + Password.
- Navigate to Security > Multi-factor Auth in the Auth0 Dashboard.
- Enable the Customize MFA Factors using Actions toggle.
- Create a Post-Login Action with the following code to challenge a user with biometrics only when logging into a specific application.
- Replace <TARGET_CLIENT_ID> with the actual Client ID of the application for which biometrics should be enabled.
exports.onExecutePostLogin = async (event, api) => {
  // To trigger biometrics for a specific application.
  const targetClientId = '<TARGET_CLIENT_ID>';
  if (event.client.client_id === targetClientId) {
    // Check if the user has any biometric factors already enrolled.
    // enrolledFactors can be absent, so fall back to an empty list.
    const hasWebAuthnFactor = (event.user.enrolledFactors || []).some(
      (factor) => factor.type === 'webauthn-platform'
    );
    if (hasWebAuthnFactor) {
      // If the user is already enrolled, challenge them with biometrics.
      api.authentication.challengeWith({ type: 'webauthn-platform' });
    } else {
      // If the user is not enrolled, prompt them to set up biometrics.
      api.authentication.enrollWith({ type: 'webauthn-platform' });
    }
  }
};
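
The article notes that this logic can be adapted to other criteria. The following added example (not part of the original article and not Auth0's own code) generalizes the single-application check to a set of applications plus a per-user flag, and separates the decision from the API calls so it can be checked offline against mock events. The `require_biometrics` app_metadata key, the `<SECOND_CLIENT_ID>` placeholder and all helper names are assumptions.

```javascript
// Added example. Placeholders and the app_metadata key below are assumptions.
const BIOMETRIC_CLIENT_IDS = new Set(['<TARGET_CLIENT_ID>', '<SECOND_CLIENT_ID>']);
const USER_FLAG = 'require_biometrics'; // hypothetical app_metadata key
const FACTOR = 'webauthn-platform';

// Pure decision: 'challenge', 'enroll' or 'skip' (no biometric prompt).
function decideBiometricStep(event) {
  const appMetadata = event.user.app_metadata || {};
  const inScope =
    BIOMETRIC_CLIENT_IDS.has(event.client.client_id) || appMetadata[USER_FLAG] === true;
  if (!inScope) return 'skip';
  // enrolledFactors may be absent on the event, so default to an empty list.
  const factors = event.user.enrolledFactors || [];
  return factors.some((f) => f.type === FACTOR) ? 'challenge' : 'enroll';
}

// Translate the decision into the same API calls the Action above makes.
function applyBiometricStep(event, api) {
  const step = decideBiometricStep(event);
  if (step === 'challenge') api.authentication.challengeWith({ type: FACTOR });
  if (step === 'enroll') api.authentication.enrollWith({ type: FACTOR });
  return step;
}

// In the Action editor, assign this handler to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => { applyBiometricStep(event, api); };

// Mock api that records which call was made, for offline checks.
function makeRecordingApi() {
  const calls = [];
  const record = (name) => (factor) => { calls.push(`${name}:${factor.type}`); };
  return { calls, authentication: { challengeWith: record('challengeWith'), enrollWith: record('enrollWith') } };
}

// Constructed sample event carrying only the fields the decision reads.
function sampleEvent(clientId, factorTypes, appMetadata) {
  const enrolledFactors = factorTypes ? factorTypes.map((type) => ({ type })) : undefined;
  return { client: { client_id: clientId }, user: { enrolledFactors, app_metadata: appMetadata } };
}

function runAction(event) {
  const api = makeRecordingApi();
  applyBiometricStep(event, api);
  return api.calls;
}

console.log(runAction(sampleEvent('<TARGET_CLIENT_ID>', ['webauthn-platform'])));
console.log(runAction(sampleEvent('<TARGET_CLIENT_ID>')));
console.log(runAction(sampleEvent('other-app', ['otp'])));
```

A `skip` result leaves the login without a biometric prompt, which matches the original Action's behaviour for applications other than the target.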