Detecting that a Biometric Factor is Registered

We just implemented policies to support Fastpass. The issue we are coming across on Android is that when the user installed Okta Verify, it automatically enrolled them in Fastpass, but did not require that they set up biometrics. Is there a custom expression that can tell me if they have registered a biometric factor on the device, so I can have them skip that rule, if they do not, and have them hit a p/w + 1 rule?

Hi @BeejC, from a policy standpoint you can enable the biometrics requirement for Enrollment on the Okta Verify authenticator settings, and on the auth policy for the client require biometrics, but there’s no way via expression to do a check.

Depending on which sdk you’re using, it might be possible to perform this check with some custom logic. For example, you could use the sdk to check if FastPass is one of the available authenticators, and then leverage Android BiometricManager to check for biometric availability and enrollment.
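What that client-side check looks like on Android, as an added example that is not code from the thread or from Okta; it uses the AndroidX BiometricManager the reply mentions, and the `fastPassOffered` flag stands in for whatever SDK call reports FastPass as an available authenticator (assumed, not an Okta SDK API):

```kotlin
import android.content.Context
import android.content.Intent
import android.os.Build
import android.provider.Settings
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG

// Outcome of the local check; the app uses it to decide whether to take
// the FastPass + biometric path or fall back to password + 1 factor.
enum class BiometricState { ENROLLED, NOT_ENROLLED, UNAVAILABLE }

// Query only BIOMETRIC_STRONG (Class 3): a policy that requires user
// verification should not be satisfied by a weak (Class 2) biometric.
fun biometricState(context: Context): BiometricState =
    when (BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG)) {
        BiometricManager.BIOMETRIC_SUCCESS -> BiometricState.ENROLLED
        // Sensor present but the user never enrolled a fingerprint/face.
        BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> BiometricState.NOT_ENROLLED
        // No hardware, hardware temporarily unavailable, security update
        // required, or status unknown: treat all of these as not usable.
        else -> BiometricState.UNAVAILABLE
    }

// On Android 11+ the user can be sent straight to the system biometric
// enrollment screen; older releases only offer the generic security settings.
fun enrollmentIntent(): Intent =
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        Intent(Settings.ACTION_BIOMETRIC_ENROLL).putExtra(
            Settings.EXTRA_BIOMETRIC_AUTHENTICATORS_ALLOWED, BIOMETRIC_STRONG)
    } else {
        Intent(Settings.ACTION_SECURITY_SETTINGS)
    }

// Hypothetical caller. fastPassOffered is assumed to come from the app's own
// SDK check (is FastPass among the available authenticators); it is a plain
// boolean here, not an Okta SDK call.
fun chooseFlow(context: Context, fastPassOffered: Boolean): String =
    when {
        !fastPassOffered -> "password-plus-factor"
        biometricState(context) == BiometricState.ENROLLED -> "fastpass-biometric"
        // NOT_ENROLLED: the app may first launch enrollmentIntent(), then re-check.
        else -> "password-plus-factor"
    }
```

This only tells the app what the device can do; the Okta policy itself still evaluates server-side, so the check is a way to steer the user toward a rule they can satisfy rather than a way to change which rule matches.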

That is what I was afraid of. I am trying to engineer an authentication policy that will hit when the user is on a device that is registered and unmanaged, but I want to require biometrics. If they do not have biometrics turned on then the rule is hitting and failing, whereas I would like it to fall through to the next rule which will require pw + 1 factor. It seems strange that I have no ability to have the user not qualify for the rule and use a rule that they do meet the requirements. I already added a requirement for secure hardware to be present and that catches some cases (mainly VMs with no TPM emulation).
