Biometric Authentication
Add an extra layer of security with device biometrics like Face ID and fingerprint.
Supported Biometrics
Face ID
iOS: Apple Face ID using TrueDepth camera facial recognition.
Touch ID
iOS / macOS: Apple Touch ID fingerprint sensor authentication.
Fingerprint
Android: Android fingerprint sensors from various manufacturers.
Face Unlock
Android: Android face recognition (Class 3 biometric required).
How It Works
1. Request Created: Auth request sent with biometric flag
2. Push Received: User sees approval prompt in app
3. Biometric Prompt: Device shows Face ID/fingerprint
4. Verified: Response includes biometric confirmation
Implementation
Requiring Biometric Confirmation
Set requireBiometric: true when creating an auth request:
const request = await affirmid.auth.create({
  userId: 'user_123',
  application: 'Banking App',
  // Require biometric confirmation
  requireBiometric: true,
  // Optional: specify minimum security level
  biometricLevel: 'strong', // 'standard' | 'strong' | 'liveness'
  message: 'Confirm wire transfer of $5,000'
});

Checking Biometric Result
The auth result includes details about the biometric verification:
const result = await affirmid.auth.waitForResult(request.id);
if (result.decision === 'approved') {
  console.log(result.biometric);
  // {
  //   used: true,
  //   type: 'face_id', // 'face_id' | 'touch_id' | 'fingerprint' | 'face_unlock'
  //   level: 'strong', // Security level met
  //   timestamp: '2024-01-15T12:00:30Z'
  // }
  // Proceed with high-value action
  await processWireTransfer();
}

Security Levels
Standard
Biometric prompt shown in the AffirmID app when approving requests.
Strong
Requires Class 3 (strong) biometric hardware.
Liveness
Active liveness detection to prevent spoofing attacks.
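A server-side check of the result shape shown under Checking Biometric Result against the levels listed above, failing closed before a high-value action runs. This is an added example, not AffirmID's own code: checkBiometricResult, the level ordering (standard < strong < liveness) and the freshness window are assumptions.

```javascript
// Added example: checkBiometricResult is a hypothetical helper, not an AffirmID SDK call.
// Assumption: levels are ordered standard < strong < liveness.
const LEVEL_RANK = new Map([['standard', 1], ['strong', 2], ['liveness', 3]]);
const KNOWN_TYPES = new Set(['face_id', 'touch_id', 'fingerprint', 'face_unlock']);

function checkBiometricResult(result, policy) {
  const { minLevel, maxAgeMs, skewMs = 5000, now = Date.now() } = policy;
  const required = LEVEL_RANK.get(minLevel);
  if (required === undefined) throw new Error(`unknown minLevel: ${minLevel}`);

  // Fail closed: anything missing or unexpected is a rejection.
  if (!result || result.decision !== 'approved') return { ok: false, reason: 'not_approved' };
  const bio = result.biometric;
  if (!bio || bio.used !== true) return { ok: false, reason: 'biometric_not_used' };
  if (!KNOWN_TYPES.has(bio.type)) return { ok: false, reason: 'unknown_type' };

  const met = LEVEL_RANK.get(bio.level);
  if (met === undefined || met < required) return { ok: false, reason: 'level_too_low' };

  // Assumption: the caller wants the biometric check to be recent by its own clock.
  const ts = Date.parse(bio.timestamp);
  if (Number.isNaN(ts)) return { ok: false, reason: 'bad_timestamp' };
  const age = now - ts;
  if (age < -skewMs) return { ok: false, reason: 'timestamp_in_future' };
  if (age > maxAgeMs) return { ok: false, reason: 'stale' };

  return { ok: true, reason: 'ok' };
}

// Constructed sample results in the shape shown above (not real service output).
const NOW = Date.parse('2024-01-15T12:01:00Z');
const POLICY = { minLevel: 'strong', maxAgeMs: 120000, now: NOW };
const approvedStrong = {
  decision: 'approved',
  biometric: { used: true, type: 'face_id', level: 'strong', timestamp: '2024-01-15T12:00:30Z' },
};
const approvedNoBiometric = { decision: 'approved', biometric: { used: false } };
const approvedStandard = {
  decision: 'approved',
  biometric: { used: true, type: 'fingerprint', level: 'standard', timestamp: '2024-01-15T12:00:30Z' },
};

for (const [name, r] of Object.entries({ approvedStrong, approvedNoBiometric, approvedStandard })) {
  console.log(name, checkBiometricResult(r, POLICY));
}
```

Call the helper after waitForResult and only proceed when ok is true; log the reason on rejection so downgraded or stale approvals are visible in monitoring.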
Handling Fallbacks
Not all devices support biometrics. Handle cases where biometric authentication isn't available:
// Check device capabilities before requiring biometrics
const device = await affirmid.devices.get(userId);
if (device.biometricCapable) {
  // Device supports biometrics - require it
  await affirmid.auth.create({
    userId,
    requireBiometric: true,
    // ...
  });
} else {
  // Fallback to standard push approval
  await affirmid.auth.create({
    userId,
    requireBiometric: false,
    // Consider requiring TOTP as additional factor
    // ...
  });
}

Device Requirements
Users must have biometrics enrolled on their device. If a user removes their biometric enrollment, they'll need to use an alternative authentication method until they re-enroll.
User Experience Tips
Explain the prompt
Tell users why biometric is required (e.g., "Confirm your identity for this transaction").
Use for high-value actions
Reserve biometric requirements for sensitive operations to avoid fatigue.
Provide clear context
Include transaction details in the approval message so users know what they're confirming.
Handle failures gracefully
Allow retry attempts and provide alternatives if biometric fails.