Use case: Configure biometric authentication in ForgeRock Identity Cloud

Use case overview

Providing secure and seamless login journeys with biometric factors is a common use case that is easily implemented in ForgeRock Identity Cloud.

With the increased adoption of FIDO2 and Web Authentication (WebAuthn), strong authenticators such as Windows Hello and Apple’s Touch ID are now built into many devices. Identity Cloud natively supports WebAuthn, so you can design simple user journeys that invoke the biometric sensors on FIDO2-enabled devices during authentication.

ForgeRock also provides an SDK for browsers and mobile applications to make biometric authentication easy to implement. For further information, see ForgeRock SDKs.

Additionally, ForgeRock can integrate with the growing number of third-party vendors that specialize in biometric authentication. For further information, see Identity Cloud - Marketplace.

Steps to achieve this use case

In this use case, we’ll demonstrate how to create a simple WebAuthn login journey. With WebAuthn, users can authenticate by using a FIDO2 device such as the fingerprint scanner on their laptop or phone.

To create a simple WebAuthn login journey:

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Journeys > New Journey.

  3. Enter a unique name for the WebAuthn journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.

  4. Create a journey similar to this, keeping the default node configurations as they are:

    Node descriptions:

    • Platform Username - Prompts the user to enter their username. See Platform Username node for further information.
    • WebAuthn Authentication Node - Checks whether the device supports WebAuthn and allows users to use a registered FIDO2 device during authentication. See WebAuthn Authentication node for further information.
    • Platform Password - Collects the user’s password if no FIDO2 device has been registered or if the device is not FIDO2-enabled. See Platform Password node for further information.
    • Data Store Decision - Verifies that the username and password values match those in the data store configured for the realm. See Data Store Decision node for further information.
    • WebAuthn Registration Node - Allows users of supported clients to register FIDO2 devices for use during authentication. See WebAuthn Registration node for further information.
  5. Click Save to save the journey.

NOTE: This is an example of a simple WebAuthn journey. You may wish to add additional friction to the password branch, such as email verification or OTP. Other nodes you may wish to include in your WebAuthn journey for more complexity include Increment Login Count node, WebAuthn Device Storage node, Recovery Code Collector Decision node, and Recovery Code Display node.
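The sketch below is an added example, not ForgeRock code or an Identity Cloud export. It models the journey from step 4 as a graph and lists every route that ends in a successful login without a FIDO2 device being verified or enrolled. The wiring between nodes and the outcome labels are assumptions inferred from the node descriptions above.

```javascript
// Added sketch: the journey from step 4 as a graph. The wiring is an ASSUMPTION
// inferred from the node descriptions; outcome labels are illustrative only.
const journey = {
  start: "PlatformUsername",
  nodes: {
    PlatformUsername: { next: "WebAuthnAuthentication" },
    WebAuthnAuthentication: {
      success: "SUCCESS",
      failure: "FAILURE",
      unsupported: "PlatformPassword",        // device is not FIDO2-enabled
      noDeviceRegistered: "PlatformPassword", // nothing enrolled yet
    },
    PlatformPassword: { next: "DataStoreDecision" },
    DataStoreDecision: { true: "WebAuthnRegistration", false: "FAILURE" },
    WebAuthnRegistration: {
      success: "SUCCESS",
      unsupported: "SUCCESS", // assumption: password-only login still completes
      failure: "FAILURE",
    },
  },
};

// Enumerate every route from the start node to SUCCESS as "Node:outcome" steps.
function successPaths(j) {
  const paths = [];
  const walk = (node, trail) => {
    if (node === "SUCCESS") return void paths.push(trail);
    if (node === "FAILURE") return;
    if (trail.some((s) => s.startsWith(node + ":"))) return; // loop guard
    for (const [outcome, target] of Object.entries(j.nodes[node])) {
      walk(target, [...trail, `${node}:${outcome}`]);
    }
  };
  walk(j.start, []);
  return paths;
}

// Routes that reach SUCCESS without a FIDO2 device being verified or enrolled.
function passwordOnlyPaths(j) {
  const fido = new Set(["WebAuthnAuthentication:success", "WebAuthnRegistration:success"]);
  return successPaths(j).filter((p) => !p.some((step) => fido.has(step)));
}

for (const p of passwordOnlyPaths(journey)) console.log(p.join(" -> "));
```

Each route printed is a login that rests on the password alone, which is where the friction mentioned in the note (email verification or OTP) would be placed.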

Testing the use case

To test the use case, make sure that your test end user doesn’t have any devices already registered on their profile.

NOTE: The test should be run on a client that supports WebAuthn. See MFA: Web authentication (WebAuthn) for further information. The steps may differ slightly depending on your browser type; in this example, we’re using Google Chrome.

Register a new FIDO2 device

  1. In the Identity Cloud admin UI, go to Journeys.

  2. Click the WebAuthn journey you created previously and copy the Preview URL.


  3. Paste the preview URL into a browser using Incognito or private browsing mode.

  4. Enter the test user’s username in the Sign In screen and click Next.

  5. Enter the test user’s password and click Next.

  6. Select the method of registering the device. In this example, we’ll choose This device.

  7. Click Continue.

  8. Scan your fingerprint when prompted, for example with Touch ID.

Once your identity has been verified and the device has been associated with the account, you are successfully logged in as the test user.

The next time you log in as the test user using the WebAuthn journey, you won’t be asked for a password, just a username and fingerprint scan.

View and rename the registered device

  1. Log in as the test user and click Edit Your Profile.

    In the Sign-in & Security section, 2-Step Verification should be ‘On’. This indicates that device(s) have been registered.

  2. Click Change > > Edit name to rename the device.


  3. Click Save.
