About biometric authentication settings

Hi @ika2525

I hope you’re well today!

First, as an admin you need to enable 2FA in general. To do so (I’m assuming you already have Defender installed and enabled on site):

– go to “Defender -> 2FA” page and enable feature
– then you’ll have options to decide for which user roles it should be available and whether to force 2FA (and for which user roles) or not.
– save settings

Once that’s done

a) every user (of a role you enabled 2FA for) can go to their profile page (/wp-admin/profile.php) and they’ll have option to configure 2FA for them at the bottom of the page

b) if that role is set to have 2FA forced – user who doesn’t have it yet configured will be automatically redirected to that setting upon login and will not be able to move anywhere else in dashboard from there (they’ll be “stuck” there until they setup 2FA).

However, note that you can’t decide which of those available options will be possible. You only enable and, optionally, force 2FA but user decides which one to use. They’ll be able to choose between TOTP, Backup codes, Fallback email or set “Web Authentication” (which basically includes fingerprint readers, facial recognition and even hardware keys).

Here is a full guide on Two Factor Authentication in Defender:

https://wpmudev.com/docs/wpmu-dev-plugins/defender/#two-factor-authentication

Best regards,
Adam

Thank you for your reply!

I would like to implement biometric authentication when users log in. The login page was created using WordPress Elementor/Croc Block.

Can you achieve the following?

1. Is it possible to require login only using biometric authentication (facial recognition) set by the user? (I don’t want you to log in unless face authentication is successful = you can’t enter your password either)
2. Is it possible to refuse biometric authentication once used when registering as a member and logging in for the second time? (I would like to invalidate my second membership registration.)

We look forward to your reply.

Hi @ika2525

I understand your concerns but I’m afraid most of that is undoable.

Defender doesn’t support “passwordless” login but instead it supports “two factor authentication” and “two factor” means that there are “two steps” of authorization. IN this case it’s just a standard password authorization and it’s followed by added second layer which is one of 2FA methods provided by Defender.

So that’s one thing. Then the “require only biometric authentication (facial recognition)”:

As I mentioned previously, there is no built-in option for you to choose which ways will be available for your site users but you can actually limit it to “Web Authentication” option only with an additional bit of custom code added to the site.

Once you add this code

add_filter( 'wd_2fa_providers', 'wpmudev_remove_defender_2fa_providers' );
function wpmudev_remove_defender_2fa_providers( $classes ) {
    $classes = [
        'WP_Defender\Component\Two_Factor\Providers\Webauthn',
    ];

    return $classes;
}

following options will disappear from users’ profiles: “TOTP”, “Backup codes”, “Fallback Email”, leaving only “Web Authentication” (which allows fingerprints, facial recognition, external hardware keys); limiting it furhter is not possible currently.

As for “Is it possible to refuse biometric authentication once used when registering as a member and logging in for the second time?“.

No, it’s not possible and it would actually defy the purpose of the 2FA used as a security feature in general.

Kind regards,
Adam

Hi @ika2525

We haven’t heard from you in a while, we will go ahead and mark this thread as resolved. If you have any additional questions or require further help, please let us know!

Kind regards,
Zafer