Biometric Authentication
Biometric Authentication enables users to verify their identity using fingerprint or facial recognition through the ADSelfService Plus mobile app, providing a secure and convenient passwordless authentication experience.
How it works
Biometric Authentication operates through the ADSelfService Plus mobile app, which interfaces directly with the device's native biometric hardware — fingerprint sensor or Face ID. When a user is prompted for MFA, the app sends a verification request to the device's biometric system. The result is communicated back to ADSelfService Plus over an encrypted channel without transmitting the biometric data itself, which never leaves the user's device.
This is a device-based authenticator. Enrollment is tied to the specific device and app installation, not to the user's account globally.
Prerequisite
Users must have the ADSelfService Plus iOS or Android app installed on their smart devices.
Configuration steps
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- From the Choose the Policy drop-down, select a policy.
- Click Biometric Authentication.
- Select Enable Biometric Authentication.

- Users need to download the ADSelfService Plus iOS or Android mobile app to use this authentication technique.
- This is a device-based enrollment. If users install the app on another device, they need to enroll again.
- If users perform a self-service password reset or account unlock from a mobile site, they cannot use Biometric Authentication to prove their identity.
- For Biometric Authentication, users' mobile phones must support at least one biometric method (fingerprint sensor or Face ID) compatible with the ADSelfService Plus mobile app to successfully complete the enrollment and identity verification process.
Deploying the authenticator for MFA
Once the authenticator is enabled, you can deploy it as an MFA method for sensitive actions like password resets and account unlocks, protected endpoints, and logging into ADSelfService Plus. Click on the respective links to learn how.
Setting up user enrollment
Users need to download the ADSelfService Plus iOS or Android app and complete enrollment through the app. For information on enrollment options for other authenticators, click here.
Tips
- Like Push Notification Authentication, Biometric Authentication is device-bound. If a user switches devices or reinstalls the app, they must re-enroll. Always pair this authenticator with a fallback method — such as email OTP or security question and answer — so users aren't locked out during device changes.
- Biometric Authentication cannot be used from a mobile browser — only from a workstation browser triggering the ADSelfService Plus app on the user's registered device. Avoid making it the sole authenticator in policies that include users who frequently access self-service from mobile browsers.