Authentication Experience

Overview

You can configure the authentication experience for your end users in the Admin Portal. This includes allowing desktop registrations, defining fallback methods (allowed authentication methods when a device does not support biometrics), and setting the expiry time of authentication flows.

Some of the authentication experience options, such as desktop registration, are set at the tenant level (apply to all of your tenant applications), some are defined per client, such as fallback methods, while others are set for the BindID application (for example, flow expiry time). Certain authentication options are also available per SDK/API request, such as login_hint (see OIDC /authorize).
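The per-request options mentioned above are passed on the OIDC /authorize call your application makes. The following added example (not code from the BindID documentation or SDK) shows a relying party building that request with login_hint alongside the standard state, nonce and PKCE protections, and validating the redirect back. AUTHORIZE_ENDPOINT, CLIENT_ID and REDIRECT_URI are placeholders for your tenant's values, and the scope string is illustrative.

```python
"""Build a BindID OIDC /authorize request that forwards a per-request
login_hint together with state, nonce and PKCE, and validate the
redirect back to the application.

Added example; not code from the BindID documentation. Assumptions:
AUTHORIZE_ENDPOINT, CLIENT_ID and REDIRECT_URI are placeholders for your
tenant's values, and the scope string is illustrative.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://bindid.example.com/authorize"  # placeholder
CLIENT_ID = "your-client-id"                                  # placeholder
REDIRECT_URI = "https://app.example.com/callback"             # placeholder


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Flatten the query string of a URL to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_url(session: dict, login_hint: Optional[str] = None) -> str:
    """Return the /authorize URL and store the per-request secrets in `session`
    (the server-side session of the browser that will follow the redirect).
    login_hint, when given, pre-fills the user's identifier in the BindID flow."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    session["oidc_state"] = secrets.token_urlsafe(32)  # ties the callback to this browser (CSRF)
    session["oidc_nonce"] = secrets.token_urlsafe(32)  # must reappear in the ID token (replay)
    session["pkce_verifier"] = verifier                # sent only at the token exchange
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",  # illustrative
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if login_hint and login_hint.strip():
        params["login_hint"] = login_hint.strip()
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect from BindID and return the authorization code.
    The stored state is consumed (one-time use) and compared in constant time;
    an error response, a missing code or a state mismatch raises ValueError."""
    params = query_params(callback_url)
    expected = session.pop("oidc_state", None)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    received = params.get("state", "")
    if not expected or not secrets.compare_digest(
        received.encode("utf-8"), expected.encode("utf-8")
    ):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    code = params.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    sess = {}
    print(build_authorize_url(sess, login_hint="alice@example.com"))
```

The state is popped from the session before any other check so that a callback, valid or not, can only be presented once; the PKCE verifier stays server-side until the code is exchanged for tokens.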

Tenant-level Settings

The settings listed in this section are configured on the Settings page and affect all BindID applications in your tenant.

Require Biometrics

You can configure BindID to only allow users to authenticate with devices that support biometrics. Before enabling this option, you should determine what percentage of your users use biometric-enabled devices to authenticate (see BindID Production Tips).

To limit authenticating with only biometric-enabled devices, under Authentication Settings, select the Only allow users to authenticate using device biometrics option.

Desktop Registration

When a device is registered using biometrics, BindID considers the device to be trusted and to belong to the user who successfully authenticated with it. Registered devices are added to the user's list of devices (User > Devices), and they can be used to authenticate the user without a fallback method (such as email magic links or SMS OTPs).

You can determine when desktop devices can be registered to BindID on the Settings page. These options are available:

  • Always allow desktop registration: Desktop devices can always be registered, even if the user does not have a registered mobile device.
  • Allow desktop registration only after registering a mobile device: Desktop devices can only be registered if the user already has at least one registered mobile device.
  • Don't allow desktop registration: Desktop devices cannot be registered. If you use this option, users are always required to use a mobile device or a fallback method to authenticate on their desktops.

If needed, you can combine this setting with the require biometrics setting to ensure a uniform end-user authentication experience. For example, if you enable the biometrics requirement and select Don't allow desktop registration, users go through the same authentication process on every desktop (scanning a QR code with their registered mobile device). Selecting Allow desktop registration only after registering a mobile device ensures that every user with a registered desktop also holds a registered mobile device, which they can use to authenticate on other desktops and to complete an account recovery flow.

Desktop to Mobile Flows

BindID allows you to set which authentication flows are displayed to users when a desktop to mobile authentication flow is initiated, for example, when users browse to a web app on a desktop but authenticate using their mobile devices.

A QR code is always displayed in the browser for desktop to mobile flows. The QR code can be scanned with a mobile device, which then opens an authentication page where the user approves the flow. In addition to the QR code, you can enable two further options: sending a link to the authentication page via SMS (SMS link), and short codes (Short code). When a user selects the short code option, a URL and a code are displayed in the web browser; the user browses to the URL on a mobile device and enters the code there.

Localization

In addition to setting a default language for BindID authentication flow pages, you can select which other languages are available. During a BindID flow, the displayed language is determined by the default language, the languages you made available, and the user's browser language settings. If the browser's preferred language is not supported (that is, not among the languages you made available), the default language is used. When initiating a CIBA authentication flow via SMS, you determine the language of the SMS by setting the ui_locales parameter in the call to /authorize_ciba.
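The following added example (not BindID's implementation) models the selection rule just described, then uses the result as the ui_locales value of a CIBA request: a user's ranked language preferences (here parsed from an Accept-Language header, or taken from a stored profile) are matched against the languages the tenant made available, with the tenant default as the fallback. DEFAULT_LANGUAGE and AVAILABLE_LANGUAGES stand in for the Admin Portal settings with illustrative values; CLIENT_ID, the scope, and the assumption that login_hint carries the phone number are placeholders.

```python
"""Pick the ui_locales value for a BindID CIBA request from a user's
language preferences, restricted to the tenant's available languages and
falling back to the tenant default.

Added illustration of the selection rule described on the page; it is not
BindID's implementation. Assumptions: DEFAULT_LANGUAGE and
AVAILABLE_LANGUAGES stand in for the Admin Portal settings (illustrative
values); CLIENT_ID, the scope and the use of login_hint for the phone
number are placeholders/assumptions.
"""
from typing import Iterable, List

DEFAULT_LANGUAGE = "en"                            # illustrative tenant default
AVAILABLE_LANGUAGES = ("en", "fr", "he", "pt-BR")  # illustrative available set
CLIENT_ID = "your-client-id"                       # placeholder


def parse_accept_language(header: str) -> List[str]:
    """Language tags from an Accept-Language header, best first.
    Ordered by descending q-value with header order as the tiebreak;
    q=0 entries and the wildcard are dropped (RFC 9110, section 12.5.4)."""
    ranked = []
    for position, item in enumerate(header.split(",")):
        pieces = [p.strip() for p in item.split(";")]
        tag = pieces[0]
        if not tag or tag == "*":
            continue
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed weight: treat as not acceptable
        if q > 0:
            ranked.append((-q, position, tag))
    ranked.sort()
    return [tag for _, _, tag in ranked]


def select_ui_locale(preferences: Iterable[str],
                     available: Iterable[str] = AVAILABLE_LANGUAGES,
                     default: str = DEFAULT_LANGUAGE) -> str:
    """First preference that is available, matched by exact tag
    (case-insensitive) or by primary subtag (fr-CA -> fr); else the default."""
    by_lower = {a.lower(): a for a in available}
    for tag in preferences:
        low = tag.lower()
        if low in by_lower:
            return by_lower[low]
        primary = low.split("-", 1)[0]
        if primary in by_lower:
            return by_lower[primary]
    return default


def build_ciba_request(phone_e164: str, preferences: Iterable[str]) -> dict:
    """Form fields for POST /authorize_ciba. ui_locales is the parameter named
    on the page; login_hint is assumed to carry the phone number the SMS goes
    to, and the remaining fields are placeholders for your client's values."""
    return {
        "client_id": CLIENT_ID,   # placeholder
        "scope": "openid",        # placeholder
        "login_hint": phone_e164,  # assumption: phone number in E.164 form
        "ui_locales": select_ui_locale(preferences),
    }


if __name__ == "__main__":
    prefs = parse_accept_language("fr-CA,fr;q=0.9,en;q=0.8")
    print(build_ciba_request("+15555550123", prefs))
```

Because a CIBA request is made from your backend rather than from the user's browser, the preference list will usually come from the user's profile; the Accept-Language parser is included for the case where the request is triggered from a web session.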

Application-level Settings

The settings listed in this section are configured on the Applications page and affect all clients associated with the BindID application.

Flow Expiration

BindID uses various flows to register devices and authenticate users, such as authentication, CIBA, registration, and recovery flows. You can set the expiry time of these flows, including links sent to users as part of a flow, so that users have enough time to complete the flow without the flow (or its link) remaining valid for longer than necessary. The maximum time to live for flows is 30 minutes.

Skip mobile verification

Sometimes users do not receive an SMS verification code, for example, because of mobile carrier issues. To ensure such users can still log in to your applications, you can allow them to continue the BindID authentication flow without the SMS code (select the Skip phone verification option). Keep in mind that when verification is skipped, the phone number used in that flow has not been confirmed by an SMS code.

Note: Mobile SMS verifications are set via the BindID API or SDK. For more information, see the Authorization API or the relevant SDK guide.

Client-level Settings

The settings listed in this section are configured on the Applications page and are specific to each client associated with the BindID application.

Fallback Methods

When biometric authentication is not available on the user's device, you can use an alternative method to authenticate the user (provided the tenant-level require biometrics option is not selected). If you want users to approve a login request only from a mobile device, select the Mobile approval only option. To enable a different fallback method, choose one of the following options:

  • Email verification code: users receive a code via email, which they must enter to authenticate
  • Email verification link: users receive a link via email and are authenticated when they open the link

Mobile Web Banners

You can add a mobile app banner to your web application, which is displayed when users authenticate to a web app on a mobile device. The banner provides the option to open or download your mobile application, which may provide a better UX for your users. To enable the banner, select Show mobile web banner for your native mobile app and add the relevant client details.