WebAuthn for server side fingerprint verification


For my existing Java web application, I want to enable fingerprint authentication. Here are the requirements for authentication:

  • The server should store the fingerprint biometrics, and the fingerprint should be matched against the biometric stored on the server
  • This allows the user to log in from any system with a supported fingerprint scanner
  • Also, I hope the use of WebAuthn will not limit the supported fingerprint scanners, since it's a standard protocol

I know I can use the WebAuthn framework along with macOS Touch ID or Windows Hello. This allows fingerprint registration and verification to be done with the biometric stored on the local system, not on the server.

I want to know if I can use the WebAuthn framework to verify the fingerprint stored on the server side. Any links to relevant examples or tutorials will be helpful for my POC.


Solution

  • The whole point of WebAuthn & FIDO2 is to not have biometric data on some server, because it may eventually be leaked.

    Also, smartphone OSes (iOS, Android, ...) and WebAuthn (browser) implementations do not provide applications with biometric data from FIDO authenticator sensors, for the same reason (privacy) and by design.

    What you want to do is not possible. I suggest you reconsider your requirements.
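To make the answer concrete, here is an added example (not code from the question or the answer) of everything a relying party receives and checks in a WebAuthn authentication assertion: an rpIdHash, a flags byte whose UV bit says the authenticator matched the user locally, a counter, and a signature checked with the stored public key. It is written in Python rather than the asker's Java so it runs stand-alone; the rp id, origin, challenge and the hash-based stand-in for public-key signature verification are constructed for the sample.

```python
import hashlib
import json
import struct
from typing import Callable, Dict

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: the authenticator matched the biometric locally

def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Split the 37-byte fixed header every assertion carries; no template is in it."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return {"rp_id_hash": auth_data[:32],
            "user_present": bool(auth_data[32] & FLAG_UP),
            "user_verified": bool(auth_data[32] & FLAG_UV),
            "sign_count": struct.unpack(">I", auth_data[33:37])[0]}

def verify_assertion(rp_id: str, challenge: str, origin: str, stored_count: int,
                     auth_data: bytes, client_data_json: bytes, signature: bytes,
                     verify_sig: Callable[[bytes, bytes], bool]) -> Dict[str, object]:
    """Relying-party checks from the WebAuthn authentication ceremony."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        raise ValueError("wrong ceremony type or challenge (replay?)")
    if cd.get("origin") != origin:
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not parsed["user_verified"]:
        raise ValueError("UV flag clear: authenticator did not verify the user")
    if 0 < parsed["sign_count"] <= stored_count:
        raise ValueError("sign counter did not increase: possible cloned authenticator")
    # The signature covers authenticatorData || SHA-256(clientDataJSON) and is checked
    # with the credential's stored public key; verify_sig wraps that ECDSA/RSA check.
    if not verify_sig(auth_data + hashlib.sha256(client_data_json).digest(), signature):
        raise ValueError("bad signature")
    return parsed

def demo() -> Dict[str, object]:
    """Constructed sample: flags = UP|UV, counter 42, server last saw 41."""
    rp_id, origin, challenge = "example.com", "https://example.com", "c0nstructed"
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 42))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # Stand-in for public-key verification so the sample runs offline; NOT real ECDSA.
    toy_key = b"constructed-test-key"
    sig = hashlib.sha256(toy_key + auth_data + hashlib.sha256(client_data).digest()).digest()
    return verify_assertion(rp_id, challenge, origin, 41, auth_data, client_data, sig,
                            lambda msg, s: hashlib.sha256(toy_key + msg).digest() == s)
```

The returned record is the whole of what the server learns about the user-verification step: a boolean, never the fingerprint itself.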