Combining authentication strategies
Start here
This guide illustrates how to protect high-risk operations by combining Entrust's passkey authentication and biometric authentication solutions to create a comprehensive multi-factor authentication (MFA) flow.
Introduction
High-risk operations such as password resets, financial transactions, and access to privileged information require the strongest possible authentication to protect against phishing attacks and account takeover. Multi-factor authentication addresses these security challenges by requiring users to provide multiple forms of verification before granting access.
By combining Entrust's passkey and biometric authentication solutions, you can create a robust authentication system that leverages:
- Phishing resistance — Passkeys use public-key cryptography and are bound to a specific domain (relying party ID), making them inherently resistant to phishing attacks, credential stuffing, and password-based vulnerabilities.
- High assurance identity verification — Biometric authentication provides strong confirmation that the person performing the action matches the identity of the person registered to the account, protecting against account takeover scenarios.
This combined approach is particularly effective for:
- Password resets and account recovery
- Sensitive financial transactions
- Access to privileged information or administrative functions
- Changes to critical account settings
- Regulatory compliance scenarios requiring strong authentication
Enrollment with both factors
To enable multi-factor authentication, users must first enroll with both authentication methods during onboarding.
In Workflow Studio, create an enrollment workflow that includes:
- Document and identity verification tasks.
- An Enroll passkey task to register the user's passkey.
- Biometric enrollment, with the resulting token stored either on the end user's device or on customer infrastructure storage.

An enrollment workflow that sets up both passkey and biometric (on-device) authenticators
Authentication
To authenticate users with both factors, add an Authenticate Passkey task and an Authenticate biometrics: motion task to your Studio workflow. Users will authenticate by providing their passkey, followed by completing a facial biometric scan through motion capture.

A workflow requiring both passkey and biometric authentication
Using authentication results
For system integrations, configure a webhook to receive real-time notifications when authentication workflow runs complete. The webhook payload will contain the workflow run status, which you can use to authorize or deny high-risk operations:
- approved — Both authentication factors completed successfully. The user has been verified with high assurance and can proceed with the high-risk operation.
- declined or review — One or both authentication factors failed. Deny access to the high-risk operation and prompt the user to retry or contact support.
- error — A system error occurred during authentication. While the user will be denied access, they should be permitted to retry.
- abandoned — The user did not complete the authentication flow. Deny access to the high-risk operation.
Upon receiving the webhook notification, conditionally execute the high-risk operation based on the workflow run status. The webhook payload also includes individual task results, allowing you to determine which specific authentication factor failed for detailed user feedback or security audit logging.
For auditing purposes, authentication results can also be viewed in the Results tab of your Studio Dashboard or retrieved by making an API call to retrieve the workflow run.
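One way to apply the status handling above in a webhook receiver, as an added example that is not Entrust's code. The payload field names (`workflow_run_id`, `status`, `tasks`, `name`, `result`), the `pass` result value, and the HMAC-SHA256 body signature are assumptions for illustration; take the real schema and signature scheme from the webhook documentation.

```python
import hashlib
import hmac
import json

# Run statuses named in this guide -> what to do with the pending operation.
ACTIONS = {
    "approved": "allow",
    "declined": "deny_retry_or_support",
    "review": "deny_retry_or_support",
    "error": "deny_allow_retry",
    "abandoned": "deny",
}

def sign(secret: bytes, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def decide(body: bytes, signature: str, secret: bytes, expected_run_id: str) -> dict:
    """Decide on one pending high-risk operation; every unexpected input denies."""
    def deny(reason):
        return {"action": "deny", "reason": reason, "failed_tasks": []}
    if not hmac.compare_digest(sign(secret, body).encode(), signature.encode()):
        return deny("bad_signature")
    try:
        payload = json.loads(body)
    except ValueError:
        return deny("malformed_body")
    if not isinstance(payload, dict):
        return deny("malformed_body")
    # Bind the result to the run started for this operation, not any approved run.
    if payload.get("workflow_run_id") != expected_run_id:
        return deny("run_mismatch")
    status = payload.get("status")
    # A status outside the documented set fails closed.
    action = ACTIONS.get(status, "deny") if isinstance(status, str) else "deny"
    tasks = payload.get("tasks")
    tasks = tasks if isinstance(tasks, list) else []
    # Per-task results identify which factor failed, for feedback and audit logs.
    failed = [t.get("name") for t in tasks
              if isinstance(t, dict) and t.get("result") != "pass"]
    return {"action": action, "reason": str(status), "failed_tasks": failed}

# Constructed sample (hypothetical field names): passkey passed, biometric failed.
SECRET = b"constructed-test-secret"
SAMPLE = json.dumps({
    "workflow_run_id": "run-123", "status": "declined",
    "tasks": [{"name": "authenticate_passkey", "result": "pass"},
              {"name": "authenticate_biometrics_motion", "result": "fail"}],
}).encode()
```

Execute the high-risk operation only when `action` is `allow`, and write `reason` and `failed_tasks` to the audit log for every decision.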


