> Describes how to configure WebAuthn with Security Keys for MFA.

# Configure WebAuthn with Security Keys for MFA

For an introduction to WebAuthn and how Auth0 implements it for both Security Keys and [Device Biometrics](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn/configure-webauthn-device-biometrics-for-mfa), check out [FIDO Authentication with WebAuthn](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn).

<Card title="Availability varies by Auth0 plan">
  Both your specific login implementation and your Auth0 plan or custom agreement affect whether this feature is available. To learn more, read [Pricing](https://auth0.com/pricing).
</Card>

<Warning>
  If you need to set a custom domain, do so **before** rolling out WebAuthn in production environments. If you set or change a custom domain, previously enrolled users will not be able to authenticate.

  You can use the [Relying Party](#configure-relying-party) setting to specify the domain used to authenticate users.
</Warning>

## Use the Dashboard

1. Enable **WebAuthn with Security Keys** by going to [Dashboard > Security > Multi-factor Auth](https://manage.auth0.com/#/security/mfa).
2. Configure how you want to handle User Verification. For security keys, the typical user verification prompts users to enter a PIN to complete the WebAuthn challenge.

   1. Never: Users will never be prompted to enter a PIN. This is the default value, and it's usually good enough when using security keys for MFA. Users have already entered their password, so they have already provided some verification.
   2. If supported: Users will be prompted to enter a PIN if they already configured one in the key.
   3. Required: Users will be asked to set a PIN if it's not already set, and they'll be asked to enter it each time. This is the option that offers the highest security. Some browsers don't implement this properly (for example, [Brave](https://brave.com/) on iOS) so the authentication will fail and Auth0 will ask users to use another browser.

Note that only FIDO-2 compliant security keys support user verification. FIDO-1 keys can be used for WebAuthn, but are not usable if you set User Verification to Required.

## Configure Relying Party

WebAuthn makes phishing impossible by binding credentials to the browser's origin. Users can't use a WebAuthn credential on a site they did not register it with.

Binding credentials to the origin means if you configure a <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domain">custom domain</Tooltip> or change it, users enrolled before the change will not be able to authenticate.

WebAuthn defines a [Relying Party ID attribute](https://www.w3.org/TR/webauthn-2/#relying-party-identifier), which lets you specify the domain used to authenticate users. You can set it to any registrable domain suffix of the browser origin. For example, if the custom domain is `login.example.com`, you can configure the <Tooltip tip="Relying Party: Entity (such as a service or application) that depends on a third-party identity provider to authenticate a user." cta="View Glossary" href="/docs/glossary?term=Relying+Party">Relying Party</Tooltip> ID to `example.com`. This lets users authenticate to any `example.com` domain with their WebAuthn credentials.

Auth0 lets you specify the Relying Party ID only if you have a custom domain configured. If the custom domain changes, you must update the Relying Party ID.
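
The suffix rule and the effect of a domain change, as an added example (not Auth0's or any browser's code). `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and every hostname other than `login.example.com` and `example.com` is constructed.

```javascript
// Added example: not Auth0's or any browser's implementation.
// Constructed stand-in for the Public Suffix List, which is far larger.
const PUBLIC_SUFFIXES = new Set(["com", "org", "test", "uk", "co.uk"]);

// True when rpId is the origin's host or a registrable domain suffix of it.
function isValidRpId(origin, rpId) {
  const url = new URL(origin);
  // Simplification: only https origins are accepted here
  // (browsers also treat http://localhost as a secure context).
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (PUBLIC_SUFFIXES.has(id)) return false; // "com" alone is not registrable
  return host === id || host.endsWith("." + id); // match on a label boundary
}

// A credential is scoped to the RP ID used at enrollment. It stays usable only
// if the RP ID configured now is identical and is valid for the page origin.
function canAuthenticate(enrolledRpId, origin, configuredRpId) {
  return isValidRpId(origin, configuredRpId) &&
    enrolledRpId.toLowerCase() === configuredRpId.toLowerCase();
}

// Constructed scenarios: [enrolled RP ID, page origin, configured RP ID].
const scenarios = [
  // RP ID set to the parent domain, user on the original custom domain.
  ["example.com", "https://login.example.com", "example.com"],
  // Custom domain renamed within example.com: enrollment still works.
  ["example.com", "https://auth.example.com", "example.com"],
  // Enrolled under the full host name, then the custom domain changed.
  ["login.example.com", "https://auth.example.com", "auth.example.com"],
  // Look-alike host: the RP ID is not a suffix of this origin.
  ["example.com", "https://login.example.com.evil.test", "example.com"],
];

function runScenarios() {
  return scenarios.map(([enrolled, origin, configured]) =>
    canAuthenticate(enrolled, origin, configured));
}

console.log(runScenarios()); // [ true, true, false, false ]
```
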

## Device support

To use security keys, a browser needs to have JavaScript enabled and support WebAuthn. If those conditions are not met, Auth0 will not offer the option of enrolling or authenticating with security keys. Instead, Auth0 will challenge users with another factor, or with a recovery code if they don't have another factor enrolled.

The latest versions of popular browsers and operating systems provide support for WebAuthn with Security Keys. For more details, read the [browser support section in webauthn.me](https://webauthn.me/browser-support).

## Limitations

* When using the [MFA API](/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/mfa-api) you can list and remove WebAuthn enrollments, but you cannot enroll them.

## Learn more

* [Configure WebAuthn with Device Biometrics for MFA](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn/configure-webauthn-device-biometrics-for-mfa)
