Built-in Authenticators
Last updated August 31, 2021
Built-in authenticators (also called platform authenticators) verify a user’s identity through a biometric reader, such as a fingerprint, iris, or facial recognition scanner, which is built into a user’s computer or mobile device. In some cases, built-in authenticators instead confirm a user via a PIN or password that the user sets up in their device’s operating system.
This type of verification method streamlines the MFA requirement because it relies on built-in mechanisms rather than needing a separate authenticator app or physical security key. Depending on the browser and operating system that you use, built-in authenticators include Touch ID, Face ID, and Windows Hello.
Before Using Built-in Authenticators
A few things to keep in mind before using built-in authenticators:
- Your device, operating system, and browser all must support the FIDO2 WebAuthn standard.
- The built-in authenticator service (such as Touch ID, Face ID, or Windows Hello) must be enabled and set up to verify your identity via a biometric, PIN, or password.
- To use biometric authentication, a device must include a fingerprint, iris, or facial recognition scanner that’s supported by the built-in authenticator service.
To learn more, see FIDO2 WebAuthn or the documentation for your device.
This type of verification method is bound to a specific device. If you access Heroku from multiple computers (for example, a desktop workstation and a laptop), you need to register a built-in authenticator on each system.
We recommend registering another verification method to ensure that you can log in to Heroku on other devices where a built-in authenticator is not present.
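The browser-side prerequisites listed above (WebAuthn support and an enabled, set-up built-in authenticator) can be checked from the browser before you start registration. The following is an added example, not Heroku code; it uses the standard WebAuthn `PublicKeyCredential` API, and the function name and its `env` parameter are hypothetical names chosen for illustration.

```javascript
// Added example (not Heroku code). `env` is a hypothetical parameter that
// defaults to the browser global; a stub object can be passed for testing.
async function checkBuiltInAuthenticatorSupport(env = globalThis) {
  const result = {
    secureContext: env.isSecureContext === true,
    webauthn: false,
    platformAuthenticator: false,
    reason: "",
  };

  // Browsers expose WebAuthn only in secure contexts (HTTPS or localhost).
  if (!result.secureContext) {
    result.reason = "Page is not loaded in a secure context (HTTPS).";
    return result;
  }

  // PublicKeyCredential is the WebAuthn entry point; absent means no support.
  const pkc = env.PublicKeyCredential;
  if (pkc === undefined || pkc === null) {
    result.reason = "This browser does not support WebAuthn.";
    return result;
  }
  result.webauthn = true;

  // Older WebAuthn implementations may lack the platform-authenticator query.
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    result.reason = "Browser cannot report on built-in authenticators.";
    return result;
  }

  try {
    // Resolves to true only when a user-verifying platform authenticator
    // (Touch ID, Face ID, Windows Hello, ...) is available to this browser.
    result.platformAuthenticator =
      (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (err) {
    result.reason = "Query for a built-in authenticator failed: " + err.message;
    return result;
  }

  result.reason = result.platformAuthenticator
    ? "A built-in authenticator is available."
    : "No built-in authenticator is set up on this device.";
  return result;
}

// In a browser console: checkBuiltInAuthenticatorSupport().then(console.log);
```

A `false` value for `platformAuthenticator` on a device that has a biometric reader usually means the authenticator service has not been enabled or set up in the operating system.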
Registering a Built-in Authenticator
To register a built-in authenticator as an MFA verification method:
- Start at Account Settings and select Setup Multi-Factor Authentication (or Manage Multi-Factor Authentication if you have already enabled other verification methods).
- Choose the Add Built-in Authenticator option on the next page and follow the prompts to complete registration. Your registration experience may vary based on the specific device, OS version, and browser in use and involves the following steps:
  - Click Register to add a built-in authenticator.
  - Activate your built-in authenticator when prompted. For example, use Touch ID for fingerprint verification.
  - Name your authenticator and complete registration.
MFA Verification with a Built-in Authenticator
To log in using a built-in authenticator:
- After entering your email and password, you are prompted to verify your login request using your authenticator.
- Activate your built-in authenticator when prompted. For example, use Touch ID for fingerprint verification.