
Version 3.49


Enrolling a new biometrics auth factor now has an additional security requirement

When enrolling a mobile device for the biometrics authentication factor, an additional step is now required to corroborate the link between the legitimate user and the device. The user must have a successfully registered mobile number that can receive an SMS OTP before starting the biometrics enrolment.

As part of the biometrics enrolment flow, the user will need to pass an SMS OTP challenge.

When the end user requests to enrol their device, we check whether there is a mobile number associated with that user:

  • If there is a verified number, Weavr will send an OTP over SMS to the user’s registered mobile number, which they can input in the request screen (provided in our biometrics SDK). If this OTP is valid, enrolment is successful.

  • If there is a number available but it is not verified, Weavr will send an OTP over SMS to the user’s registered mobile number, which they can input in the request screen (provided in our biometrics SDK). If this OTP is valid, enrolment is successful and the mobile number is automatically verified.

  • If the user does not have a mobile number or would like to change it to another mobile number, the Embedder needs to call PATCH /corporates or PATCH /consumers before triggering the SMS challenge for the biometrics enrolment flow.

When a user tries to enrol their device for biometrics without having a mobile number, we return 409 - Mobile_Number_Not_Available.

Other scenarios when PATCH should be called are:

  • the user's mobile number has an invalid format - 409 Mobile_Number_Invalid
  • the user's mobile number has a country code that is not supported - 409 Mobile_Country_Not_Supported

All these changes will be part of our future mobile SDK releases.

Default complexity level for passwords is now set to 4

As part of a wider series of changes to enhance security for End Customers, we are increasing the default complexity level of passwords to level 4. This means that the password must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the last 5 passwords used

If your users have a Level 1 complexity password, they will be allowed to continue using it until:

  • the password expires - Level 4 complexity will be required for the new password
  • the user triggers the Forgot password flow - Level 4 complexity will be required for the new password
  • the user changes the current password - Level 4 complexity will be required for the new password
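A server-side check of these Level 4 rules, as an added example that is not Weavr's own code: the last-5 history rule is enforced by comparing the candidate against salted PBKDF2 hashes of previous passwords (an assumed storage scheme), and the special-character set is assumed to be ASCII punctuation.

```python
import hashlib
import hmac
import os
import string

# Level 4 rules as stated in the release note.
MIN_LEN, MAX_LEN, HISTORY_SIZE = 8, 30, 5
SPECIAL = set(string.punctuation)  # assumption: ASCII punctuation counts as "special"


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest used for the password history (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_level4(password, history):
    """Return the Level 4 rules the candidate violates; an empty list means accepted.

    history is a newest-first list of (salt, digest) pairs for previous passwords.
    """
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.islower() for c in password):
        violations.append("missing lowercase character")
    if not any(c.isupper() for c in password):
        violations.append("missing uppercase character")
    if not any(c.isdigit() for c in password):
        violations.append("missing digit")
    if not any(c in SPECIAL for c in password):
        violations.append("missing special character")
    # Only the HISTORY_SIZE most recent entries count; re-derive with each stored salt
    # and compare in constant time so the plaintext history never has to be kept.
    for salt, old_digest in history[:HISTORY_SIZE]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, old_digest):
            violations.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    return violations


def accept_new_password(password, history):
    """Validate the candidate and, if accepted, push its hash to the front of history."""
    violations = check_level4(password, history)
    if not violations:
        history.insert(0, hash_password(password))
    return violations
```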