Face or touch unlock is a phishing-resistant multi-factor authentication (MFA) method that lets users sign in to Login.gov using their device’s built-in biometric hardware using passkey technology — such as Face ID, Touch ID, fingerprint readers, or a device PIN. This article explains how it works, device compatibility, and common troubleshooting steps.
How It Works
Face or touch unlock allows users to save a credential on their device and use it to authenticate with Login.gov. Login.gov does not store biometric data for this feature — face scans, fingerprints, and credentials remain on the user’s device only.
Account Creation
- User creates a Login.gov account with email and password.
- User selects “Face or touch unlock” as their MFA method.
- User scans their face or fingerprint (or enters their device PIN).
- User is prompted to set up a second MFA method (recommended but not strictly required — see below).
Signing In
- User enters their email and password.
- User selects “Face or touch unlock” for MFA.
- User authenticates with their device (face scan, fingerprint, or PIN).
- Login.gov verifies the credential and completes sign-in.
Device Compatibility
Face or touch unlock is available on compatible devices, including:
- iPhones with Face ID or Touch ID
- Android phones with face or fingerprint recognition
- Laptops or desktops with fingerprint readers
If a user sets up face or touch unlock on a compatible device, they can also attempt to use it when signing in from a non-compatible device — provided they have cloud syncing enabled (see below).
Cloud Syncing
Because credentials are saved locally, users typically need the same device to sign in each time. Cloud syncing changes this. For example:
- Apple devices: iCloud Keychain syncing is required and enabled by default. Apple actively prevents users from using face or touch unlock without iCloud sync.
- Android devices or Google Chrome users: Users are offered the option to sync credentials via their Google account.
Users with cloud sync enabled can share their credentials across devices, making face or touch unlock more flexible.
Second MFA Recommendation
After setting up face or touch unlock, users see a screen prompting them to add a second MFA method. Login.gov recommends setting up a second MFA method because:
- If a user loses their device and doesn’t have cloud sync enabled, they may be unable to sign in.
- A second MFA reduces the risk of needing to delete and recreate the account.
Alternative Unlock Methods
The underlying technology allows users to sign in by unlocking their device using any screen lock method — not just biometrics. This means some users may authenticate with a PIN (iPhone, Android) or pattern swipe (Android) instead of face or touch recognition.
This behavior is controlled at the operating system or browser level, not by Login.gov, and makes use of the methods a user already has set up on their device.
Phishing Resistance
Face or touch unlock is phishing-resistant because:
- Authentication uses a cryptographic key pair — the private key stays on the device, and Login.gov uses the public key to verify the user.
- The credential is bound to the Login.gov domain, so it cannot be used on a different website.
- Users have no knowledge of the authentication secret (unlike SMS codes), so it cannot be requested by a fraudster.
Other phishing-resistant MFA methods supported by Login.gov include FIDO2 security keys and PIV/CAC cards.
Requiring Face or Touch Unlock
Partners who want to require phishing-resistant MFA can configure their application to do so through the authentication request. When a user without any phishing-resistant MFA option signs in to such an application, they are prompted to set up a phishing-resistant method – face or touch unlock is the most accessible option for most users, since it works on any modern smartphone, tablet, or laptop with biometric hardware or a PIN.
Partners can also enforce phishing-resistant MFA for only a subset of users using a step-up authentication flow. For details on both approaches, see the “Customizing MFA Requirements” and “Phishing-Resistant Authentication” sections in the [Authentication guide].
Face or touch unlock is also the fastest MFA method for sandbox testing when combined with a password manager for auto-filling email and password.