I think you mentioned the answer already. You can use a client certificate with protected storage and protect/control the use with biometrics (fingerprint, face, etc.), ideally in a/the TPM or a physical smartcard.
Be aware that when connecting to the network, it may be quite user-unfriendly to require manual steps like biometrics. It causes delays and interruptions to the network connection. One additional approach is to use short-lived client certificates, then use biometric verification during the enrollment phase. In that case, at least while the certificate is valid, there is immediate authentication without delays.
Maybe others have found something that works well?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jun 09, 2025 06:31 PM
From: Brad
Subject: EAP-Bio
Anyone aware of an upcoming or existing protocol for the use of biometrics for WiFi authentication with a back-end directory (possibly Active Directory or others)? Let's call it "EAP-Biometrics" or "EAP-Bio" for short. (If that name takes off, I want credit.) It would need to be a standard so that it would be rolled out by all of the device manufacturers, OS manufacturers, carriers, etc., and baked into the configuration of each device (Microsoft, Apple, Linux, Android, Laptop, Tablet, Phone, and IoT Devices too). I would imagine this would require each device to have and make use of some type of TPM chip for the secure storage of the biometrics with a software interface to assist with the collection of the facial recognition picture / fingerprint data. The only kind-of somewhat comparable "Passwordless" protocol (as our identity guys refer to it) would be EAP-TLS where a client certificate replaces the password for the device.
Thanks,
Brad