Passkeys, conditional ui, etc...


Francis Augusto Medeiros-Logeay

Sep 1, 2025, 2:01:22 AM
to Keycloak User
Hi,

I just saw Niko’s presentation on KeyConf - it was great, btw.

I have been following the implementation of Passkeys closely over the last two years, and after watching his presentation, I went running to see what was different.

It seems to me that the login after enabling passkeys is much better and straightforward in 26.3.3.

But I wonder, will we ever see an automatic pop-up of the passkey login without the user having to click on “Sign in with passkey”?

Or are there many challenges to that? Is it even on the roadmap for passkeys?

Best,
Francis 


-- 
Francis Augusto Medeiros-Logeay
Oslo, Norway

Niko Köbler

Sep 1, 2025, 3:43:40 AM
to Keycloak User
Hi Francis,

First, thanks for watching my talk at KeyConf; I'm happy you liked it.

What exactly do you expect with "automatic pop up of passkeys login"?
As shown in my demo, my browser automatically offered the existing passkeys in a kind of popup in the username field. I didn't have to click on the button to sign in with a passkey. Of course, this also depends on the browser and on whether the browser implements the "WebAuthn Conditional UI" properly. With Firefox, for example, I also have some problems.

For me(!) this behavior is exactly what I want to have and get from Keycloak, as there will be a long time coming up where we need to offer both ways to the user: username/password (hopefully with MFA) _or_ passwordless passkeys only.
But from my experience with a lot of other customers and projects, the "requirements" and wishes vary a lot from customer to customer. They all want "authentication with passkeys", but the exact "how" differs a lot in the details...
So, what is your exact expectation?

Best, 
- Niko

Francis Augusto Medeiros

Sep 1, 2025, 3:54:56 AM
to Niko Köbler, Keycloak User
Hi Niko,

Thanks a lot for your reply.

Well, the thing is, from the user’s perspective, having the passkey offered in the username field is just too similar to using saved passwords. While the authentication flow will be different, this might lead to a lot of confusion.

What I would like is for some JavaScript to already check whether you have a passkey for that website and start the authentication without the user having to choose a saved passkey or click on “Sign in with Passkey”. This way, a user would only use his fingerprint (or PIN, or whatever method) to log in.

So, in other words:

- the user is redirected by the app to Keycloak
- Keycloak would then check whether the user has a passkey for that domain
- if so, the passkey authentication (with the pop-up for user verification showing automatically) would start right away; no need to click on a button or choose a passkey in the username field.

If the user doesn’t have a passkey for that website, he’d use the username/password form normally.

Is it clear now? Let me know if you’d like me to create a little storyboard for that.

Best,
Francis 


Niko Köbler

Sep 1, 2025, 4:13:10 AM
to Keycloak User
Thanks for the more detailed explanation.
Well, that's exactly the thing I meant with "differs a lot from customer to customer". Believe me, even if you think(!) that every company wants to have this experience...
IMHO, the existing way will work great; I don't share the doubt that it would confuse the users.

To the rescue: you can still implement your own custom authenticator with your desired custom logic.
That's how Keycloak works: it won't implement and provide all the different things and ways of doing something in a certain way, but you always have the possibility to implement your desired behavior through SPIs.

Best,
- Niko


Thomas Darimont

Sep 1, 2025, 4:40:28 AM
to Keycloak User
Hello all,

AFAIK you can't detect if a user has registered a passkey for your site using JavaScript without prompting them. 
This is a deliberate security and privacy feature of the Web Authentication API (WebAuthn).

However, you could build such a mechanism yourself based on a persistent (HTTP-only, secure) cookie that gives Keycloak a hint that a passkey with certain characteristics was created for this user in this browser. Then you could inspect that cookie with a custom authenticator and send the user to an optimized user experience.

Note that the FIDO Alliance provides some IMHO useful guidelines for passkey adoption: https://www.passkeycentral.org/design-guidelines/

There is also this big list of sites supporting passkeys, from which you could take some inspiration: https://www.passkeys.io/who-supports-passkeys

Cheers,
Thomas

Francis Augusto Medeiros-Logeay

Sep 1, 2025, 7:03:23 AM
to 'Thomas Darimont' via Keycloak User
Thanks Thomas,

I think I read somewhere that you can use JavaScript to silently start the check and handle it elegantly when the user doesn’t have a passkey for that domain. But I am probably wrong. This is what I got by searching a bit a while ago.

Best,
Francis 

Martin Besozzi

Sep 1, 2025, 8:19:00 AM
to Francis Augusto Medeiros-Logeay, 'Thomas Darimont' via Keycloak User
As Niko and Thomas mentioned, you can check in a custom SPI whether the user has WebAuthn passwordless credentials available, and then show or hide that authenticator in the next step accordingly.

Regards,

Martin

Francis Augusto Medeiros

Sep 4, 2025, 2:50:18 AM
to Keycloak User, Niko Köbler
Thanks Niko.

Yeah, I understand that. I just wanted to check if this was in the roadmap and/or anyone else was asking for the same thing.

I have no doubt that the existing way works great, but I disagree about the confusion. The interface on a Mac does say when it is a passkey and when it is a saved password, but the difference is subtle and I am not sure it will be noticed by many users.

I’ll run this by our UX team - if they agree with you, then I don’t think I’ll need to change anything.

Best,
Francis 

Niko Köbler

Mar 10, 2026, 4:59:32 PM
to Keycloak User
Francis, after a while, I think I know what you are (were?) looking for. Most probably you want to switch from "mediation: conditional" to "mediation: optional". This would directly open the modal dialog to confirm the passkey if there is exactly one passkey available for the current domain. No custom JavaScript required, just the plain WebAuthn spec. :)

I created an issue (and a corresponding PR) for this over last weekend: https://github.com/keycloak/keycloak/issues/46959

Best,
Niko
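The two mediation modes Niko contrasts, together with Thomas's earlier point that a passkey cannot be detected silently, as an added example that is not Keycloak's own code: the challenge and rpId values are constructed, and the `credentials` and `PKC` parameters are injectable so the logic can be exercised outside a browser.

```javascript
// Added example, not Keycloak's own code: the two WebAuthn mediation modes this
// thread discusses, around navigator.credentials.get(). Challenge and rpId are
// assumed to come from the relying party; `credentials`/`PKC` are injectable.
// Keycloak sends its challenge base64url-encoded; WebAuthn wants bytes.
function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// "conditional": browser lists matching passkeys in the username field's
//   autofill dropdown (the 26.3.x behaviour Niko describes).
// "optional": browser opens the passkey dialog at once; with exactly one passkey
//   for this rpId the user only confirms (keycloak issue 46959).
function buildGetOptions({ challenge, rpId, mediation, signal }) {
  if (mediation !== "conditional" && mediation !== "optional") {
    throw new RangeError(`mediation not covered here: ${mediation}`);
  }
  return {
    mediation,
    signal,
    publicKey: {
      challenge: base64urlToBytes(challenge),
      rpId,
      userVerification: "required", // PIN/biometric, not mere presence
      allowCredentials: [],         // discoverable credentials: authenticator picks
    },
  };
}

// Resolves to the assertion, or to null when the user has no passkey for this
// rpId or dismissed the dialog, so the page falls back to username/password.
// There is no silent "passkey exists?" probe (Thomas's point): ask, then handle refusal.
async function requestPasskey(options, credentials = globalThis.navigator?.credentials) {
  try {
    return await credentials.get(options);
  } catch (err) {
    if (err && (err.name === "NotAllowedError" || err.name === "AbortError")) return null;
    throw err; // e.g. SecurityError (origin/rpId mismatch) must surface
  }
}

// Conditional UI needs a capability check; "optional" works wherever WebAuthn does.
async function chooseMediation(promptImmediately, PKC = globalThis.PublicKeyCredential) {
  if (promptImmediately) return "optional";
  const probe = PKC && PKC.isConditionalMediationAvailable;
  const available = typeof probe === "function" ? await probe.call(PKC) : false;
  return available ? "conditional" : "optional";
}
```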


Francis Augusto Medeiros

Mar 10, 2026, 5:56:37 PM
to Niko Köbler, Keycloak User
Thanks a lot, Niko! I could never find the right terminology to describe it. So cool it was found.

I believe this would be a great feature, because for some users, especially on Macs, passkeys end up working a lot like saved passwords due to Apple’s design of the contextual menu.

Best,
Francis
