Supporting both OTP and WebAuthn for authentication

Philip Colmer

Feb 5, 2022, 12:01:18 PM
to Keycloak User
I'm running Keycloak 16.1.1 and I've been asked to support hardware authentication keys, so I want to enable WebAuthn.

According to the documentation and a blog I found (https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/), it should be possible to configure the "WebAuthn Browser" flow so that a user who has configured both OTP and a security device can - at the time of authentication - choose which method they want to use.

However, with both "WebAuthn Authenticator" and "OTP Form" set as Alternative within the conditional flow, only OTP is ever asked for when a dual-authenticated user signs in.

If I reconfigure the flow to disable OTP and make WebAuthn required, the security token works as expected.

What have I misunderstood or misconfigured, please? Unfortunately, most of the blogs about WebAuthn and Keycloak only go through the steps to support just WebAuthn and not both methods of authenticating.

Thanks.

Philip

Philip Colmer

Feb 6, 2022, 6:12:50 AM
to Keycloak User
I found the cause - the theme I was using had been brought forward from an older version of Keycloak and is missing the "Try another way" prompt that the Keycloak theme has. It is that prompt that allows the user to switch between factors.

Hope that helps anyone else facing a similar issue.

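Added example, not part of the original thread and not Keycloak's own code: a check for the condition described in the second post, a custom login theme whose `template.ftl` override lacks the "Try another way" prompt, so users with both OTP and WebAuthn cannot switch factors. Assumptions: themes live under `<root>/<theme>/login/`, inheritance is declared as `parent=` in `login/theme.properties`, the stock prompt is identifiable by the string `tryAnotherWay`, and the theme names `legacy`, `inherits` and `child` are constructed samples.

```python
import tempfile
from pathlib import Path

# Assumption: the stock template marks the prompt with "tryAnotherWay" identifiers.
MARKER = "tryanotherway"
BUILTIN = {"base", "keycloak"}  # assumed to ship with the prompt

def parent_of(theme_dir):
    """Return the parent= value from login/theme.properties, if any."""
    props = theme_dir / "login" / "theme.properties"
    if props.is_file():
        for line in props.read_text(encoding="utf-8").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "parent":
                return value.strip()
    return None

def audit_theme(root, name, seen=frozenset()):
    """Classify a login theme: 'ok', 'missing-prompt' or 'unresolved'."""
    if name in BUILTIN:
        return "ok"
    theme_dir = Path(root) / name
    if name in seen or not theme_dir.is_dir():
        return "unresolved"  # parent loop, or theme not on disk
    template = theme_dir / "login" / "template.ftl"
    if template.is_file():  # an override replaces the parent's template
        text = template.read_text(encoding="utf-8", errors="replace")
        return "ok" if MARKER in text.lower() else "missing-prompt"
    parent = parent_of(theme_dir)
    return audit_theme(root, parent, seen | {name}) if parent else "unresolved"

def demo():
    """Audit three constructed themes in a temporary directory."""
    samples = {  # constructed sample themes, not real Keycloak files
        "legacy": {"theme.properties": "parent=keycloak\n",
                   "template.ftl": "<html><#nested \"form\"></html>\n"},
        "inherits": {"theme.properties": "parent=keycloak\n"},
        "child": {"theme.properties": "parent=legacy\n"},
    }
    with tempfile.TemporaryDirectory() as root:
        for theme, files in samples.items():
            login = Path(root, theme, "login")
            login.mkdir(parents=True)
            for fname, body in files.items():
                (login / fname).write_text(body, encoding="utf-8")
        return {t: audit_theme(root, t) for t in samples}

if __name__ == "__main__":
    print(demo())
```

A `missing-prompt` result on a theme used by a realm with more than one alternative second factor is worth fixing before enrolling users in WebAuthn, since the login page will only ever offer the first factor.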