
Passkeys / Passwordless with WebAuthn

Overview

Passwordless authentication (passkeys) with WebAuthn lets users sign in to applications without a password. At registration the authenticator generates a key pair: the public key is stored on Keycloak as a credential of the user, while the private key never leaves the user's authenticator (the platform authenticator built into the device, such as Touch ID, Face ID or Windows Hello, or a roaming security key). At login Keycloak sends a challenge, the authenticator signs it with the private key, and Keycloak verifies the signature against the stored public key.

Users authenticate themselves using various methods supported by the WebAuthn standard, including biometric data (such as fingerprints or facial recognition), FIDO2 security keys (like YubiKey), or other compatible authenticators.
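What Keycloak checks when it receives the signed response is worth seeing concretely. The script below is an added example, not Keycloak's code: it parses the fixed header of the WebAuthn authenticatorData (RP ID hash, flags, signature counter) and applies the relying-party checks that decide whether user verification (biometric or PIN) actually happened and whether the credential may have been cloned. The sample bytes and the RP ID `auth.example.com` are constructed here; signature verification against the stored public key is left out because it needs an elliptic-curve library.

```python
"""Relying-party checks on a WebAuthn assertion's authenticatorData (added example)."""
import hashlib
import struct

FLAG_UP = 0x01  # user present (touch / gesture)
FLAG_UV = 0x04  # user verified (biometric or PIN on the authenticator)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32],
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "signCount": sign_count,
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                    require_user_verification: bool) -> list:
    """Return the policy violations found; an empty list means the header checks pass."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    # The authenticator hashes the RP ID it was asked to sign for; a mismatch means the
    # assertion was produced for another origin (phishing site or wrong realm RP ID).
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the configured RP ID")
    if not parsed["userPresent"]:
        problems.append("user presence flag not set")
    # For passwordless the passkey is the only factor, so UV must be enforced server-side;
    # the browser will happily return UP-only assertions if the policy is 'preferred'.
    if require_user_verification and not parsed["userVerified"]:
        problems.append("user verification required by policy but UV flag not set")
    # Counter rule from the WebAuthn spec: if either side is non-zero, the new value must
    # be strictly greater than the stored one, otherwise a clone may be in use.
    if (parsed["signCount"] != 0 or stored_sign_count != 0) and parsed["signCount"] <= stored_sign_count:
        problems.append("signature counter did not increase (possible cloned authenticator)")
    return problems


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input: the 37-byte header an authenticator emits for an assertion."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    good = build_authenticator_data("auth.example.com", FLAG_UP | FLAG_UV, 42)
    print(check_assertion(good, "auth.example.com", 41, True))
    no_uv = build_authenticator_data("auth.example.com", FLAG_UP, 42)
    print(check_assertion(no_uv, "auth.example.com", 41, True))
```

The UV check is the one that matters most for the configuration described on this page: with a passwordless flow, a realm policy that leaves user verification at "preferred" or "not specified" accepts a touch-only assertion from a stolen security key.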

WebAuthn authentication

Use cases

CIAM

Passwordless authentication with WebAuthn enhances security and user experience in customer-facing applications (CIAM). By eliminating the need for passwords, it reduces the risk of password-related security breaches while providing a seamless login experience for users. This is particularly valuable in sectors such as banking, healthcare, and e-commerce, where security and ease of use are paramount.

However, passwordless authentication for the general public can introduce onboarding and day-to-day friction. Users may struggle to register an authenticator, and the chosen method depends on the authenticator being available: a security key can be lost or forgotten, a phone can run out of battery. Without a recovery path this leads to frustration and abandoned logins, which hurts the overall user experience.

IAM

In business-to-business (B2B) scenarios, passwordless authentication with WebAuthn simplifies access for partners or vendors. This enhances security and user experience while facilitating efficient collaboration.

Pros & Cons

Pros

  • Enhanced security: passwordless authentication with WebAuthn eliminates the need for passwords, reducing the risk of password-related security breaches.

  • Improved user experience: Users can log in using biometric data or security keys, providing a seamless and convenient login experience.

Cons

  • Device compatibility: Users need devices that support the WebAuthn standard, which may limit accessibility for some users.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

How to configure Passwordless Authentication / Passkeys on Keycloak

The following tutorial gives a quick example of configuring passwordless authentication with WebAuthn using a biometric authenticator, to help you navigate Keycloak and test it with Face ID. It does not cover all the security best practices needed for a complete configuration (in particular the realm's WebAuthn Passwordless Policy, where user verification should be set to required).

Keycloak console - Enable New User Registration

  1. Select your realm from the dropdown list (here : tutorial-demo)
  2. From Keycloak console, click on realm settings
  3. Then click on Login
  4. Make sure that User registration is enabled
Keycloak console - Enable new user registration

Keycloak console - Required actions

  1. Click on Authentication (1.)
  2. Then click on Required actions (2.)
  3. Enable Webauthn Register Passwordless and turn on Set as default action (3.), so that newly registered users are prompted to register a passkey
Keycloak console - Required actions

Keycloak console - Duplicate Browser flow

  1. Click on Flows
  2. Select ... on the right side of the browser (Built-in) flow
  3. Click on Duplicate
  4. Name it (here : browser-passwordless-webauthn)
  5. Then click on Duplicate

You have now created a new browser flow.

Keycloak console - Duplicate Browser flow

Keycloak console - Authentication flow delete steps

  1. From the new flow (here : browser-passwordless-webauthn)
  2. Delete Username Password Form step
  3. Delete the [your flow name] - Conditional OTP step (here : browser-passwordless-webauthn - Conditional OTP)

You should have a flow with 4 steps : Cookie / Kerberos / Identity Provider Redirector / [your flow name] forms (here : browser-passwordless-webauthn forms)

Keycloak console - Delete flow steps

Keycloak console - Authentication Flow add WebAuthn Passwordless Authenticator

  1. Click on + on [your flow name] forms (here : browser-passwordless-webauthn forms)
  2. Select Add step
  3. Search for Username Form and select it
  4. Click on Add
  5. Select again Add step
  6. Search for WebAuthn Passwordless Authenticator and select it
  7. Click on Add
  8. On the WebAuthn Passwordless Authenticator step, select Required in the requirement dropdown (Username Form is Required by default)

You should have a flow with 6 steps now.

Keycloak console - Add WebAuthn Passwordless Authenticator

Keycloak console - Change Browser to your new flow

  1. From the top-level flow [your flow name] (here : browser-passwordless-webauthn), not the forms subflow
  2. Click on Action
  3. Select Bind flow
  4. Make sure that Browser flow on binding type is selected
  5. Click on Save

To verify the change, go back to the authentication flow list: your new flow should show a ✅ in the Used by column.

Keycloak console - Change browser to your new flow

Keycloak Login and Face ID validation

You have now bound the browser flow to your new flow with passwordless WebAuthn authentication for YubiKey, Face ID, fingerprint, ... (here : Face ID).

Keycloak Login and Face ID validation
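The console steps above produce a set of realm objects that can also be expressed as a Keycloak realm (partial) import. The script below is an added example, not Cloud-IAM's or Keycloak's own tooling: it emits those objects in the shape of a Keycloak realm export (the duplicated browser flow with the password and OTP steps removed, the Username Form + WebAuthn Passwordless Authenticator subflow, the required action, and the browser binding), and then lints the result for the mistakes that silently weaken the flow: binding the `forms` subflow instead of the top-level flow, leaving the password form or conditional OTP step in place, leaving the WebAuthn step at Alternative, or a passwordless policy that does not require user verification. The realm name and RP ID `auth.example.com` are assumed values, and the policy fields (`webAuthnPolicyPasswordless*`) are the caveat the tutorial says it leaves out; `autheticatorFlow` is spelled the way Keycloak's export format spells it.

```python
"""Realm-import fragment for the passwordless browser flow, plus a lint of it (added example)."""
import json

FLOW = "browser-passwordless-webauthn"
FORMS = f"{FLOW} forms"
PASSWORD_AUTHENTICATORS = {"auth-username-password-form"}


def execution(authenticator=None, flow_alias=None, requirement="REQUIRED", priority=10):
    """One authenticationExecutions entry: either an authenticator or a nested subflow."""
    entry = {"requirement": requirement, "priority": priority,
             "autheticatorFlow": flow_alias is not None,  # Keycloak's own (misspelled) field name
             "userSetupAllowed": False}
    if flow_alias is not None:
        entry["flowAlias"] = flow_alias
    else:
        entry["authenticator"] = authenticator
    return entry


def passwordless_realm_fragment(rp_id: str) -> dict:
    """Flows, required action, browser binding and passwordless policy, as in a realm export."""
    return {
        "browserFlow": FLOW,  # the binding must name the top-level flow, not the 'forms' subflow
        "authenticationFlows": [
            {"alias": FLOW, "providerId": "basic-flow", "topLevel": True, "builtIn": False,
             "authenticationExecutions": [
                 execution("auth-cookie", requirement="ALTERNATIVE", priority=10),
                 execution("auth-spnego", requirement="DISABLED", priority=20),
                 execution("identity-provider-redirector", requirement="ALTERNATIVE", priority=25),
                 execution(flow_alias=FORMS, requirement="ALTERNATIVE", priority=30)]},
            {"alias": FORMS, "providerId": "basic-flow", "topLevel": False, "builtIn": False,
             "authenticationExecutions": [
                 execution("auth-username-form", priority=10),
                 execution("webauthn-authenticator-passwordless", priority=20)]},
        ],
        "requiredActions": [
            {"alias": "webauthn-register-passwordless", "name": "Webauthn Register Passwordless",
             "providerId": "webauthn-register-passwordless", "enabled": True,
             "defaultAction": True,  # 'Set as default action' in the console
             "priority": 70, "config": {}}],
        # The passkey is the only factor: require user verification and discoverable credentials.
        # Both default to weaker values in a fresh realm (assumed hardening, not from the tutorial).
        "webAuthnPolicyPasswordlessRpId": rp_id,
        "webAuthnPolicyPasswordlessUserVerificationRequirement": "required",
        "webAuthnPolicyPasswordlessRequireResidentKey": "Yes",
    }


def lint_passwordless_flow(realm: dict) -> list:
    """Return the configuration mistakes found; an empty list means the flow is as intended."""
    problems = []
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    bound = realm.get("browserFlow")
    if bound not in flows or not flows[bound].get("topLevel"):
        return [f"browserFlow '{bound}' is not a top-level flow"]

    def walk(alias):  # flatten nested subflows into the ordered list of authenticators
        for ex in flows[alias]["authenticationExecutions"]:
            if ex.get("autheticatorFlow"):
                yield from walk(ex["flowAlias"])
            else:
                yield ex

    execs = list(walk(bound))
    names = [e["authenticator"] for e in execs]
    if set(names) & PASSWORD_AUTHENTICATORS:
        problems.append("a password form is still present in the browser flow")
    if "auth-otp-form" in names:
        problems.append("the conditional OTP step was not removed")
    if "webauthn-authenticator-passwordless" not in names:
        problems.append("WebAuthn Passwordless Authenticator missing")
    else:
        idx = names.index("webauthn-authenticator-passwordless")
        if execs[idx]["requirement"] != "REQUIRED":
            problems.append("WebAuthn Passwordless Authenticator must be REQUIRED")
        if "auth-username-form" not in names[:idx]:
            problems.append("Username Form must precede the WebAuthn step")
    if realm.get("webAuthnPolicyPasswordlessUserVerificationRequirement") != "required":
        problems.append("passwordless policy does not require user verification")
    return problems


if __name__ == "__main__":
    realm = passwordless_realm_fragment("auth.example.com")
    print(json.dumps(realm, indent=2))
    print(lint_passwordless_flow(realm))
```

The lint mirrors what a reviewer would check in the console after following the steps: Used by ✅ on the top-level flow, no Username Password Form or Conditional OTP left in the tree, the WebAuthn step marked Required, and the realm's WebAuthn Passwordless Policy set to require user verification.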

Resources