Is it feasible to disable password for Auth0 database connection and only enable passkey login?

We have enabled the new EA feature flag "Support users without a password" but are unable to disable password for the connection.
Summary of business requirements is as follows:
1. User created in Auth0 database by Admin without password
2. User to be able to receive a "validation email" link and, on clicking the link, should be directed to enroll in Passkey (note: no initial password required to be set up by the user, and no other MFA factors to be enrolled by the user)
- Enable MFA Global Policy is required to be set to the Always option
- On subsequent login the user should be able to go to the login screen, enter their email address and log in with passkey only
Thanks in advance
Hi @mohan.mysore,
Welcome to the Auth0 Community!
You should be able to achieve this by using the new Early Access feature Native Passkeys API.
Given that this feature is still in limited Early Access, our Configure Passkey Policy still mentions that:
Currently, if you enable passkeys for a connection, you must also configure passwords as a backup authentication method. This ensures users can continue to access their accounts from browsers and older devices that may not yet support passkeys.
This explains why the Password connection cannot currently be disabled directly in the Auth0 Dashboard. However, you can customize the Email Templates to ensure a user cannot "recover" their account via a password reset (which would recreate a password): disable the "Change Password" template or redirect it to a page that explains the account is Passkey-only, or check out this article: How to Remove the "Forgot Password" Link from the New Universal Login Page.
Thank you and if you have further questions please let me know!
Best regards,
Remus
Hi Remus,
Thanks for the response provided. Any additional input is appreciated to clarify whether:
- Auth0 supports Passkey Only login for a Database connection when MFA Global Policy is set to “Always” (and the new EA feature flag is enabled for “allow users to be created without password” )
Note: we understand that this setting will require an additional MFA factor to be registered, as Passkey by itself does not satisfy the requirement for MFA Global Policy set to "Always", and we have set up Action triggers for this constraint to suppress the 2nd MFA prompt when logging in via Passkey.
- Hence we require confirmation whether the user onboarding flow below is supported for a Passkey-only login or not
New user created by Admin (either via admin dashboard or API) without any password for new user account
Auth0 to send verification email to new user account – user to validate email link — to be redirected to login page and enter email address — enroll in Passkey and 2nd MFA factor (to satisfy MFA Policy requirement) and complete first time enrollment
subsequent login - user will login with passkey only
- Is it possible to modify the Universal Login page to only show the option to log in with a Passkey button (or any links on how to set this up with ACUL)
We will check out the Native Passkey API link you have shared
Hi @mohan.mysore,
Thank you for your reply!
We can confirm that your proposed “Passkey-only” onboarding and login flow is supported. By leveraging the “Support users without a password” feature within your Database Connection, you can manage user accounts that exist without a traditional password, as detailed in our Flexible Password Policy documentation.
MFA Configuration: For the best user experience, we recommend setting your Global MFA Policy to "Never" and instead enforcing MFA via Auth0 Actions. Since you require MFA to be "Always" on, your Action script can control this requirement. This is considered best practice for Passkey flows to avoid conflicts since it allows the Action to recognize the Passkey as a strong factor and suppress redundant secondary prompts (like SMS), which a global "Always" policy would otherwise trigger automatically.
The onboarding sequence you described is supported as follows: After an admin creates the user (without a password) and the user validates their email, your application should call the MyAccount API to initiate Passkey enrollment. This ensures the user’s first interaction with their account is the creation of a secure biometric credential. For subsequent logins, the Identifier-First login experience will recognize the user’s email and immediately present the Passkey challenge. You can find the implementation details in our Native Passkeys API documentation guidance.
To provide a clean “Passkey-only” interface, the Identifier-First flow is required. Since these users lack passwords, Auth0 will naturally skip the password prompt. To further refine the UI and hide password related elements, you can use the Management API to set disable_self_service_change_password: true on your connection. This removes the “Forgot Password” link from the Universal Login widget entirely, ensuring a cohesive Passkey-centric experience, as described in the article referenced above.
I hope this helps and if you have further questions please let me know!
Kind regards,
Remus
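The connection setting mentioned above, applied through the Management API, as an added example that is not code from the thread or from Auth0. It assumes the flag lives under the connection's `options` object and relies on the documented behaviour that PATCH /api/v2/connections/{id} replaces the whole `options` object, so the current options are fetched and merged first rather than overwritten with a single key. The tenant domain, token and connection id are placeholders.

```javascript
// Added example (not Auth0's code or the thread's): set
// disable_self_service_change_password on a database connection via the
// Management API without clobbering the connection's other options.

// Build the PATCH body from the connection as currently returned by the API.
// Existing option keys are kept; only the one flag is added or updated.
// Assumption: the flag is a key of the connection's `options` object.
function buildPatchBody(connection) {
  const options = Object.assign({}, connection.options || {}, {
    disable_self_service_change_password: true,
  });
  return { options };
}

// Fetch the connection, merge, and PATCH. Needs a Management API token with
// the read:connections and update:connections scopes. Placeholders only.
async function hidePasswordResetLink(domain, token, connectionId) {
  const base = `https://${domain}/api/v2/connections/${encodeURIComponent(connectionId)}`;
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };

  // PATCH replaces `options` wholesale, so read the current object first.
  const current = await fetch(base, { headers });
  if (!current.ok) throw new Error(`GET connection failed: ${current.status}`);
  const connection = await current.json();

  const updated = await fetch(base, {
    method: 'PATCH',
    headers,
    body: JSON.stringify(buildPatchBody(connection)),
  });
  if (!updated.ok) throw new Error(`PATCH connection failed: ${updated.status}`);
  return updated.json();
}

// Constructed sample of what GET /api/v2/connections/{id} might return for a
// database connection; the option values are illustrative, not a real tenant.
const SAMPLE_CONNECTION = {
  id: 'con_EXAMPLEID',
  name: 'Username-Password-Authentication',
  strategy: 'auth0',
  options: { brute_force_protection: true, passkey_options: { challenge_ui: 'both' } },
};

if (typeof module !== 'undefined' && require.main === module) {
  // Offline demonstration: show the body that would be sent.
  console.log(JSON.stringify(buildPatchBody(SAMPLE_CONNECTION), null, 2));
  // Real run (fill in your own placeholder values):
  // hidePasswordResetLink('YOUR_TENANT.auth0.com', process.env.AUTH0_MGMT_TOKEN, 'con_...')
  //   .then((c) => console.log(c.options.disable_self_service_change_password));
}
```

Running the file prints the merged body; the existing keys such as `brute_force_protection` survive alongside the new flag, which is the point of the read-then-merge step.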
Hi Remus,
Thanks for the updated info.
Since Auth0 does not consider Passkey an independent MFA factor, and mandates a supported independent additional MFA factor to be enrolled during first-time login when MFA Global Policy is set to Always (as setting this to Never will not support the compliance requirements), it needs to be set to Always.
An Action trigger is set up to ensure users are not required to provide a 2nd MFA factor when logged in with Passkey (even though it is a phishing-resistant factor, unfortunately Auth0 does not recognize it as such).
In this scenario - will require Auth0 to call the MyAccountAPI during first time enrollment of user and flow would be
Admin creates user without password — verification email sent to user — user clicks on email and should be redirected to enroll in Passkey followed by 2nd MFA factor (since global policy is set to Always)
and subsequent login will be via passkey only
Would appreciate if you can confirm this flow is supported
Thanks
Mohan
Hi @mohan.mysore,
You are more than welcome!
You can successfully implement this type of Authentication Flow. I have also verified that you can maintain your Global MFA Policy as “Always” for compliance purposes while still offering a “Passkey-only” login for returning users by the use of customizing Actions.
- Initial Onboarding: When a new user (created without a password) first logs in via their verification email, the system detects they have no secondary factor. Your Action triggers the api.authentication.enrollWith({type: 'any'}) command (or factors of your choice), forcing the user to set up their secondary MFA factor immediately after their Passkey. Because the Global Policy is set to "Always," the "MFA requirement" is technically active for every session.
- Subsequent Login Friction Removal: On returning visits, the user authenticates with their Passkey. Your Action then intercepts the flow, identifies the "Passkey" authentication method, and executes api.multifactor.enable('none'). This tells Auth0 that the passkey authentication is sufficient, allowing the user to skip the secondary MFA prompt entirely.
I hope this helps!
Best regards,
Remus
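The two Action branches described in the reply above, written out as a post-login Action, as an added example that is not code from the thread or from Auth0. The decision logic is kept in a pure function so it can be exercised offline against constructed events; the `api` calls are the ones the reply names. Assumptions, also marked in the code: a passkey sign-in is reported as an authentication method named `passkey`, passkey credentials appear in `event.user.enrolledFactors` under the WebAuthn factor types and must not count as the independent second factor, and `otp` is used as the concrete second factor where the reply used `any`.

```javascript
// Added example (not the thread's or Auth0's code): post-login Action that
// enrolls a second factor on the first passkey login and suppresses the
// redundant MFA prompt on later passkey logins.

// Assumption: the compliance-required second factor. The reply used
// { type: 'any' }; a concrete factor type is used here.
const SECOND_FACTOR = { type: 'otp' };

// Assumption: passkey / WebAuthn credentials are reported under these factor
// types and do not satisfy the "independent second factor" requirement.
const PASSKEY_FACTOR_TYPES = new Set(['webauthn-platform', 'webauthn-roaming']);

// Decide what the Action should do for this login. Returns one of:
//   'enroll'  - passkey login with no independent second factor yet
//   'skip'    - passkey login with a second factor already on file
//   'default' - any other method: leave the global "Always" policy in charge
function decideMfa(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  // Assumption: a passkey sign-in is reported as a method named 'passkey'.
  const usedPasskey = methods.some((m) => m.name === 'passkey');
  if (!usedPasskey) return 'default';

  const factors = (event.user && event.user.enrolledFactors) || [];
  const hasSecondFactor = factors.some((f) => !PASSKEY_FACTOR_TYPES.has(f.type));
  return hasSecondFactor ? 'skip' : 'enroll';
}

// Translate a decision into the api calls the reply names.
function applyDecision(decision, api) {
  if (decision === 'enroll') {
    api.authentication.enrollWith(SECOND_FACTOR);
  } else if (decision === 'skip') {
    // As described in the reply: the passkey is treated as sufficient.
    api.multifactor.enable('none');
  }
  // 'default': no call, so the global policy challenges as usual.
}

// Action entry point as the Actions runtime would invoke it.
async function onExecutePostLogin(event, api) {
  applyDecision(decideMfa(event), api);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Recording stand-in for the Actions `api` object so the logic runs offline.
function recordingApi() {
  const calls = [];
  return {
    calls,
    authentication: { enrollWith: (factor) => calls.push(['enrollWith', factor.type]) },
    multifactor: { enable: (provider) => calls.push(['enable', provider]) },
  };
}

// Constructed sample events, one per branch.
const SAMPLE_EVENTS = {
  firstPasskeyLogin: {
    authentication: { methods: [{ name: 'passkey' }] },
    user: { enrolledFactors: [] },
  },
  returningPasskeyLogin: {
    authentication: { methods: [{ name: 'passkey' }] },
    user: { enrolledFactors: [{ type: 'otp' }] },
  },
  passwordLogin: {
    authentication: { methods: [{ name: 'pwd' }] },
    user: { enrolledFactors: [{ type: 'otp' }] },
  },
};

// Run one sample through the decision and return the api calls it produced.
function simulate(name) {
  const api = recordingApi();
  applyDecision(decideMfa(SAMPLE_EVENTS[name]), api);
  return api.calls;
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const name of Object.keys(SAMPLE_EVENTS)) {
    console.log(name, JSON.stringify(simulate(name)));
  }
}
```

The guard in `decideMfa` that returns `'default'` for non-passkey logins matters: a password or social login with no second factor still falls through to the global "Always" policy instead of being silently exempted, which is the failure mode to watch for when an Action starts calling `api.multifactor.enable('none')`.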
Hi Remus,
Thanks again for the updated clarification provided. To summarize
- Initial onboarding - first-time enrollment of new user flow to be tested is as follows - Admin creates new user without password (EA feature used) - user is sent verification email link from Auth0 -