Is it feasible to disable password for Auth0 database connection and only enable passkey login?
We have enabled the new EA feature flag - Support users without a password - but are unable to disable password for connection.
Summary of bus req is as follows:
1. User created in Auth0 database by Admin without password
2. User to be able to receive “validation email” link and then on clicking the link should be directed to enroll in Passkey (note: no initial password reqd to be set up by user, and no other MFA factors to be enrolled by user)
- Enable MFA Global Policy is reqd to be set to Always option
- On subsequent login user should be able to go to login screen, enter email address and log in with passkey only
Thanks in advance
Hi @mohan.mysore,
Welcome to the Auth0 Community!
You should be able to achieve this by using the new Early Access feature Native Passkeys API.
Given that this feature is still in limited Early Access, our Configure Passkey Policy still mentions that:
“Currently, if you enable passkeys for a connection, you must also configure passwords as a backup authentication method. This ensures users can continue to access their accounts from browsers and older devices that may not yet support passkeys.”
This will explain why the Password connection cannot currently be disabled using the Auth0 Dashboard directly. However, you can just customize the Email Templates to ensure a user cannot “recover” their account via a password reset (which would recreate a password), so you should disable the “Change Password” template or redirect it to a page that explains the account is Passkey-only, or check out this article - How to Remove the “Forgot Password” Link from the New Universal Login Page.
Thank you and if you have further questions please let me know!
Best regards,
Remus
Hi Remus, thanks for the response provided, and any additional input is appreciated to clarify on whether
- Auth0 supports Passkey Only login for a Database connection when MFA Global Policy is set to “Always” (and the new EA feature flag is enabled for “allow users to be created without password”)
Note: we understand that this setting will require an additional MFA factor to be registered, as Passkey by itself does not satisfy the req for MFA global policy set to “Always”, and we have set up action triggers for this constraint to suppress the 2nd MFA prompt when logging in via Passkey.
- Hence we require confirmation if the below user onboarding flow is supported for a Passkey only login or not
New user created by Admin (either via admin dashboard or API) without any password for new user account
Auth0 to send verification email to new user account – user to validate email link — to be redirected to login page and enter email address — enroll in Passkey and 2nd MFA factor (to satisfy MFA Policy requirement) and complete first time enrollment
Subsequent login - user will log in with passkey only
- Is it possible to modify the Univ login page to only show option to log in with Passkey button only (or any links on how to set this up with ACUL)?
We will check out the Native Passkey API link you have shared