force passkeys for login

I wanted to know if it is possible to create a flow where I can force users to use only passkeys in the login process.

I know that on the first login/registration you will have to enter username, password and bind passkeys but on subsequent logins we need to make it appear that you can only login with passkeys. Is this possible? If so, how could we implement it?

I have tried to do it with actions - flows but I don’t see any option for this.

Thanks all!

Hello,

Implementing a login flow that exclusively uses passkeys after the initial registration is indeed possible. The process typically involves configuring your authentication system to prioritize passkey authentication and to present it as the primary method for users to log in.

Here’s a high-level overview of how you might implement this:

Initial Setup: During the first login or registration, users would set up their passkeys in addition to the traditional username and password.

Authentication Configuration: Adjust the settings in your authentication system to make passkeys the default login method. This might involve modifying the login flow to present passkey authentication as the first option, or even the only option if you choose to hide other methods.

User Experience: Ensure that the user interface clearly guides users to use their passkeys. This could involve instructions or prompts during the login process.

Fallback Mechanisms: It’s important to have a fallback mechanism in case the passkey method fails or a user needs to recover their account. This could be a one-time password sent to a verified email or phone number.

Documentation and Support: Provide clear documentation for users on how to set up and use passkeys, and ensure that support is available for users who encounter issues.

For the technical implementation, you would need to consult the documentation of the authentication system you’re using. Many modern systems support passkey or passwordless authentication flows. For example, platforms like Auth0 offer extensive options for customizing authentication flows and could potentially support a passkey-only login process.

It’s also worth noting that the implementation details can vary depending on the specific technologies and frameworks you’re using. You may need to write custom code or scripts to handle the authentication logic and user interface elements that enforce the passkey-only login.

I hope this information helps you.


Thanks for your answer.

I can’t really replicate it. I understand that we should go to the Actions and Flows section to do this. In the user login screen, would only passkeys appear as an access option? Could it be edited from Branding to hide it on the login screen? (That doesn’t let us either.)

Hey @tomas.aguilar to enable passkeys in Auth0, you have to enable Identifier First as your authentication profile. When the user enters their email for sign up, they should be redirected to create a passkey as shown in this sign-up flow. The user can decide if they want to create a passkey or continue without one.

In the scenario where the user creates a passkey, I understand your use case is fulfilled. If they decide to use a password instead, you could force them to set another factor with MFA using biometrics or security keys.

For users that did decide to create and use a passkey you can create a custom action in the login flow so they can skip the MFA, such as:

exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists the methods used in this transaction
  // (e.g. { name: "pwd" } or { name: "passkey" }); guard against it being absent
  const methods = event.authentication?.methods ?? [];

  // Check if a passkey was used to authenticate
  const skipMFA = methods.some((method) => method.name === "passkey");

  // If a passkey was used, skip MFA for this login transaction
  if (skipMFA) {
    api.multifactor.enable("none");
  }
};

Let me know if this helps!
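The reply above describes a two-branch policy: passkey logins need no extra factor, password logins must present biometrics or a security key. The block below is an added example (not code from this thread or from Auth0) of a Post-Login Action that implements both branches with the documented `api.multifactor.enable`, `api.authentication.challengeWithAny` and `api.authentication.enrollWithAny` calls, using `event.user.enrolledFactors` to decide between challenge and enrollment. The `RecordingApi` class, the `decide` helper and the sample events are constructed here purely so the logic can be exercised offline; only `onExecutePostLogin` would be deployed in the Login flow.

```javascript
// Added example: Auth0 Post-Login Action that enforces "passkey, or password
// plus a WebAuthn second factor". Not from the thread; the RecordingApi below
// is a constructed stand-in for the real Actions `api` object.

const WEBAUTHN_FACTORS = [
  { type: "webauthn-platform" }, // device biometrics (Touch ID, Windows Hello, ...)
  { type: "webauthn-roaming" },  // roaming security keys (YubiKey, ...)
];

// Did this transaction authenticate with a passkey?
function usedPasskey(event) {
  const methods = event.authentication?.methods ?? [];
  return methods.some((m) => m.name === "passkey");
}

// Has the user already enrolled a WebAuthn factor? (assumes event.user.enrolledFactors)
function hasWebAuthnFactor(event) {
  const enrolled = event.user?.enrolledFactors ?? [];
  return enrolled.some(
    (f) => f.type === "webauthn-platform" || f.type === "webauthn-roaming"
  );
}

// The Action entry point. The body contains no awaits, so its side effects
// on `api` happen synchronously when it is called.
async function onExecutePostLogin(event, api) {
  if (usedPasskey(event)) {
    // A passkey already proves possession of the authenticator plus local
    // user verification; do not prompt for a second factor.
    api.multifactor.enable("none");
    return;
  }
  // Password (or any non-passkey) login: demand a phishing-resistant factor.
  if (hasWebAuthnFactor(event)) {
    api.authentication.challengeWithAny(WEBAUTHN_FACTORS);
  } else {
    api.authentication.enrollWithAny(WEBAUTHN_FACTORS);
  }
}

// Constructed stand-in for the Actions `api` object: records what was called.
class RecordingApi {
  constructor() {
    this.calls = [];
  }
  get multifactor() {
    return { enable: (provider) => this.calls.push(`multifactor.enable:${provider}`) };
  }
  get authentication() {
    const names = (factors) => factors.map((f) => f.type).join("+");
    return {
      challengeWithAny: (f) => this.calls.push(`challengeWithAny:${names(f)}`),
      enrollWithAny: (f) => this.calls.push(`enrollWithAny:${names(f)}`),
    };
  }
}

// Run the action against a constructed event and return the recorded calls.
function decide(event) {
  const api = new RecordingApi();
  onExecutePostLogin(event, api); // no awaits inside, so calls are recorded now
  return api.calls.join(";");
}

// Constructed sample events (shape follows the Post-Login event object).
const PASSKEY_LOGIN = {
  authentication: { methods: [{ name: "passkey", timestamp: "2024-01-01T00:00:00Z" }] },
  user: { enrolledFactors: [] },
};
const PASSWORD_LOGIN_ENROLLED = {
  authentication: { methods: [{ name: "pwd", timestamp: "2024-01-01T00:00:00Z" }] },
  user: { enrolledFactors: [{ type: "webauthn-roaming" }] },
};
const PASSWORD_LOGIN_NOT_ENROLLED = {
  authentication: { methods: [{ name: "pwd", timestamp: "2024-01-01T00:00:00Z" }] },
  user: { enrolledFactors: [{ type: "otp" }] },
};

// Export in the form the Actions runtime expects (guarded for ESM contexts).
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Note that an event with no `authentication.methods` at all falls into the password branch rather than the passkey branch, so a missing or malformed field fails closed (more MFA, not less).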

Thank you very much for the answers you are giving me. This is another alternative flow we have, using the database connection with passkeys.

What you say, yes I had seen it but what we want is that, after the user creates his username and password and enters the passkeys, in the rest of the login the user can only access with passkeys and does not have to enter any password. I don’t know if this is possible.

Hey @tomas.aguilar, disabling passwords on a Username-Password Database connection is not currently supported, so let’s see if the following approach helps:

When a user comes back to your application after creating a passkey and signing-up, they have two options: enter their email or click the continue with passkey option.

If they enter their email, and you have set your Passkey Challenge to “AutoFill” or “Both”, in your Passkey Policy, then the browser will show if the user has any passkeys for this particular website and this particular device and it’s going to suggest them to the user as shown:

In my case I created (yes, A LOT of) test passkeys on my Chrome profile, and the browser is suggesting them to me so I can select the one I want to use and continue with the login flow without entering a password.

If the Passkey Challenge is set to “Passkey Button” then the users won’t have this autofill option and they could enter their email and then their password or click the “Continue With Passkey” button.

Hopefully this can help!
