Hi @naresh.seth,
I gathered some more information internally about this. Please see below:
Expected Behavior
Passkeys are not intended to complement Identifier First + Biometrics but are designed to replace it. Passkeys offer an enhanced experience because they are multi-device credentials, meaning they sync across devices, unlike WebAuthn-platform biometrics used in Identifier First + Biometrics.
Scenario Breakdown
- Scenario One (Blocked Passkey Enablement)
  When enabling Identifier First + Biometrics, the system correctly prevents enabling Passkeys. This is because the two configurations are not meant to be used together. The blocking behavior is expected and intentional.
- Scenario Two (Circumvention)
  By first enabling Passkeys under Identifier First and later switching to Identifier First + Biometrics, the configuration seems to retain both. This inconsistency appears unintentional and may be due to a gap in validation logic. I recommend avoiding this workflow, as it is not aligned with the recommended authentication flow.
Recommendation without using Partials
The ideal configuration is Identifier First + Passkeys. It provides the same biometric authentication experience (via Passkeys) with the added advantage of multi-device support. This setup delivers a more robust and user-friendly login experience compared to Identifier First + Biometrics.
Recommendation with using Partials
You can safely use Identifier First + Biometrics with a database without using Passkeys to then use Partials.
Please let me know if you have any additional questions!
Thanks,
Mary Beth