WebAuthn (Web Authentication) is a modern standard that lets users authenticate securely with biometric devices, security keys, or built-in platform authenticators, completely without passwords. Because the credential is bound to the site's origin, phishing attacks become much harder, and the login experience for users improves.

In this guide, I’ll show you how to configure Keycloak with WebAuthn for passwordless authentication in a test realm.

⚠️ Note: Make sure your device supports WebAuthn/FIDO2 (e.g., a YubiKey, TouchID, iPhone, or Windows Hello).

I strongly recommend setting this up in a test realm instead of directly in a production environment.

Adjust the Authentication Flow

First, we’ll modify the browser authentication flow to support passwordless login.

  • In the Keycloak Admin Console, navigate to: Realm → Authentication → browser
  • Click Duplicate to create a copy of the default flow.

(Screenshot: Duplicate the browser flow)

Edit the newly created flow (for example, name it Passwordless Flow; you can choose any name you like):

  1. Delete the step Passwordless Flow forms.
  2. Click Add sub-flow, give it a name, and set the Flow type to Generic.

(Screenshot: Add a sub-flow)

  3. Set this new sub-flow to Required.
  4. Click the + icon in the WebAuthn row and select Add execution.
  5. From the list, choose Username Form.

(Screenshot: Add an execution)

  6. Ensure the new sub-flow itself is marked as Required.
  7. Click the + icon again in the WebAuthn row and select Add execution.
  8. This time, choose WebAuthn Passwordless Authenticator.

(Screenshot: Add an execution)

📌 Tip: Make sure that the Username Form step comes before the WebAuthn Passwordless Authenticator step.

(Screenshot: Order of executions)

Finally, bind your new flow to the Browser Flow:

(Screenshot: Bind the new flow to the browser flow)
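After clicking through the steps above it is easy to end up with a step left DISABLED, the two steps in the wrong order, or the old password form still active. The following check is an added example, not code from Keycloak or from this guide: it takes the list that the Admin REST endpoint `GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions` returns (assumed here to be in display order, with the `level`, `index`, `requirement`, `providerId` and `authenticationFlow` fields of each entry) and reports anything that does not match the flow built above. The sample list at the bottom is constructed, not captured from a server.

```python
# Input: the list returned by GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions
# (AuthenticationExecutionInfoRepresentation objects, assumed to be in display order).
USERNAME_FORM = "auth-username-form"                           # "Username Form"
WEBAUTHN_PASSWORDLESS = "webauthn-authenticator-passwordless"  # "WebAuthn Passwordless Authenticator"
PASSWORD_STEPS = {"auth-username-password-form", "auth-password-form"}
ACTIVE = {"REQUIRED", "ALTERNATIVE", "CONDITIONAL"}            # anything but DISABLED


def parent_flow(executions, pos):
    """Return the sub-flow entry that directly contains executions[pos], or None."""
    level = executions[pos].get("level", 0)
    for entry in reversed(executions[:pos]):
        if entry.get("authenticationFlow") and entry.get("level", 0) == level - 1:
            return entry
    return None


def check_passwordless_flow(executions):
    """Return a list of problems; an empty list means the flow matches the guide."""
    problems = []
    pos_of = {e.get("providerId"): i for i, e in enumerate(executions)}
    user_pos = pos_of.get(USERNAME_FORM)
    wa_pos = pos_of.get(WEBAUTHN_PASSWORDLESS)
    if user_pos is None:
        problems.append("Username Form step is missing")
    if wa_pos is None:
        problems.append("WebAuthn Passwordless Authenticator step is missing")
    elif user_pos is not None and user_pos > wa_pos:
        problems.append("Username Form must come before WebAuthn Passwordless Authenticator")
    for pos, name in ((user_pos, "Username Form"), (wa_pos, "WebAuthn Passwordless Authenticator")):
        if pos is None:
            continue
        if executions[pos].get("requirement") != "REQUIRED":
            problems.append(f"{name} is not REQUIRED")  # a DISABLED step is simply skipped
        parent = parent_flow(executions, pos)
        if parent is None or parent.get("requirement") != "REQUIRED":
            problems.append(f"{name} is not inside a REQUIRED sub-flow")
    # A leftover password step would give users a non-WebAuthn way to log in.
    for e in executions:
        if e.get("providerId") in PASSWORD_STEPS and e.get("requirement") in ACTIVE:
            problems.append(f"password step {e['providerId']} is still active ({e['requirement']})")
    return problems


# Constructed sample in the shape Keycloak returns; not captured from a real server.
SAMPLE_FLOW = [
    {"displayName": "WebAuthn", "requirement": "REQUIRED", "level": 0, "index": 0, "authenticationFlow": True},
    {"providerId": USERNAME_FORM, "requirement": "REQUIRED", "level": 1, "index": 0, "authenticationFlow": False},
    {"providerId": WEBAUTHN_PASSWORDLESS, "requirement": "REQUIRED", "level": 1, "index": 1, "authenticationFlow": False},
]
```

`check_passwordless_flow(SAMPLE_FLOW)` returns an empty list; feed it the JSON fetched from your own realm's flow to confirm the configuration before binding it.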

Advanced Authentication Configuration

Next, enable the required actions and allow user registration:

  • Navigate to: Authentication → Required Actions
  • Set both Enabled and Set as default action for WebAuthn Register to ON.

(Screenshot: Define required actions)

  • Go to: Realm settings → Login
  • Set User registration to ON.

(Screenshot: Enable user registration)

Create a Client

Now let’s create a client application. In this example, we’ll use the Keycloak demo app, but you can also configure your own client.

Client settings:

(Screenshot: OIDC client settings)
(Screenshot: More OIDC client settings)

Test Your Setup

Time to test the configuration:

  1. Open https://www.keycloak.org/app.
  2. Enter your settings (replace placeholders with your own):
    • Keycloak URL: Your Keycloak address (e.g., http://localhost:8080)
    • Realm: Your realm name
    • Client: Your client name

(Screenshot: Keycloak app settings)

  3. Save the configuration.
  4. Click Sign in.
  5. On the Keycloak login screen:
    • Register a new user
    • Register a Passkey
    • Select a supported device (e.g., YubiKey, TouchID)
    • Give the device a label

(Screenshot: Passkey registration)

✨ You’re all set! You should now be able to sign in without a password.

(Screenshot: Signed in with WebAuthn)