Keycloak - WebAuthn / Passwordless - Allow user to log in using fingerprint only on newer devices


I am using Keycloak as my IAM provider for a personal project (

I have 2 groups of users,

  1. Users who log in from devices with support for fingerprint scanning - Android mobiles, iPad, Mac, Windows 10+ users - They can log in via either password or fingerprint

  2. Users who log in from older devices - Windows 8 laptops, desktops etc. - They can log in only via password

What I want:
Registration flow -

  1. When users logging in from older devices register, only ask for username + password + user details. DO NOT ASK FOR FINGERPRINT

  2. For users logging in from newer devices, ask for both password and fingerprint.

I have set fingerprint as a ‘required action’.

When the user tries to register, even on a Windows 8 system (with no support for fingerprint scanning), the pop-up asking for registration comes up and registration is blocked since the user cannot provide a fingerprint.

Browser: Chrome

What else I tried: I set the step to get fingerprint as enabled (not required) - in this case the registration only asks for password.

How do I get Keycloak to

  1. detect if biometric/fingerprint scanning is supported on the system

  2. Display step to register user using fingerprint only if fingerprint scanning is supported.