Optional Face Registration For Existing Users

Hi! I am currently working on face authentication as a single-factor authentication method. I will take a live picture from the webcam, convert it into a base64 string, pass it to a third-party faceapi service, and perform relevant actions (like recognition and registration) with a custom authentication SPI.

Now, I want to add this into a running instance of Keycloak, where I have existing LDAP users. The browser flow is defined for login such that the user has two alternative options: username/password, or face recognition with a custom SPI that I created. Everything’s good with the login part. But the main problem arises with the registration, because I want to make it optional, meaning the user can opt for the face recognition.

Methods/approaches that I have thought of/tried/come across until now:

  1. I have created a Required action, which makes it mandatory for every user to register their face once after login/registration. But, we don’t want that.
  2. Came across the “custom attributes” topic in a YouTube video by @dasniko while studying, which may help in making the face registration optional by creating a checkbox on the registerusernamepassword form and then redirecting to the face registration form if he/she opts for the face recognition (not yet implemented), for only new users; but for the existing users it’s a mystery.

What is the best way to make the face registration optional for both the new users and existing users?