I want to set up Keycloak 14 to enable users to use either Username/Password auth or Username/WebAuthn (passwordless), e.g. using a fingerprint, or Username, Password and Authenticator/WebAuthn as 2FA. I followed the guides available at Server Administration Guide and #_webauthn and created the flows as described.

I changed the browser flow to use the Webauthn Browser Flow.

However, if I want to register a new security token in the account administration of the user, it starts but wants to use a USB hardware device instead of the available fingerprint reader (TPM is also present; at I can use passwordless fingerprint auth). What do I have to change so that I can use the fingerprint reader instead of the USB hardware device? I use MS Edge as the browser here.

OK, just in case someone comes here through Google: you have to enable at least the RS256 algorithm in the WebAuthn Policy to "enable" Windows Hello and therefore the usage of the fingerprint reader in Windows. For Apple it seems to be ES256. You can enable multiple algorithms by using the Ctrl key (Windows) as usual.
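To see what that policy change does on the wire, here is an added example in JavaScript (not from this thread and not Keycloak's code): it builds the creation options a relying party hands to `navigator.credentials.create()` from a policy-like object and simulates the authenticator's algorithm selection. The COSE identifiers are from the IANA COSE Algorithms registry; the `buildCreationOptions`/`negotiateAlgorithm` helpers, the RP id, user and the two authenticator profiles are constructed for illustration.

```javascript
// Added example: models what the WebAuthn policy's "Signature Algorithms"
// list becomes in the registration request and why an authenticator can
// refuse to register when its algorithm is not listed.
// COSE algorithm identifiers (IANA COSE Algorithms registry).
const COSE_ALG = {
  ES256: -7, ES384: -35, ES512: -36,
  RS256: -257, RS384: -258, RS512: -259,
  RS1: -65535,
};

// Hypothetical helper: turn a policy-like object into the
// PublicKeyCredentialCreationOptions passed to navigator.credentials.create().
function buildCreationOptions(policy) {
  return {
    rp: { id: policy.rpId, name: "example-realm" },                       // constructed
    user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" }, // constructed
    challenge: new Uint8Array(32), // constructed; must be server-random in a real ceremony
    // Order matters: the authenticator picks the first entry it supports.
    pubKeyCredParams: policy.signatureAlgorithms.map((name) => ({
      type: "public-key",
      alg: COSE_ALG[name],
    })),
    authenticatorSelection: {
      // "platform" = built-in (Windows Hello / Touch ID), "cross-platform" = roaming (USB key)
      authenticatorAttachment: policy.authenticatorAttachment,
    },
  };
}

// Simulates the authenticatorMakeCredential step: take the first algorithm in
// pubKeyCredParams that the authenticator supports; null means NotSupportedError
// and the registration dialog fails or falls back to another authenticator.
function negotiateAlgorithm(options, authenticatorAlgs) {
  for (const p of options.pubKeyCredParams) {
    if (authenticatorAlgs.includes(p.alg)) return p.alg;
  }
  return null;
}

// Constructed authenticator profiles consistent with the answer above:
// a TPM-backed Windows Hello offering only RS256, an Apple platform
// authenticator offering ES256.
const WINDOWS_HELLO_ALGS = [COSE_ALG.RS256];
const APPLE_PLATFORM_ALGS = [COSE_ALG.ES256];

const es256Only = buildCreationOptions({ rpId: "sso.example.test",
  signatureAlgorithms: ["ES256"], authenticatorAttachment: "platform" });
const withRs256 = buildCreationOptions({ rpId: "sso.example.test",
  signatureAlgorithms: ["ES256", "RS256"], authenticatorAttachment: "platform" });
```

In a browser, `navigator.credentials.create({ publicKey: withRs256 })` is the call the account console makes; with the `es256Only` options a Windows Hello authenticator has nothing to match and the browser offers other authenticator types instead.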


Just registered to say thank you!! Should be part of the documentation :see_no_evil:

