"Try another way" missing from passwordless flow

I’m trying to set up a passwordless webauthn flow where:

  • User enters username
  • User uses a WebAuthN token OR
  • User enters a password and an OTP

I’ve followed the instructions on Server Administration Guide and configured the flow like this:

If I log in as a user without a passwordless webauthn token configured, the login flow goes username → password → OTP as expected, but if I log in as a user with a passwordless webauthn token configured, I don’t get a “Try another way” link at the security token prompt, so I can’t fall back to password+OTP.

What am I doing wrong?

I don’t think you are doing anything wrong, but this seems to be behavior by design. I have the feeling that “Password Form” is just not an alternative to the WebAuthn authenticator. I have the same issue and would like to use the same Authentication Flow you are showing.

I found a workaround in the meantime by switching the order of “Password Form” and “OTP Form” which is not really nice and desired but at least it works and gives you the link “Try Another Way”.

  1. It is (supposed to be) a supported configuration; it is explicitly mentioned in the docs: Server Administration Guide
  2. It seems like this is a bug that only affects users backed by LDAP: [KEYCLOAK-19398] Password Form not available as an alternative login method for LDAP users - Red Hat Issue Tracker

Yes, I found issue #19398 as well and created another one at [KEYCLOAK-19769] Biometrics or PWD/OTP - Red Hat Issue Tracker. Unfortunately nobody worked on it or replied anything so far.
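For reference, the flow described in the question (username, then WebAuthn passwordless OR password + OTP), written as an added example in the shape of a Keycloak realm export. This is not from the thread or from the Keycloak project; the flow aliases are made up, and the field names follow my recollection of the export format, so compare against an export of your own realm before importing.

```jsonc
{
  "authenticationFlows": [
    {
      // Top-level flow (hypothetical alias)
      "alias": "passwordless-or-password-otp",
      "description": "Username, then WebAuthn passwordless OR password + OTP",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        // Step 1: username only, always required
        { "authenticator": "auth-username-form", "requirement": "REQUIRED",
          "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false },
        // Step 2a: passwordless WebAuthn subflow (one of two alternatives)
        { "flowAlias": "passwordless-or-password-otp webauthn", "requirement": "ALTERNATIVE",
          "priority": 20, "userSetupAllowed": false, "autheticatorFlow": true },
        // Step 2b: password + OTP subflow (the fallback behind "Try another way")
        { "flowAlias": "passwordless-or-password-otp password-otp", "requirement": "ALTERNATIVE",
          "priority": 30, "userSetupAllowed": false, "autheticatorFlow": true }
      ]
    },
    {
      "alias": "passwordless-or-password-otp webauthn",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        { "authenticator": "webauthn-authenticator-passwordless", "requirement": "REQUIRED",
          "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }
      ]
    },
    {
      "alias": "passwordless-or-password-otp password-otp",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        // Both steps required inside the fallback subflow
        { "authenticator": "auth-password-form", "requirement": "REQUIRED",
          "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false },
        { "authenticator": "auth-otp-form", "requirement": "REQUIRED",
          "priority": 20, "userSetupAllowed": false, "autheticatorFlow": false }
      ]
    }
  ]
}
```

The workaround mentioned earlier in the thread corresponds to swapping the priorities of "auth-password-form" and "auth-otp-form" in the last subflow.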