
Passkeys with Keycloak 26.4 or Newer

  • Andreas Grill
  • 24 Oct.
  • 3 min read

Introduction

At open200, we’re big fans of both Keycloak and passkeys. Keycloak is our go-to solution for identity and access management (IAM). We use it in applications we build, we host it for customers, and we also customize it when needed. Of course, we also rely on Keycloak internally as our own IAM to provide single sign-on (SSO) for our teams.

Since early 2024, we’ve been offering our employees the option to log in passwordlessly using passkeys. The goal was simple: move toward a more secure and user-friendly authentication experience.


As of October 2025, around 51% of open200 employees have set up passkeys. We’re happy about the steady adoption, but we think it can go even higher, especially with the improvements introduced in Keycloak 26.4.


Before diving into the new features, let’s take a quick look at our previous setup.


Image: a person in a green hooded cloak in front of a wooden door with a lock marked "SECRET MEETING"; someone asks "PASSWORD?".
Password or Passkey?

Our Previous Setup

As described in our previous blog post, we used a hybrid setup:


Users at open200 could log in either with password + two-factor authentication (2FA) or with passkeys. The flow started by entering the username, after which users could choose to authenticate using their passkey (if configured) or switch to a password-based login.


We kept both options available because some third-party mobile apps still don’t support passkeys, especially older ones that haven’t been updated yet.

This approach worked, but it came with two major drawbacks:


  1. Typing the username manually: Even when using passkeys, users still had to enter their username (unless their password manager autofilled it). This made the experience less convenient than a password manager that can autofill both username and password, sometimes even the OTP. Without autofill, passkeys ironically felt like more effort than traditional passwords.

  2. It wasn’t easy to prioritize login methods: There was no straightforward way to make passkeys the default option. You could reorder the authentication methods manually or via API, but if the wrong one was shown first, users had to click around to find the correct login path.


Both issues made our passwordless login a bit less smooth than it could be. With Keycloak 26.4, that’s finally changing.


Enter Keycloak 26.4

The recently released Keycloak 26.4 introduces official support for usernameless login with discoverable credentials (the WebAuthn conditional UI, where the browser offers the user's stored passkeys directly in the login form), in other words, full passkey support.

This change is a big deal. It allows us to keep our hybrid setup (passkeys + passwords with 2FA) while removing the annoying “enter username” step entirely.

Passkey support is now directly integrated into the standard Username Password Form: the browser offers stored passkeys as soon as the login page loads, while the username and password fields keep working as before for everyone who still logs in with a password.


And there’s more:

  • 2FA can be skipped for passkey logins, thanks to a new authentication flow condition.

  • Multiple passkeys per user are supported, and the browser lets you choose which one to use during login.

  • The whole process feels faster, cleaner, and more native, especially on modern devices with biometric authenticators.


A short demo video showing the login experience in action accompanies the original post.



How to Enable Passkeys in Keycloak

Enabling passkeys in Keycloak is surprisingly easy. It only takes a few clicks:


  1. Open the Admin Console and select your realm.

  2. Navigate to Authentication → Policies.

  3. Click on the WebAuthn Passwordless Policy tab.

  4. Enable the Passkeys toggle at the bottom.


That’s it! 🎉


Image: the Keycloak Authentication page showing the policy settings (signature algorithms and related options).
Image: the Passkeys option with its blue toggle switched on; the "Add Origin", "Save" and "Reload" buttons are visible.

There are additional advanced settings you can fine-tune (e.g., limiting allowed authenticators, adjusting user verification behavior, or setting timeout values), but for most use cases, the default configuration works perfectly.
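The four clicks above set realm-level policy fields that can also be set through the Admin REST API or kcadm.sh. The following Python is an added example, not code from this post or from Keycloak: it holds a constructed passwordless policy using the realm-representation field names, checks the two settings that usernameless, OTP-free passkey login depends on (discoverable credentials required, so the browser can offer a passkey without a username; and user verification required, so a passkey login that skips OTP is not possession-only), and renders the matching kcadm.sh arguments. The `webAuthnPolicyPasswordlessPasskeysEnabled` field name for the 26.4 toggle, the relying-party values and the realm name are assumptions.

```python
import json
import shlex

PREFIX = "webAuthnPolicyPasswordless"

# Constructed sample: the realm-representation fields behind the
# "WebAuthn Passwordless Policy" tab, set up for usernameless passkey login.
PASSKEY_POLICY = {
    PREFIX + "RpEntityName": "open200 SSO",        # hypothetical value
    PREFIX + "RpId": "sso.example.com",            # hypothetical value
    PREFIX + "SignatureAlgorithms": ["ES256", "RS256"],
    PREFIX + "RequireResidentKey": "Yes",
    PREFIX + "UserVerificationRequirement": "required",
    PREFIX + "AuthenticatorAttachment": "not specified",
    PREFIX + "AttestationConveyancePreference": "none",
    PREFIX + "CreateTimeout": 0,
    # The 26.4 toggle; this field name is an assumption modelled on the others.
    PREFIX + "PasskeysEnabled": True,
}

# Constructed sample: toggle on, but the policy cannot deliver what the post
# describes (no discoverable credential, user verification only "preferred").
WEAK_POLICY = {
    PREFIX + "PasskeysEnabled": True,
    PREFIX + "RequireResidentKey": "not specified",
    PREFIX + "UserVerificationRequirement": "preferred",
}


def passkey_policy_issues(realm: dict) -> list:
    """Return the reasons a realm's passwordless policy is not passkey-ready.

    Usernameless login needs discoverable (resident) credentials: the browser
    cannot offer a credential it does not know exists.  When the OTP step is
    skipped for passkey logins, user verification (PIN/biometric) is the
    second factor on top of possession, so Keycloak must require the UV flag
    in the assertion instead of merely preferring it.
    """
    issues = []
    if not realm.get(PREFIX + "PasskeysEnabled"):
        issues.append("passkeys toggle is off: no usernameless login")
    if realm.get(PREFIX + "RequireResidentKey") != "Yes":
        issues.append("discoverable credential not required: "
                      "usernameless login cannot work")
    if realm.get(PREFIX + "UserVerificationRequirement") != "required":
        issues.append("user verification not required: a passkey login that "
                      "skips OTP would rely on possession alone")
    return issues


def kcadm_update_args(policy: dict) -> list:
    """Turn the policy into '-s key=value' arguments for
    'kcadm.sh update realms/<realm>'; list values are JSON-encoded."""
    args = []
    for key, value in policy.items():
        if isinstance(value, (list, dict)):
            value = json.dumps(value, separators=(",", ":"))
        elif isinstance(value, bool):
            value = "true" if value else "false"
        args += ["-s", f"{key}={value}"]
    return args


def kcadm_command(realm_name: str, policy: dict) -> str:
    """Shell-quoted kcadm.sh invocation; 'realm_name' is whatever you use."""
    return shlex.join(["kcadm.sh", "update", f"realms/{realm_name}"]
                      + kcadm_update_args(policy))


if __name__ == "__main__":
    print("issues with PASSKEY_POLICY:", passkey_policy_issues(PASSKEY_POLICY))
    print("issues with WEAK_POLICY:", passkey_policy_issues(WEAK_POLICY))
    print(kcadm_command("myrealm", PASSKEY_POLICY))   # "myrealm" is hypothetical
```

Run the checker against `kcadm.sh get realms/<realm>` output after enabling the toggle; the printed command is the scripted equivalent of the clicks, with the two safety settings made explicit rather than left to defaults.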


2FA Still Required?

If you’ve upgraded an existing realm to Keycloak 26.4, or you’re using a custom browser flow, you might notice that 2FA isn’t automatically skipped for passkey logins: the existing flow definition is not rewritten for you.


If that happens, here’s how to fix it:


  1. Open your Browser Flow and locate the 2FA Conditional subflow where you have the OTP Form step.

  2. Add a new condition of type Condition – Credential. You should now have two conditions in the subflow: the existing Condition – user configured and the new one.

  3. Open its settings and give it a descriptive alias (e.g., browser-conditional-credential).

  4. In the Credentials field, enter webauthn-passwordless.

  5. Set Included to off.

  6. Leave the other fields empty and save.

  7. Finally, mark the condition as required.


With this in place, the OTP Form will be skipped whenever the user logs in with a passkey (webauthn-passwordless), making the experience fully passwordless.


Image: the flow editor with the conditional subflow ("Browser Passkeys RBAC") and its condition and "OTP Form" steps.
Image: the condition's configuration dialog with text fields for alias and authenticator; the credentials dropdown set to WebAuthn; Save and Cancel buttons.
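To see what the Included switch does, here is an added Python model of the subflow described above; it is not code from this post or from Keycloak. It encodes the two conditions and the OTP Form, evaluates which login paths still reach the OTP Form, and shows the failure mode of setting Included the wrong way round: passkey users would get an OTP prompt while password users would skip 2FA entirely. The provider ids `conditional-credential` and `conditional-user-configured`, the config keys `credentials` and `included`, the REST path in `condition_config_body`, and the simplified semantics of Condition – user configured are assumptions; the credential type names `password`, `otp` and `webauthn-passwordless` are Keycloak's.

```python
import copy

# Constructed model of the conditional 2FA subflow after the fix.
CONDITIONAL_2FA_SUBFLOW = [
    {"provider": "conditional-user-configured", "requirement": "REQUIRED"},
    {"provider": "conditional-credential", "requirement": "REQUIRED",
     "config": {"credentials": "webauthn-passwordless", "included": "false"}},
    {"provider": "auth-otp-form", "requirement": "REQUIRED"},
]

# Credential type each (non-condition) authenticator needs the user to have.
AUTHENTICATOR_CREDENTIAL = {"auth-otp-form": "otp"}


def credential_condition_passes(config: dict, used_credential_types) -> bool:
    """Condition - Credential.  Included=true: passes when one of the listed
    credential types was used earlier in the flow.  Included=false (the
    setting from the post): passes when none of them was used."""
    listed = {c.strip() for c in config.get("credentials", "").split(",") if c.strip()}
    matched = bool(listed & set(used_credential_types))
    included = config.get("included", "false").lower() == "true"
    return matched if included else not matched


def user_configured_condition_passes(subflow, user_credential_types) -> bool:
    """Condition - user configured, simplified: passes when the user has a
    credential for at least one authenticator in the subflow."""
    needed = {AUTHENTICATOR_CREDENTIAL[s["provider"]]
              for s in subflow if s["provider"] in AUTHENTICATOR_CREDENTIAL}
    return bool(needed & set(user_credential_types))


def otp_form_runs(subflow, user_credential_types, used_credential_types) -> bool:
    """A conditional subflow runs its authenticators only if every condition
    in it passes; returns True when the user reaches the OTP Form."""
    for step in subflow:
        if step["provider"] == "conditional-user-configured":
            if not user_configured_condition_passes(subflow, user_credential_types):
                return False
        elif step["provider"] == "conditional-credential":
            if not credential_condition_passes(step["config"], used_credential_types):
                return False
    return any(s["provider"] == "auth-otp-form" for s in subflow)


def with_included(subflow, included: bool):
    """Copy of the subflow with the Included switch set the other way."""
    flipped = copy.deepcopy(subflow)
    for step in flipped:
        if step["provider"] == "conditional-credential":
            step["config"]["included"] = "true" if included else "false"
    return flipped


def condition_config_body(alias: str, credential_types, included: bool = False) -> dict:
    """Authenticator config representation as it would be POSTed to
    /admin/realms/{realm}/authentication/executions/{executionId}/config."""
    return {"alias": alias,
            "config": {"credentials": ",".join(credential_types),
                       "included": "true" if included else "false"}}


if __name__ == "__main__":
    otp_user = ["password", "otp", "webauthn-passwordless"]
    print("password login  -> OTP form:",
          otp_form_runs(CONDITIONAL_2FA_SUBFLOW, otp_user, ["password"]))
    print("passkey login   -> OTP form:",
          otp_form_runs(CONDITIONAL_2FA_SUBFLOW, otp_user, ["webauthn-passwordless"]))
    wrong = with_included(CONDITIONAL_2FA_SUBFLOW, True)
    print("Included=on, password login -> OTP form:",
          otp_form_runs(wrong, otp_user, ["password"]))   # 2FA bypass
    print(condition_config_body("browser-conditional-credential", ["webauthn-passwordless"]))
```

The last scenario is the one to test after changing the flow: log in with a password on an OTP-enrolled account and confirm the OTP prompt still appears, since an inverted condition silently downgrades every password login to single factor.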


Conclusion

We’re genuinely happy with the new passkey support in Keycloak 26.4.


It significantly improves the user experience – on supported devices, authentication can now be as easy as touching a fingerprint sensor.

At the same time, fallback to passwords is smoother too, since you no longer need a separate username form.


We’ve successfully tested the new flow with:

  • Platform authenticators on macOS, iOS, and Android

  • Browser-integrated authenticators like Chrome and Safari

  • Password managers such as 1Password and Bitwarden

  • Security keys like YubiKey


With these improvements, we’re confident that even the last remaining password fans at open200 will soon make the switch to passkeys as their daily driver.
