Description
Describe the feature request
Hi Okta team,
It would be very useful if the Okta Sign-In Widget supported primary authentication with passkeys (WebAuthn) without requiring a username.
I noticed that the introspect request already returns a WebAuthn challenge, which made me think this feature might already exist. However, I couldn’t find any implementation in the widget’s code. My apologies if this is already developed and I simply missed it.
...
Please make sure this capability is available in the embedded widget, since that’s the main integration we use.
WebAuthn credential discovery can work in two modes:
- Autofill (credentials suggested directly by the browser/OS)
- Button (user explicitly clicks a “Sign in with passkey” button)
Adding this support would simplify the login experience and align the widget with modern passwordless flows.
I actually implemented this feature myself in a React + Node.js app, and it’s not hard to do. The key pieces are:
- Add the attribute `autocomplete="username webauthn"` to the username input.
- Run a script when the widget loads:

  ```js
  // Conditional (autofill) request for a discoverable credential
  navigator.credentials.get({
    // mediation is a top-level option, a sibling of publicKey
    mediation: "conditional",
    publicKey: {
      challenge: persistedChallenge, // placeholder name: persisted challenge from session, as an ArrayBuffer
      allowCredentials: [], // empty list: the browser offers any passkey it holds for this site
      userVerification: "preferred"
    }
  })
  ```

  (I am actually using the "@simplewebauthn/browser" lib)
- In the callback, call the API with the signed challenge.
- On the backend, find the user that owns the Credential ID and the credential itself, then verify the signed challenge. It's really easy with the "@simplewebauthn/server" lib.
Thanks!
New or Affected Resource(s)
It's a new feature
Provide a documentation link
No response
Additional Information?
No response
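The backend step described in the request (look up the user by credential ID, then verify the signed challenge), as an added example written with Node's built-in `crypto`; it is not code from the issue author, from the Okta widget, or from `@simplewebauthn/server`. The `store` shape, the function names, the `example.com` origin and RP ID, and the test authenticator are constructed for illustration, and the stored public key is assumed to be a P-256 key already converted to a Node `KeyObject`.

```javascript
const crypto = require("node:crypto");
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();
const fail = (reason) => ({ ok: false, reason });

// Verify a usernameless assertion. `store` (hypothetical) maps credential ID to
// { userId, publicKey, signCount }; `expected` is the server-side session, whose
// challenge the caller must discard after one attempt.
function verifyAssertion(resp, expected, store) {
  const cred = store.get(resp.id); // the credential ID, not a username, finds the user
  if (!cred) return fail("unknown credential");
  let clientData;
  try { clientData = JSON.parse(resp.clientDataJSON.toString("utf8")); } catch { return fail("malformed clientDataJSON"); }
  if (clientData.type !== "webauthn.get") return fail("wrong type");
  if (clientData.challenge !== expected.challenge) return fail("challenge mismatch");
  if (clientData.origin !== expected.origin) return fail("origin mismatch");
  const ad = resp.authenticatorData; // rpIdHash(32) | flags(1) | signCount(4)
  if (ad.length < 37 || !ad.subarray(0, 32).equals(sha256(expected.rpId))) return fail("rpId mismatch");
  if (!(ad[32] & 0x01)) return fail("user not present");
  if (resp.userHandle && resp.userHandle !== cred.userId) return fail("userHandle mismatch");
  const signed = Buffer.concat([ad, sha256(resp.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, cred.publicKey, resp.signature)) return fail("bad signature");
  const count = ad.readUInt32BE(33);
  if ((count || cred.signCount) && count <= cred.signCount) return fail("counter regression");
  cred.signCount = count;
  return { ok: true, userId: cred.userId };
}

// Constructed test authenticator: signs the way a passkey would (ES256, DER signature).
function signAssertion(privateKey, { id, userHandle, challenge, origin, rpId, count }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const tail = Buffer.alloc(5); // flags byte followed by the 32-bit signature counter
  tail[0] = 0x05; // user present | user verified
  tail.writeUInt32BE(count, 1);
  const authenticatorData = Buffer.concat([sha256(rpId), tail]);
  const signature = crypto.sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { id, userHandle, clientDataJSON, authenticatorData, signature };
}

function demo() { // all values below are constructed sample data
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const store = new Map([["cred-1", { userId: "user-42", publicKey, signCount: 0 }]]);
  const session = { challenge: crypto.randomBytes(32).toString("base64url"), origin: "https://login.example.com", rpId: "example.com" };
  const good = signAssertion(privateKey, { id: "cred-1", userHandle: "user-42", count: 1, ...session });
  const first = verifyAssertion(good, session, store);
  const replay = verifyAssertion(good, session, store); // same bytes presented again
  const phished = signAssertion(privateKey, { id: "cred-1", userHandle: "user-42", count: 2, ...session, origin: "https://login.example.net" });
  return { first, replay, wrongOrigin: verifyAssertion(phished, session, store) };
}
```

The user-verified flag is not enforced here because the request above asks for `userVerification: "preferred"`; a deployment that treats the passkey as the only factor would also check bit `0x04` of the flags byte.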