Username-less (ID-less) WebAuthn UX authentication #9821

mabartos · 2022-01-27T09:45:58Z

mabartos
Jan 27, 2022
Collaborator

I'd like to discuss some options, how to improve usability of planned Username-less authentication regarding the UI. @vanrar68 created PR(#7860) for support it; thanks for that, I really like the idea and it'd be great to have it included in Keycloak. I quickly try the solution for that and it seems everything works as expected. However, I've encountered situation, where I think the UI can be better.

I created an authentication flow with Username Password Form and WebAuthn Passwordless Authenticator set up as ALTERNATIVE (for UsernamePwdForm I needed to include it to another flow, because it doesn't support ALTERNATIVE requirement). It means the Username Password Form is displayed to the user and it's possible to be authenticated only by the authenticator, which supports Discoverable credential. The thing is, it'd be great to improve UX within authenticator selection.

Implemented solution in the PR(#7860):

As you can see, when there are some Identity providers defined, the section with the title Or sign in with is present and below the list of IdPs, there is another possibility(Try another way), how to sign in. It doesn't seem to me straightforward and IMHO the Username-less authentication should be on the same level like the Identity providers. And after clicking the Try another way, you're redirected to another page (which seems to me kinda unnecessary).

Proposed solution:

As you can see, there's another item in the list with title Security Key without Username. I think, it'd be a better solution for that.
When there are defined more Identity providers and those items are restructured, the option for the Username-less could be the same like before. Or just edit the title to Security Key and keep the width same like for the IdPs?

@mposolda @vanrar68 @tnorimat WDYT?

EDIT: After discussion below, I agree to keep the design the same as in @vanrar68 approach except for the 'Try another way' link, which should be above the list of Identity Providers.

vanrar68 · 2022-01-27T14:06:35Z

vanrar68
Jan 27, 2022

I'm so used to seeing identity providers shown as buttons that it's a bit strange to me to have "Security Key" look like one of them. In my mind things were organized like this:

"Sign in with": other identity providers (remote)
"Try Another Way": another auth method (local)

What would it look like with the following scenario:
ALT: UsernamePassword Form
ALT: UsernameForm + WebAuthnPasswordless
ALT: WebAuthnIDLess

We would end up with a login screen featuring:

A UsernamePassword Form (local)
A "Try another way" link allowing to switch to "UsernameForm" (local)
A "Security Key" button (local) in the "Or Sign in with" area along with the identity providers (remote)

Anyway I agree the location of the "Try another way" link doesn't feel right when Identity Providers are configured.

Side note: Aren't you afraid such an implementation could break custom login forms (I guess it depends on the data model behind this implementation) ?
Side note 2: I'm definitely not a UI person, so I'll be OK with whatever decision is made on this topic

1 reply

mabartos Jan 27, 2022
Collaborator Author

@vanrar68 Thanks for your comment! I think you're right. It'd be kinda counterproductive regarding the usability and UX with another item Security Key among the IdPs with possibility to switch to a different authentication flow. Probably, it'd be sufficient only move the Try another way link above the list of IdPs.

jbman · 2022-02-01T17:21:32Z

jbman
Feb 1, 2022

A Webauthn Security Key is a replacement for username/password login. So I would also expect this option to be displayed right after the username password section.

Maybe the section could have a header text like this:

Sign in to your account

<Username or email input>
<Password input>
[Login]
---
Passwordless
[Sign in with Security Key]
---
Or sign in with
[IdP 1]
[IdP 1]

It's much better to have it available on the top level screen, because at our Keycloak installations it is usually decided at realm level which methods or IdPs should be available to the user. Each of the sections could be available or not based on the realm settings

6 replies

mabartos Feb 8, 2022
Collaborator Author

Thanks for your comments. At this moment, it'd be good to keep the approach as @vanrar68 proposed except the Try another way link, which should be above the list of Identity Providers.

vanrar68 Feb 21, 2022

@mabartos how do you want to proceed ? should I update PR #7860 to include the new "Try another way" location or do you want to push your own UI PR ?

mabartos Feb 21, 2022
Collaborator Author

@vanrar68 Feel free to do it. I can review it then.

vanrar68 Feb 23, 2022

Sorry @mabartos unfortunately I won't be able to push the UI update any time soon. I've rebased
@mposolda any objection to have the UI stuff in a dedicated PR ?

EDIT: I've rebased the PR against latest main branch. It includes an attempt at moving the "Try another way" link but have no idea if this is the right way to do. Let me know and I'll revert it if needed

mabartos Feb 24, 2022
Collaborator Author

Thanks, @vanrar68! I'll take a look at it soon.

Username-less (ID-less) WebAuthn UX authentication #9821

Uh oh!

Uh oh!

mabartos Jan 27, 2022 Collaborator

Replies: 2 comments · 7 replies

Uh oh!

vanrar68 Jan 27, 2022

Uh oh!

mabartos Jan 27, 2022 Collaborator Author

Uh oh!

Uh oh!

jbman Feb 1, 2022

Uh oh!

mabartos Feb 8, 2022 Collaborator Author

Uh oh!

vanrar68 Feb 21, 2022

Uh oh!

mabartos Feb 21, 2022 Collaborator Author

Uh oh!

Uh oh!

vanrar68 Feb 23, 2022

Uh oh!

mabartos Feb 24, 2022 Collaborator Author

mabartos
Jan 27, 2022
Collaborator

Replies: 2 comments 7 replies

vanrar68
Jan 27, 2022

mabartos Jan 27, 2022
Collaborator Author

jbman
Feb 1, 2022

mabartos Feb 8, 2022
Collaborator Author

mabartos Feb 21, 2022
Collaborator Author

mabartos Feb 24, 2022
Collaborator Author