Olympus Docs
CookbookMFA & step-up

Add WebAuthn (passkey) support

Enroll a hardware security key or platform authenticator as a second factor

WebAuthn is the W3C/FIDO standard for cryptographic authenticators, hardware security keys (YubiKey, Titan), platform authenticators (Touch ID, Windows Hello), or roaming passkeys (synced via iCloud Keychain / Google Password Manager).

Olympus supports WebAuthn as a second factor and (with passkeys) as a primary credential.

Enable WebAuthn in Kratos

platform/prod/{ciam,iam}-kratos/kratos.yml:

selfservice:
  methods:
    webauthn:
      enabled: true
      config:
        passwordless: true   # allow WebAuthn as a primary credential (passkey)
        rp:
          display_name: "Your App"
          id: ciam.<your-domain>    # the eTLD+1 or subdomain you trust
          origins:
            - https://ciam.<your-domain>
        attestation: "none"           # don't require attestation; faster + privacy

Surface in the settings flow

Hera's settings page automatically detects WebAuthn is enabled and shows enrollment options. No code change needed.

The user:

  1. Logs in to settings.
  2. Clicks "Add security key" or "Add passkey."
  3. Browser prompts to insert YubiKey, use Touch ID, or save a passkey.
  4. Credential is created; saved to Kratos.

Use as MFA

Once enrolled, WebAuthn is offered as a second factor on subsequent logins. When the AAL2 step-up is required, Hera prompts the user to present their WebAuthn credential.

See Identity, TOTP and WebAuthn.

Use as passwordless (passkey)

With passwordless: true, users can sign in with just the passkey, no password required. On the login screen, Hera detects available passkeys (via navigator.credentials.get with mediation: 'conditional') and offers them.

This is the passkey UX: a user types their email, Hera offers their saved passkey for that email, browser prompts for biometric, login completes.

Things to verify

  • HTTPS only. WebAuthn requires a secure context. The localhost.olympus.app dev cert works locally.
  • rp.id matters. Should match the eTLD+1 or your specific subdomain. Passkeys are scoped to this RP ID.
  • Domain changes invalidate passkeys. If you move from ciam.example.com to auth.example.com, existing passkeys are gone.

Browser support

Modern: all major browsers support WebAuthn. Passkey UX has stabilized in Chrome 108+, Safari 16+, Firefox 113+.

Recovery

If a user loses their only authenticator and you've disabled password fallback, they're locked out. Mitigate:

  • Always offer password + WebAuthn, not WebAuthn-only.
  • Encourage multiple authenticators (one hardware key + platform).
  • Backup codes (lookup_secret credential) as a last resort.

Registration funnel optimization

Reduce dropoff between "interested" and "signed up"

Require MFA for admin accounts

Different policies for admins vs users

On this page

Enable WebAuthn in KratosSurface in the settings flowUse as MFAUse as passwordless (passkey)Things to verifyBrowser supportRecoveryRelated