Show HN: OSS Auth0 Alternative Ory Kratos Now with Full PassKey Support (opens in new tab)

And for who is it improved? I just find it annoying to no end because it's an unnecessary extra click and often enough and extra round trip that for some reason takes forever

I've found that having the "username" visible along with a hidden "password" field, then keeping that after confirming the user is a password based user on the password entry screen is generally helpful for use with a password manager.

    [Username] Visible
    [Password] Hidden
    [Next] Button Clicked
    |
    V
    Server checks username and user type (password case)
    |
    V
    [Username] Read Only
    [Password] Visible, with any previously submitted value
    [Login]
    

Similarly for account registration, with a hidden username field and a visible password field if separating the password and account initial entry.

Just my own experience with a lot of experiments on implementing an authentication system and supporting a password manager for self-serving purposes.

Hi, thanks for the feedback. I've been building this at Ory.

> It is usually worse for users using a password manager, since some of them will not be able to detect/autofill the password field on the second page. But I haven't checked, maybe Kratos UI is supported by all major password managers and this is not an issue here.

The two-step flow is currently only implemented for registration, so autofill should not be a concern. However, we surely want to inform the password manager to store the correct password after registration.

Do you think https://developer.mozilla.org/en-US/docs/Web/API/Credentials... is the correct way to inform a password manager?

> Since the parameter is called "enable_legacy_flow", does it mean it will be removed in future releases?

In general we perceive the two-step registration as an UX improvement when you have multiple credential strategies, which previously would generate a long registration form with repeated fields. However, we have no plan to remove the config value in the forseeable future.

One-step registration is the legacy flow. AFAICT there are no plans to remove it but Two-step is the default going forward.

The out-of-the-box UI is support by all major pw managers, but you do need to click twice (once for username/once for password)

i think services with lots of auth options (like google) are gravitating towards identifier first authentication because it is the middle ground between meeting sec requirements and keeping UX frictionless. also, in the case of kratos you were able to enable a bazillion methods by default, which would create one node for each method which in turn would make your UI look very confusing as kratos would require you to render one button for each method

Depends when you last looked at it, but are new version of Ory Elements (https://github.com/ory/elements) is in the works, which will make customising the UI smoother.

Because they can, like the SSO tax.

It’s phishing resistant; thus making it more secure than all other current popular MFA methods.