Hi all, question on Kratos around user identity-less challenge (options) call. We are working on implementing Kratos and see that other implementations offer username or user identity less options calls. For example, webauthn.io does this:

curl '<https://webauthn.io/authentication/options>' \
  --data-raw '{"username":"","user_verification":"preferred"}'

Which returns:

{
  "challenge": "DaqInMw-vAuBRvC24pYNi0U_5GwRuMhye0RefHxnc9Jpqntk9asEIb5Gzr1KnJ8Iag_uIQBzHyzD7HL9G4zy3g",
  "timeout": 60000,
  "rpId": "webauthn.io",
  "allowCredentials": [],
  "userVerification": "preferred"
}

The problem we are having using passwordless passkey is that Kratos requires a username or other user identity. I thought to open a github issue on this because the team hasn't been able to find a configuration workaround on this yet but wanted to check here first. Is this configurable/supported? The reason why is to avoid caching username in the cookies or other places so that we can have similar experience to target, bestbuy.com, and webauthn.io where you don't have to submit the username. @bulky-guitar-23324 @red-manchester-35460 for awareness Apologies for the edits, wanted to get a pretty complete post together.

A PR for much improved passkey support is almost ready to merge 👍

Thanks @refined-kangaroo-48640. I saw that PR but it wasn't clear to me based on the PR and the PRs that preceded it if this use case was covered. Do you know if it is?

The user experience will be equivalent to whats demoed on webauthn.io. So on registration, you'd only enter a username/email and click sign up. You'll be prompted to create a passkey. On sign-in, you will not have to provide a username/identifier at all.

Great, thanks