Show HN: OSS Auth0 Alternative Ory Kratos Now with Full PassKey Support

github.com

41 points by V0rtexV0xter 2 years ago · 19 comments

pzmarzly 2 years ago

> Two-step registration is a significantly improved sign up flow

It is usually worse for users using a password manager, since some of them will not be able to detect/autofill the password field on the second page. But I haven't checked, maybe Kratos UI is supported by all major password managers and this is not an issue here.

Since the parameter is called "enable_legacy_flow", does it mean it will be removed in future releases?

  • leononame 2 years ago

    And for whom is it improved? I just find it annoying to no end because it's an unnecessary extra click and often enough an extra round trip that for some reason takes forever.

  • tracker1 2 years ago

    I've found that having the "username" visible along with a hidden "password" field, then keeping that after confirming the user is a password based user on the password entry screen is generally helpful for use with a password manager.

        [Username] Visible
        [Password] Hidden
        [Next] Button Clicked
        |
        V
        Server checks username and user type (password case)
        |
        V
        [Username] Read Only
        [Password] Visible, with any previously submitted value
        [Login]
        
    Similarly for account registration, with a hidden username field and a visible password field if separating the password and account initial entry.

    Just my own experience with a lot of experiments on implementing an authentication system and supporting a password manager for self-serving purposes.
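
An added example of the identifier-first flow tracker1 sketches above (this is illustrative code, not from the post and not Ory's). Step one shows the identifier and keeps the password input in the page but hidden, so a password manager can fill both fields in one go; once the server reports that the account is password-based, the identifier becomes read-only and the password field is revealed with whatever value was already filled in. The `/login/identify` endpoint, its JSON answer `{ method: "password" | "passkey" }`, the form markup (`form#login` with inputs named `identifier` and `password`, each wrapped in a `.field` element) and the `startPasskeyLogin` hook are all assumptions made for this example.

```javascript
// Added example (not from the post, not Ory's code): identifier-first login with the
// password input present-but-hidden during step one.
// Assumed markup: <form id="login"> with <input name="identifier" autocomplete="username">
// and <input name="password" autocomplete="current-password">, each inside a div.field.

const STEP_ONE = Object.freeze({
  step: "identify",            // "identify" | "password" | "passkey"
  identifierReadOnly: false,
  passwordVisible: false,      // input stays in the DOM, only its wrapper is hidden
  submitLabel: "Next",
});

// Pure transition from the server's classification of the identifier to the next view.
// Kept free of DOM access so it can be unit-tested.
function nextLoginView(current, serverResponse) {
  const method = serverResponse && serverResponse.method;
  if (method === "passkey") {
    return { ...current, step: "passkey", identifierReadOnly: true, passwordVisible: false, submitLabel: "Use passkey" };
  }
  // "password" and anything unexpected (including an account that does not exist) get the
  // same password step, so step one does not act as an account-enumeration oracle.
  return { ...current, step: "password", identifierReadOnly: true, passwordVisible: true, submitLabel: "Log in" };
}

// Apply a view to the form. The password input is hidden by toggling its wrapper, never
// by removing it: an input that is recreated loses the value the manager filled earlier.
function applyView(form, view) {
  form.elements.identifier.readOnly = view.identifierReadOnly;
  form.elements.password.closest(".field").hidden = !view.passwordVisible;
  form.querySelector("button[type=submit]").textContent = view.submitLabel;
}

async function handleSubmit(event, form, state) {
  event.preventDefault();
  const identifier = form.elements.identifier.value;
  if (state.view.step === "identify") {
    // Step one: ask the server how this identifier authenticates.
    const res = await fetch("/login/identify", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ identifier }),
    });
    state.view = nextLoginView(state.view, await res.json());
    applyView(form, state.view);
    return;
  }
  if (state.view.step === "passkey") {
    // Assumed hook: the page's WebAuthn ceremony, not shown in this example.
    return startPasskeyLogin(identifier);
  }
  // Step two: a normal form post carrying identifier and the (possibly autofilled) password.
  form.submit();
}

// Wire it up only in a browser; the pure parts above run anywhere.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#login");
  const state = { view: STEP_ONE };
  applyView(form, state.view);
  form.addEventListener("submit", (e) => handleSubmit(e, form, state));
}
```

The choice to treat unknown identifiers exactly like password accounts is deliberate: identifier-first flows otherwise tell an attacker which addresses have accounts before any credential is checked.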

  • hperl 2 years ago

    Hi, thanks for the feedback. I've been building this at Ory.

    > It is usually worse for users using a password manager, since some of them will not be able to detect/autofill the password field on the second page. But I haven't checked, maybe Kratos UI is supported by all major password managers and this is not an issue here.

    The two-step flow is currently only implemented for registration, so autofill should not be a concern. However, we surely want to inform the password manager to store the correct password after registration.

    Do you think https://developer.mozilla.org/en-US/docs/Web/API/Credentials... is the correct way to inform a password manager?

    > Since the parameter is called "enable_legacy_flow", does it mean it will be removed in future releases?

    In general we perceive the two-step registration as a UX improvement when you have multiple credential strategies, which previously would generate a long registration form with repeated fields. However, we have no plan to remove the config value in the foreseeable future.
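
As an added example of the question hperl raises (illustrative code, not Ory's and not from the thread): after the server has accepted a two-step registration, the page can tell the browser's password manager what to save in two ways. The `autocomplete="username"` / `autocomplete="new-password"` hints on the form are what every manager keys on; where the Credential Management API exists (Chromium-based browsers; Firefox and Safari do not implement `PasswordCredential`) the page can additionally call `navigator.credentials.store()`. The form id `form#registration`, its field names and the `/registration/complete` endpoint are assumptions for this example.

```javascript
// Added example (not Ory's code): inform the password manager after registration.
// Assumed markup: <form id="registration"> with inputs named "identifier" and "password".

// Autocomplete hints that make the new password recognisable to managers even where
// the Credential Management API is missing.
const REGISTRATION_AUTOCOMPLETE = Object.freeze({
  identifier: "username",
  password: "new-password",
});

function annotateRegistrationForm(form) {
  for (const [name, hint] of Object.entries(REGISTRATION_AUTOCOMPLETE)) {
    const input = form.elements[name];
    if (input) input.setAttribute("autocomplete", hint);
  }
  return form;
}

// Resolves to "api" when the credential was handed to navigator.credentials.store(),
// or "hints-only" when the browser lacks the API and only the autocomplete hints apply.
async function storeCredentialInManager(identifier, password, displayName) {
  const hasApi =
    typeof window !== "undefined" &&
    typeof window.PasswordCredential === "function" &&
    typeof navigator !== "undefined" &&
    navigator.credentials &&
    typeof navigator.credentials.store === "function";
  if (!hasApi) return "hints-only";
  const credential = new window.PasswordCredential({ id: identifier, password, name: displayName });
  await navigator.credentials.store(credential);
  return "api";
}

// Submit the final registration step and, only if the server accepted it, store the
// credential, so a rejected registration never leaves a dead entry in the user's manager.
async function completeRegistration(form, postFn = defaultPost) {
  const identifier = form.elements.identifier.value;
  const password = form.elements.password.value;
  const accepted = await postFn(form);
  if (!accepted) return { registered: false, stored: "none" };
  const stored = await storeCredentialInManager(identifier, password, identifier);
  return { registered: true, stored };
}

async function defaultPost(form) {
  const res = await fetch("/registration/complete", { method: "POST", body: new FormData(form) });
  return res.ok;
}

if (typeof document !== "undefined") {
  const form = annotateRegistrationForm(document.querySelector("form#registration"));
  form.addEventListener("submit", async (event) => {
    event.preventDefault();
    const result = await completeRegistration(form);
    if (result.registered) window.location.assign("/welcome");
  });
}
```

`completeRegistration` takes the network call as a parameter so the store-only-after-success rule can be exercised without a browser; in the page the default `fetch`-based poster is used.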

    • Fire-Dragon-DoL 2 years ago

      Password managers autofill during signup too, both username and password, and when they do, they detect it and ask if you want to save the credentials, including the randomly generated password.

  • vinckr 2 years ago

    One-step registration is the legacy flow. AFAICT there are no plans to remove it but Two-step is the default going forward.

    The out-of-the-box UI is supported by all major pw managers, but you do need to click twice (once for username/once for password).

  • lemma_peculiar 2 years ago

    I think services with lots of auth options (like Google) are gravitating towards identifier-first authentication because it is the middle ground between meeting sec requirements and keeping UX frictionless. Also, in the case of Kratos you were able to enable a bazillion methods by default, which would create one node for each method, which in turn would make your UI look very confusing, as Kratos would require you to render one button for each method.

Rodeoclash 2 years ago

Happy self hosted Ory user here, thank you for building out.

Has the process around customising the UI improved recently? That was by far the biggest pain point for me when setting it up.

hypeatei 2 years ago

I've said it before but I really cannot believe Auth0 doesn't offer TOTP 2FA in their "essentials" tier. Ory Kratos seems to offer it at their lowest tiers which is good.

It costs nothing (unlike SMS) so I'm not sure why Auth0 wants to charge $240+/month just to get basic 2FA.

jeswin 2 years ago

Thank you. We've been using self-hosted kratos for a couple of years now - and we're big fans. Quality has improved across the board from the early releases, and the product just keeps getting better.

ssahoo 2 years ago

I have recently added passkey support for a few apps just to support a newer auth standard. All I can tell, I have been very unimpressed.

LOGIN UX has become very confusing. Users have been vendor locked down, since Windows, Mac and Linux users have to deal with multiple key management, which isn't ideal.

In my opinion, it isn't any more secure over mfa.

  • EtienneK 2 years ago

    It’s phishing resistant; thus making it more secure than all other current popular MFA methods.

    • Fire-Dragon-DoL 2 years ago

      It's not ban resistant from a large org too. That threat factor is all new and should be accounted for.

toomuchtodo 2 years ago

Thank you for passkey support!

th1nhng0 2 years ago

Really cool project
