Users can access web applications securely without submitting any sort of username or password over the wire. Modern browsers provide an API to create public-key-based credentials that authenticate a user with no username and password. It is a new type of web authentication officially ratified by the W3C (World Wide Web Consortium). The major browsers Mozilla Firefox, Chrome, Edge, and Safari support this kind of authentication. Each device generates a unique credential reference ID along with cryptographically relevant data. This unique ID is used to identify the user. The cryptographically generated information is validated with a trusted resource.
Web authentication provides a secure way of sharing user information with the relying party (access manager). Web Authentication is a standard set by the W3C. Usernameless and passwordless authentication reduces username and password theft and provides some relief from phishing and replay attacks. Additional access policies can be implemented based on device attestation.
Do check the passwordless authentication with the access manager here. Usernameless authentication is an extension of passwordless authentication. Modern devices support Windows Hello biometric/PIN authenticators and Yubico authenticators. The device stores the generated cryptographic credentials in the TPM or in persistent storage. A device can hold more than one credential, which allows device sharing. When more than one credential is available, the user has to select their profile from the credential profile popup window.
On mobile devices, Android and iPhone use native biometric authenticators. This needs a trusted verifier, which has to be implemented in the demo project given below under resources. Persistent storage of user registrations also has to be implemented in the demo project: it uses in-memory storage, so user registration information is lost when the IDP restarts. The web authentication flow can be controlled by changing the parameters returned from the server, for example attestation type, authenticator type, and user verification. For detailed information, please visit the W3C specification.
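The server-controlled parameters described above, shown as an added Node.js example that is not code from the demo project: it builds the registration and sign-in options for a usernameless flow and checks the client data that comes back. The function names, the `policy` object and the relying-party values are hypothetical.

```javascript
// Added example: server-side WebAuthn options for a usernameless flow (Node.js).
// Function names and the policy object are hypothetical, not the demo project's API.
const { randomBytes } = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const ATTESTATION = ["none", "indirect", "direct", "enterprise"];
const ATTACHMENT = ["platform", "cross-platform"];
const USER_VERIFICATION = ["required", "preferred", "discouraged"];

function pick(name, value, allowed) {
  if (!allowed.includes(value)) throw new Error(`unsupported ${name}: ${value}`);
  return value;
}

// Registration: attestation type, authenticator type and user verification.
function registrationOptions(rp, displayName, policy) {
  return {
    rp, // { id, name } of the relying party
    user: { id: b64u(randomBytes(32)), name: displayName, displayName },
    challenge: b64u(randomBytes(32)), // fresh for every ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    attestation: pick("attestation", policy.attestation, ATTESTATION),
    authenticatorSelection: {
      authenticatorAttachment: pick("attachment", policy.attachment, ATTACHMENT),
      userVerification: pick("userVerification", policy.userVerification, USER_VERIFICATION),
      residentKey: "required", // discoverable credential: no username at sign-in
    },
  };
}

// Sign-in: an empty allowCredentials list lets the device offer its stored profiles.
function assertionOptions(rpId, policy) {
  return {
    rpId,
    challenge: b64u(randomBytes(32)),
    allowCredentials: [],
    userVerification: pick("userVerification", policy.userVerification, USER_VERIFICATION),
  };
}

// Client data checks only: challenge (replay) and origin (phishing).
// Signature and attestation verification remain the verifier's job.
function checkClientData(clientDataJSON, expected) {
  const c = JSON.parse(Buffer.from(clientDataJSON, "base64url").toString("utf8"));
  if (c.type !== expected.type) return "wrong ceremony type";
  if (c.challenge !== expected.challenge) return "challenge mismatch";
  if (c.origin !== expected.origin) return "origin mismatch";
  return "ok";
}
```

The binary fields are base64url strings so the options can travel as JSON; the page script has to decode them to buffers before calling `navigator.credentials.create()` or `navigator.credentials.get()`.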