Support Passkey Sign-In Using Email (Account Hinting) #2346

New Issue

GiteaMirror · 2026-03-13T09:45:37-05:00

GiteaMirror commented

2026-03-13 09:45:37 -05:00

Originally created by @slaymed on GitHub (Nov 21, 2025).

Is this suited for github?

Yes, this is suited for github

Currently, the passkey sign-in flow does not accept an email or any account identifier. Because of this, when a device contains multiple passkeys—each belonging to different accounts—the browser prompts the user to select which passkey to use. This breaks the UX for applications that already collect the user’s email before initiating the WebAuthn request.

I have a sign-in form that only asks for an email. When the user enters their email and presses “Continue,” I want to trigger passkey sign-in directly for that specific account, without showing the account selection UI. Since the platform doesn’t receive any hint or identifier, it cannot target the correct passkey even though the user already provided their email.

Describe the solution you'd like

Please add support for passing an email (or any account identifier) to the passkey sign-in function. This would allow the library to perform WebAuthn with an account hint, enabling the browser to skip the account-selection step and directly invoke the correct passkey.

This feature is important for apps that use an email-first login flow and want a seamless passkey experience.

Describe alternatives you've considered

Currently, the only alternative is to rely on the browser’s account selection prompt when multiple passkeys exist on a device. This works but results in a poor user experience, especially for email-first login flows, because the user has already provided their email. Another workaround is to maintain a separate mapping of device passkeys to accounts in the backend, but this adds complexity and still cannot fully skip the browser prompt in all cases.

Additional context

WebAuthn supports an “account hint” parameter (often called userHandle or id) in the credential request options, which allows the authenticator to select the correct passkey automatically. Many modern browsers implement this, but without exposing a way to pass the email/account to the library, applications cannot take advantage of it. Adding this feature would make email-first login flows seamless and improve UX when multiple passkeys exist on the same device.

Originally created by @slaymed on GitHub (Nov 21, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. Currently, the passkey sign-in flow does not accept an email or any account identifier. Because of this, when a device contains multiple passkeys—each belonging to different accounts—the browser prompts the user to select which passkey to use. This breaks the UX for applications that already collect the user’s email before initiating the WebAuthn request. I have a sign-in form that only asks for an email. When the user enters their email and presses “Continue,” I want to trigger passkey sign-in directly for that specific account, without showing the account selection UI. Since the platform doesn’t receive any hint or identifier, it cannot target the correct passkey even though the user already provided their email. ### Describe the solution you'd like Please add support for passing an email (or any account identifier) to the passkey sign-in function. This would allow the library to perform WebAuthn with an account hint, enabling the browser to skip the account-selection step and directly invoke the correct passkey. This feature is important for apps that use an email-first login flow and want a seamless passkey experience. ### Describe alternatives you've considered Currently, the only alternative is to rely on the browser’s account selection prompt when multiple passkeys exist on a device. This works but results in a poor user experience, especially for email-first login flows, because the user has already provided their email. Another workaround is to maintain a separate mapping of device passkeys to accounts in the backend, but this adds complexity and still cannot fully skip the browser prompt in all cases. ### Additional context WebAuthn supports an “account hint” parameter (often called userHandle or id) in the credential request options, which allows the authenticator to select the correct passkey automatically. Many modern browsers implement this, but without exposing a way to pass the email/account to the library, applications cannot take advantage of it. Adding this feature would make email-first login flows seamless and improve UX when multiple passkeys exist on the same device.

GiteaMirror added the enhancement label 2026-03-13 09:45:37 -05:00

GiteaMirror commented

2026-03-13 09:45:38 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 21, 2025):

(tag @better-auth-agent if you would like an answer from the Agent)

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 21, 2025): (tag @better-auth-agent if you would like an answer from the Agent)  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-03-13 09:45:38 -05:00

@slaymed commented on GitHub (Nov 21, 2025):

@better-auth-agent Could you please check this issue?

@slaymed commented on GitHub (Nov 21, 2025): @better-auth-agent Could you please check this issue?

GiteaMirror commented

2026-03-13 09:45:39 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 21, 2025):

Hi there, thanks for your detailed issue submission on adding an email/account hint to the passkey sign-in flow. We understand that in email-first login flows, being able to pass an account identifier (e.g., an email) to directly target the correct passkey is important to skip the browser’s default account selection, which can break the user experience.

At the moment, our passkey implementation focuses on a standard registration and sign-in flow without input for an account hint. We recognize that WebAuthn supports user hints (sometimes via userHandle or similar parameters), and your request aligns with that approach. Our team is looking into possible solutions to include an option in the passkey sign-in method to accept such an identifier. This would enable bypassing the account selection prompt when a user’s email is already provided. Until we have a complete solution, the recommended workaround is to maintain a mapping on the backend linking passkeys to emails, although we understand this adds complexity.

Would you like to share additional use cases or provide feedback on any interim workaround ideas? Tag @better-auth-agent if you would like an answer from the Agent.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 21, 2025): Hi there, thanks for your detailed issue submission on adding an email/account hint to the passkey sign-in flow. We understand that in email-first login flows, being able to pass an account identifier (e.g., an email) to directly target the correct passkey is important to skip the browser’s default account selection, which can break the user experience. At the moment, our passkey implementation focuses on a standard registration and sign-in flow without input for an account hint. We recognize that WebAuthn supports user hints (sometimes via userHandle or similar parameters), and your request aligns with that approach. Our team is looking into possible solutions to include an option in the passkey sign-in method to accept such an identifier. This would enable bypassing the account selection prompt when a user’s email is already provided. Until we have a complete solution, the recommended workaround is to maintain a mapping on the backend linking passkeys to emails, although we understand this adds complexity. Would you like to share additional use cases or provide feedback on any interim workaround ideas? Tag @better-auth-agent if you would like an answer from the Agent.  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-03-13 09:45:39 -05:00

@dosubot[bot] commented on GitHub (Feb 20, 2026):

Hi, @slaymed. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

You requested support for passing an email or account identifier to the passkey sign-in function to enable account hinting in WebAuthn.
This feature aims to improve user experience by bypassing the browser's account selection prompt.
The maintainer acknowledged the importance of this feature and confirmed the current implementation lacks this input.
They are exploring solutions to add this option and suggested a backend mapping workaround as a temporary measure.
No resolution has been reached yet.

Next Steps:

Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
Otherwise, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

@dosubot[bot] commented on GitHub (Feb 20, 2026): Hi, @slaymed. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You requested support for passing an email or account identifier to the passkey sign-in function to enable account hinting in WebAuthn. - This feature aims to improve user experience by bypassing the browser's account selection prompt. - The maintainer acknowledged the importance of this feature and confirmed the current implementation lacks this input. - They are exploring solutions to add this option and suggested a backend mapping workaround as a temporary measure. - No resolution has been reached yet. **Next Steps:** - Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open. - Otherwise, this issue will be automatically closed in 7 days. Thank you for your understanding and contribution!

GiteaMirror commented

2026-03-13 09:45:40 -05:00

@slaymed commented on GitHub (Feb 23, 2026):

This issue is still relevant to our use case. We would like to keep it open for further discussion and updates.

@slaymed commented on GitHub (Feb 23, 2026): This issue is still relevant to our use case. We would like to keep it open for further discussion and updates.

GiteaMirror referenced this issue

2026-03-13 11:40:09 -05:00

[PR #2346] [MERGED] feat(organization): support createdAt on invitations #4273

GiteaMirror referenced this issue

2026-04-13 08:26:24 -05:00

[PR #2346] [MERGED] feat(organization): support createdAt on invitations #12520

GiteaMirror referenced this issue

2026-04-15 20:11:20 -05:00

[PR #2346] [MERGED] feat(organization): support createdAt on invitations #21174

GiteaMirror referenced this issue

2026-04-17 21:07:29 -05:00

[PR #2346] [MERGED] feat(organization): support createdAt on invitations #29874

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#2346