Anyone can register a new device when there is no device registered for passwordless login for any user. https://issues.redhat.com/browse/KEYCLOAK-18500
Although this feature of passwordless login using WebAuthn is still in tech preview for RHSSO 7.4.7 but it is there and can be enabled if desired by admin : https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/server_administration_guide/authentication#webauthn
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2021:3528 https://access.redhat.com/errata/RHSA-2021:3528
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2021:3529 https://access.redhat.com/errata/RHSA-2021:3529
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2021:3527 https://access.redhat.com/errata/RHSA-2021:3527
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.9 Via RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3632