jsso2 is a passwordless single-sign-on system written in Go and Typescript.
You can run everything locally. Run npm run all, and a server will begin listening on port 4000. (Ignore the output from the various components that start themselves; those ports get proxied to by the server running on port 4000.) Any Typescript/Svelte changes are reflected immediately as you edit the files. Go changes require a restart for the time being. You will also need an envoy binary. I get mine by docker cp-ing the binary out of one of their releases.
Windows remembers every enrollment you've ever done, which can result in confusion when you're trying to log in. You can see a list of your Windows Hello keys by running certutil -csp NGC -key. You should see keys that contain FIDO_AUTHENTICATOR in their names, and these are keys created by Windows Hello. The part after FIDO_AUTHENTICATOR is the Relying Party ID hash and the User ID separated by an underscore. Keys from the dev server will have a Relying Party ID of "localhost", and the sha256sum of "localhost" is 49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763; this should allow you to recognize the keys that you've enrolled while testing. You can then delete them with certutil -csp NGC -delkey <full key> from an Administrator console.