WebAuthn / FIDO2 / Passkeys Authenticator setup stage
This stage lets users enroll an authenticator based on WebAuthn, FIDO2 or passkeys. It supports:
- Security Keys: Physical devices like YubiKey, Google Titan, etc.
- Platform Authenticators: Built-in authenticators like Windows Hello, Touch ID, Face ID
- Mobile Devices: Using device biometrics or security keys via mobile browsers
Options
User verification
Configure whether authentik should require, prefer or discourage user verification for the authenticator. For example, when using a virtual authenticator such as Windows Hello, this setting controls whether a PIN is required.
Resident key requirement
Configure whether the created credential is stored in the encrypted memory of the device (a resident, or discoverable, credential) or in persistent memory. When configuring passwordless login, set this to either Preferred or Required; otherwise the authenticator cannot be used for passwordless authentication.
Authenticator Attachment
Configure whether authentik requires a removable device (such as a YubiKey or Google Titan), a non-removable device (such as Windows Hello, Touch ID or a password manager), or sends no requirement at all.
Device type restrictions (authentik 2024.4.0+)
Optionally restrict the types of devices that can be enrolled, for example to ensure users can only enroll FIPS-compliant devices.
When no restrictions are selected, all device types are allowed.
Because authentik does not know all possible device types, the special option authentik: Unknown devices can be selected to allow unknown devices.
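The following is an added example, not authentik's own code. It shows how the three selection options above (user verification, resident key requirement, authenticator attachment) map onto the `authenticatorSelection` dictionary that a relying party places in `PublicKeyCredentialCreationOptions` for `navigator.credentials.create()`, and it models the device type restriction as an allow-list check on the authenticator's AAGUID. The AAGUID-based enforcement and the `KNOWN_DEVICE_TYPES` catalogue are assumptions for illustration; the page does not describe authentik's internal mechanism, and the AAGUID values are constructed placeholders.

```javascript
// Added example (not authentik's code): mapping the WebAuthn stage options onto the
// browser-facing authenticatorSelection dictionary, plus a modelled device type check.

const UV_VALUES = ["required", "preferred", "discouraged"];
const RK_VALUES = ["required", "preferred", "discouraged"];
const ATTACHMENT_VALUES = ["platform", "cross-platform", null]; // null = send no requirement

// Translate the stage's three selection options into the dictionary the browser consumes.
function buildAuthenticatorSelection({ userVerification, residentKey, attachment }) {
  if (!UV_VALUES.includes(userVerification)) {
    throw new RangeError(`invalid userVerification: ${userVerification}`);
  }
  if (!RK_VALUES.includes(residentKey)) {
    throw new RangeError(`invalid residentKey: ${residentKey}`);
  }
  if (!ATTACHMENT_VALUES.includes(attachment)) {
    throw new RangeError(`invalid attachment: ${attachment}`);
  }
  const selection = {
    userVerification,
    residentKey,
    // requireResidentKey is the older (Level 1) spelling; browsers that only know it
    // honour it, so set it consistently with residentKey.
    requireResidentKey: residentKey === "required",
  };
  // Leaving the key out is how "do not send a requirement" is expressed on the wire.
  if (attachment !== null) {
    selection.authenticatorAttachment = attachment;
  }
  return selection;
}

// Passwordless (discoverable-credential) login needs the credential stored on the
// authenticator, so a stage with residentKey "discouraged" cannot offer it.
function passwordlessCapable(stage) {
  return stage.residentKey !== "discouraged";
}

// Constructed sample catalogue of AAGUID -> device type name. A real deployment would
// source this from authenticator metadata; these identifiers are placeholders only.
const KNOWN_DEVICE_TYPES = new Map([
  ["11111111-1111-1111-1111-111111111111", "Example FIPS key"],     // constructed
  ["22222222-2222-2222-2222-222222222222", "Example consumer key"], // constructed
]);

// allowedTypes: Set of device type names selected in the stage; an empty set means
// no restriction. allowUnknown models the "authentik: Unknown devices" option.
function isDeviceTypeAllowed(aaguid, allowedTypes, allowUnknown) {
  if (allowedTypes.size === 0) {
    return true; // no restrictions selected: every device type is allowed
  }
  const deviceType = KNOWN_DEVICE_TYPES.get(aaguid.toLowerCase());
  if (deviceType === undefined) {
    return allowUnknown; // not in the catalogue: only allowed if unknown devices are permitted
  }
  return allowedTypes.has(deviceType);
}

// Stand-alone demonstration: a stage configured for passwordless login.
const passwordlessStage = { userVerification: "required", residentKey: "required", attachment: null };
console.log(JSON.stringify(buildAuthenticatorSelection(passwordlessStage)));
console.log("passwordless capable:", passwordlessCapable(passwordlessStage));
console.log(
  "FIPS-only stage accepts unknown device:",
  isDeviceTypeAllowed("33333333-3333-3333-3333-333333333333", new Set(["Example FIPS key"]), false)
);
```

The check in `isDeviceTypeAllowed` runs on the relying party side after registration, against the AAGUID carried in the attestation; a browser cannot be trusted to enforce the restriction itself, which is why the selection dictionary alone does not cover it.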