Skip to main content

WebAuthn authenticator setup stage

This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.


User verification

Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required.

Resident key requirement

Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring passwordless login, this should be set to either Preferred or Required, otherwise the authenticator cannot be used for passwordless authentication.

Authenticator Attachment

Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.

Device type restrictions


Requires authentik 2024.4

Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.

When no restrictions are selected, all device types are allowed.

As authentik does not know of all possible device types, it is possible to select the special option authentik: Unknown devices to allow unknown devices.