From 692e75b057b4249d51c583251fd3eaca0f874627 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 2 Dec 2021 15:48:34 +0100 Subject: [PATCH] website/docs: add passwordless docs closes #1863 Signed-off-by: Jens Langhammer --- website/docs/flow/stages/password/index.md | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/website/docs/flow/stages/password/index.md b/website/docs/flow/stages/password/index.md index 14ef089ac..ca411159d 100644 --- a/website/docs/flow/stages/password/index.md +++ b/website/docs/flow/stages/password/index.md @@ -3,3 +3,27 @@ title: Password stage --- This is a generic password prompt which authenticates the current `pending_user`. This stage allows the selection of the source the user is authenticated against. + +## Passwordless login + +To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage. + +Depending on what kind of device you want to require the user to have: + +#### WebAuthn + +```python +from authentik.stages.authenticator_webauthn.models import WebAuthnDevice +return WebAuthnDevice.objects.filter(user=request.user, active=True).exists() +``` + +#### Duo + +```python +from authentik.stages.authenticator_duo.models import DuoDevice +return DuoDevice.objects.filter(user=request.user, active=True).exists() +``` + +Afterwards, bind the policy you've created to the stage binding of the password stage. + +Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
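Review bot: In the WebAuthn and Duo snippets the device lookup filters on `user=request.user`, while the context line of this same file says the password stage authenticates the current `pending_user`. The docs should state which user object the expression policy sees at this point in the flow, because the user has not been authenticated before the password stage, and a lookup against the wrong object would make the device check meaningless. Two smaller points: the intro sentence lists TOTP/WebAuthn/Duo but only WebAuthn and Duo get a snippet, so either add the TOTP one or drop it from the sentence; and the text never says what a `True` result does to the bound password stage (run it or skip it), which a reader needs in order to know whether the expression has to be negated. The headings also jump from `##` straight to `####`.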