Authenticator Validation Stage

This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:

• Duo authenticator stage
• SMS authenticator stage.
• Static authenticator stage.
• TOTP authenticator stage
• WebAuth authenticator stage.

You can select which type of device classes are allowed.

Using the Not configured action, you can choose what happens when a user does not have any matching devices.

• Skip: Validation is skipped and the flow continues
• Deny: Access is denied, the flow execution ends
• Configure: This option requires a Configuration stage to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.

Passwordless authentication

info

Requires authentik 2021.12.4

Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics.

To configure passwordless authentication, create a new Flow with the delegation set to Authentication.

As first stage, add an Authentication validation stage, with the WebAuthn device class allowed. After this stage you can bind any additional verification stages. As final stage, bind a User login stage.

Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.

Logging

Logins which used Passwordless authentication have the auth_method context variable set to auth_webauthn_pwl, and the device used is saved in the arguments. Example:

{
    "auth_method": "auth_webauthn_pwl",
    "http_request": {
        "args": {
            "query": ""
        },
        "path": "/api/v3/flows/executor/test/",
        "method": "GET"
    },
    "auth_method_args": {
        "device": {
            "pk": 1,
            "app": "authentik_stages_authenticator_webauthn",
            "name": "test device",
            "model_name": "webauthndevice"
        }
    }
}