diff --git a/website/docs/flow/stages/password/index.md b/website/docs/flow/stages/password/index.md index 14ef089ac..ca411159d 100644 --- a/website/docs/flow/stages/password/index.md +++ b/website/docs/flow/stages/password/index.md @@ -3,3 +3,27 @@ title: Password stage --- This is a generic password prompt which authenticates the current `pending_user`. This stage allows the selection of the source the user is authenticated against. + +## Passwordless login + +To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage. + +Depending on what kind of device you want to require the user to have: + +#### WebAuthn + +```python +from authentik.stages.authenticator_webauthn.models import WebAuthnDevice +return WebAuthnDevice.objects.filter(user=request.user, active=True).exists() +``` + +#### Duo + +```python +from authentik.stages.authenticator_duo.models import DuoDevice +return DuoDevice.objects.filter(user=request.user, active=True).exists() +``` + +Afterwards, bind the policy you've created to the stage binding of the password stage. + +Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
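Review bot: in the new "Passwordless login" section, both expressions return True when the user has an active device, but the text never says whether a passing policy on the password stage binding runs the stage or skips it. Please state that explicitly and confirm the return value has the intended polarity. If it is inverted, users with no enrolled device are the ones who skip the password prompt. A short sentence on what happens for a user with no WebAuthn or Duo device would also help. The intro lists TOTP/WebAuthn/Duo, but only WebAuthn and Duo snippets are given, so either add the TOTP expression or drop TOTP from the sentence. The snippets filter on `request.user` while the existing paragraph talks about `pending_user`; a note on how the two relate at the point this policy is evaluated would avoid confusion. Minor: the semicolon in "experience; authenticating" should be a comma, and the subsection headings jump from `##` to `####` where `###` would be expected.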