website/docs: add passwordless docs

closes #1863

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent 02771683a6
commit 692e75b057
|
@ -3,3 +3,27 @@ title: Password stage
|
||||||
---
|
---
|
||||||
|
|
||||||
This is a generic password prompt which authenticates the current `pending_user`. This stage allows the selection of the source the user is authenticated against.
|
This is a generic password prompt which authenticates the current `pending_user`. This stage allows the selection of the source the user is authenticated against.
|
||||||
|
|
||||||
|
## Passwordless login
|
||||||
|
|
||||||
|
To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage.
|
||||||
|
|
||||||
|
Depending on what kind of device you want to require the user to have:
|
||||||
|
|
||||||
|
#### WebAuthn
|
||||||
|
|
||||||
|
```python
|
||||||
|
from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
|
||||||
|
return WebAuthnDevice.objects.filter(user=request.user, active=True).exists()
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Duo
|
||||||
|
|
||||||
|
```python
|
||||||
|
from authentik.stages.authenticator_duo.models import DuoDevice
|
||||||
|
return DuoDevice.objects.filter(user=request.user, active=True).exists()
|
||||||
|
```
|
||||||
|
|
||||||
|
Afterwards, bind the policy you've created to the stage binding of the password stage.
|
||||||
|
|
||||||
|
Make sure to uncheck *Evaluate on plan* and check *Re-evaluate policies*, otherwise an invalid result will be cached.
|
||||||
|
|
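Review bot: The sentence "bind the policy you've created to the stage binding of the password stage" never says which policy result causes the password stage to be skipped. Both snippets return True when the user has an active device, so the page should state explicitly whether that result runs or skips the stage, and whether the binding needs to be negated; a reader who gets this backwards ends up skipping the password prompt for users with no enrolled device. The intro also lists TOTP alongside WebAuthn and Duo, but only WebAuthn and Duo snippets follow, so either add a TOTP example or drop it from the list. The snippets filter on `request.user` while the opening paragraph refers to `pending_user`; a short note on which user the policy sees at this point in the flow would remove the ambiguity. Style: the headings jump from `##` to `####`, and "experience; authenticating" reads better with a comma.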