diff --git a/website/docs/flow/stages/authenticator_validate/index.md b/website/docs/flow/stages/authenticator_validate/index.md index 6620db378b83..d9b8a5e4f723 100644 --- a/website/docs/flow/stages/authenticator_validate/index.md +++ b/website/docs/flow/stages/authenticator_validate/index.md @@ -21,7 +21,9 @@ Using the `Not configured action`, you can choose what happens when a user does By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5) Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp. -### Less-frequent validation +### Options + +#### Less-frequent validation :::info Requires authentik 2022.5.1 @@ -29,12 +31,13 @@ Requires authentik 2022.5.1 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked. -### Passwordless authentication +#### Passwordless authentication :::info Requires authentik 2021.12.4 ::: -:::danger + +:::caution Firefox has some known issues regarding FIDO (see https://bugzilla.mozilla.org/show_bug.cgi?id=1530370) and TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482) ::: @@ -48,7 +51,7 @@ As final stage, bind a _User login_ stage. Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow. -### Logging +#### Logging Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: @@ -73,7 +76,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var } ``` -### `WebAuthn Device type restrictions` +#### WebAuthn Device type restrictions :::info Requires authentik 2024.4 diff --git a/website/docs/flow/stages/authenticator_webauthn/index.md b/website/docs/flow/stages/authenticator_webauthn/index.md index 538fd5b4024d..b2717145d74a 100644 --- a/website/docs/flow/stages/authenticator_webauthn/index.md +++ b/website/docs/flow/stages/authenticator_webauthn/index.md @@ -4,19 +4,21 @@ title: WebAuthn authenticator setup stage This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey. -### `User verification` +### Options + +#### User verification Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required. -### `Resident key requirement` +#### Resident key requirement Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication. -### `Authenticator Attachment` +#### Authenticator Attachment Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement. -### `Device type restrictions` +#### Device type restrictions :::info Requires authentik 2024.4 diff --git a/website/docs/flow/stages/source/index.md b/website/docs/flow/stages/source/index.md index 5c49c69aac84..ce703868fcaf 100644 --- a/website/docs/flow/stages/source/index.md +++ b/website/docs/flow/stages/source/index.md @@ -40,10 +40,10 @@ This is because the Source stage works by appending a [dynamic in-memory](../../ ### Options -#### `source` +#### Source The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../integrations/sources/oauth/) or [SAML](../../../../integrations/sources/saml/). Sources like [LDAP](../../../../integrations/sources/ldap/) are _not_ compatible. -#### `resume_timeout` +#### Resume timeout Because the execution of the current flow is suspended before the user is redirected to the configured source, this option configures how long the suspended flow is saved. If this timeout is exceeded, upon return from the configured source, the suspended flow will restart from the beginning.