goauthentik · BeryJu · Apr 17, 2024 · Apr 17, 2024
@@ -21,20 +21,23 @@ Using the `Not configured action`, you can choose what happens when a user does
 By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5)
 Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp.
 
-### Less-frequent validation
+### Options
+
+#### Less-frequent validation
 
 :::info
 Requires authentik 2022.5.1
 :::
 
 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
 
-### Passwordless authentication
+#### Passwordless authentication
 
 :::info
 Requires authentik 2021.12.4
 :::
-:::danger
+
+:::caution
 Firefox has some known issues regarding FIDO (see https://bugzilla.mozilla.org/show_bug.cgi?id=1530370) and TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
 :::
 
@@ -48,7 +51,7 @@ As final stage, bind a _User login_ stage.
 
 Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
 
-### Logging
+#### Logging
 
 Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
 
@@ -73,7 +76,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
 }
 ```
 
-### `WebAuthn Device type restrictions`
+#### WebAuthn Device type restrictions
 
 :::info
 Requires authentik 2024.4

@@ -4,19 +4,21 @@ title: WebAuthn authenticator setup stage
 
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
 
-### `User verification`
+### Options
+
+#### User verification
 
 Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required.
 
-### `Resident key requirement`
+#### Resident key requirement
 
 Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
 
-### `Authenticator Attachment`
+#### Authenticator Attachment
 
 Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
 
-### `Device type restrictions`
+#### Device type restrictions
 
 :::info
 Requires authentik 2024.4

@@ -40,10 +40,10 @@ This is because the Source stage works by appending a [dynamic in-memory](../../
 
 ### Options
 
-#### `source`
+#### Source
 
 The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../integrations/sources/oauth/) or [SAML](../../../../integrations/sources/saml/). Sources like [LDAP](../../../../integrations/sources/ldap/) are _not_ compatible.
 
-#### `resume_timeout`
+#### Resume timeout
 
 Because the execution of the current flow is suspended before the user is redirected to the configured source, this option configures how long the suspended flow is saved. If this timeout is exceeded, upon return from the configured source, the suspended flow will restart from the beginning.