Password stage

This is a generic password prompt which authenticates the current pending_user. This stage allows the selection of the source the user is authenticated against.

There are two different ways to configure passwordless authentication; you can follow the instructions here to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.

Depending on what kind of device you want to require the user to have:

WebAuthn

from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
return WebAuthnDevice.objects.filter(user=request.context['pending_user'], confirmed=True).exists()

Duo

from authentik.stages.authenticator_duo.models import DuoDevice
return DuoDevice.objects.filter(user=request.context['pending_user'], confirmed=True).exists()

Afterwards, bind the policy you've created to the stage binding of the password stage.

Make sure to uncheck Evaluate on plan and check Re-evaluate policies, otherwise an invalid result will be cached.

Passwordless login​

WebAuthn​

Duo​

Passwordless login

WebAuthn

Duo