
Authenticator validation stage

This stage validates an already configured Authenticator Device. The device has to be configured beforehand using one of the other authenticator stages.

You can select which device classes are allowed.

Using the Not configured action, you can choose what happens when a user does not have any matching devices.

  • Skip: Validation is skipped and the flow continues
  • Deny: Access is denied, the flow execution ends
  • Configure: This option requires a Configuration stage to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.

By default, authenticator validation is required every time the flow containing this stage is executed. To change this behavior, set Last validation threshold to a non-zero value (requires authentik 2022.5). Keep in mind that when using code-based devices (TOTP, Static and SMS), values lower than seconds=30 cannot be used: because of the way TOTP devices are saved, there is no exact timestamp of the last validation.

Options

Less-frequent validation (authentik 2022.5.1+)

You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set Last validation threshold to any non-zero value. Any of the user's devices within the selected classes are checked.

Passwordless authentication (authentik 2021.12.4+)

caution

Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482).

Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics. For an alternate passwordless setup, see Password stage, which supports other types.

To configure passwordless authentication, create a new Flow with the designation set to Authentication.

As the first stage, add an Authenticator validation stage with the WebAuthn device class allowed. After this stage you can bind any additional verification stages. As the final stage, bind a User login stage.

Users can either access this flow directly via its URL, or you can modify any Identification stage's Passwordless flow setting to add a direct link to this flow.

Logging

Logins which used Passwordless authentication have the auth_method context variable set to auth_webauthn_pwl, and the device used is saved in the arguments. Example:

{
  "auth_method": "auth_webauthn_pwl",
  "http_request": {
    "args": {
      "query": ""
    },
    "path": "/api/v3/flows/executor/test/",
    "method": "GET"
  },
  "auth_method_args": {
    "device": {
      "pk": 1,
      "app": "authentik_stages_authenticator_webauthn",
      "name": "test device",
      "model_name": "webauthndevice"
    }
  }
}
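The following is an added example, not part of authentik or its documentation: a small review script that reads login event contexts of the shape shown above (one JSON object per line, a constructed sample embedded inline) and surfaces the logins that used passwordless authentication together with the device that was used. Malformed lines and passwordless logins that carry no device record are handled rather than dropped, since a missing device is exactly the kind of entry worth noticing during review. The "password" auth_method value in the sample is part of the constructed data.

```python
import json
from collections import Counter

# Constructed sample (JSONL): the first line follows the passwordless shape
# from the page, the second is a non-passwordless login, the third is a
# passwordless login with no device recorded, the fourth is not JSON at all.
SAMPLE_EVENTS = """
{"auth_method": "auth_webauthn_pwl", "http_request": {"args": {"query": ""}, "path": "/api/v3/flows/executor/test/", "method": "GET"}, "auth_method_args": {"device": {"pk": 1, "app": "authentik_stages_authenticator_webauthn", "name": "test device", "model_name": "webauthndevice"}}}
{"auth_method": "password", "http_request": {"args": {"query": ""}, "path": "/api/v3/flows/executor/test/", "method": "GET"}}
{"auth_method": "auth_webauthn_pwl", "http_request": {"path": "/api/v3/flows/executor/test/"}, "auth_method_args": {}}
not json at all
""".strip()

PASSWORDLESS = "auth_webauthn_pwl"  # value documented on the page


def passwordless_logins(jsonl):
    """Return one record per passwordless login found in a JSONL string.

    Device fields are None when auth_method_args.device is absent, so such
    logins are still reported instead of silently skipped.
    """
    found = []
    for raw in jsonl.splitlines():
        try:
            ctx = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an event context line; skip it
        if ctx.get("auth_method") != PASSWORDLESS:
            continue
        device = (ctx.get("auth_method_args") or {}).get("device") or {}
        found.append({
            "path": (ctx.get("http_request") or {}).get("path"),
            "device_pk": device.get("pk"),
            "device_app": device.get("app"),
            "device_name": device.get("name"),
        })
    return found


def device_usage(records):
    """Count passwordless logins per (app, pk); the (None, None) bucket
    collects logins that recorded no device at all."""
    return Counter((r["device_app"], r["device_pk"]) for r in records)


if __name__ == "__main__":
    hits = passwordless_logins(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(device_usage(hits))
```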

WebAuthn Device type restrictions (authentik 2024.4+)

Optionally restrict which WebAuthn device types can be used to authenticate.

When no restriction is set, all WebAuthn devices a user has registered are allowed.

These restrictions only apply to WebAuthn devices created with authentik 2024.4 or later.