Authentik - Passwordless Login 

Cooptonian
10K views

In this video, I walk through how to set up passwordless login in authentik.
Documentation:
Passwordless Login: goauthentik.io/docs/flow/stag...
Passwordless Login (dynamic): goauthentik.io/docs/flow/stag...

Category: Hobbies

Published: 31 Jul 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 43
@Autchirion 6 months ago
Love your tutorials, I've been able to start up authentik within a couple of hours, loving them! Unfortunately this one does not work for me. My user has a YubiKey 5 NFC as a second factor and it's working like a charm. But when I try the passwordless login, it states (in Windows) that this is an unknown key and there is a message in authentik: Error: Error when creating credential: NotAllowedError: The operation either timed out or was not allowed. Did you ever experience something like this and have an idea what to do?
@cooptonian 6 months ago
...I don't have a YubiKey to test, so no, I have not come across this. Have you already tried removing and re-enrolling the key in authentik?
@Autchirion 6 months ago
@cooptonian Yes, I did. Today I figured out why it's not working with YubiKey (and probably other hardware keys). In the default-authenticator-webauthn-setup stage, Resident key requirement is set to "preferred". By default most keys don't use a resident key if not required. So, if you want to use a hardware key for passwordless login, you have to set the value to "required", and then re-register the key. After that it is working (at least for me).
@cooptonian 6 months ago
@Autchirion GREAT find! This surely will help others in the same situation.😀 comment PINNED!
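Why the key in @Autchirion's thread above could work as a second factor yet fail in the passwordless flow, as an added example (not code from the video or from authentik): a passwordless request carries an empty `allowCredentials` list, so only discoverable (resident) credentials can answer it. The `enrolled` list and its string credential IDs are constructed, and the model assumes the client reported the `credProps` extension at registration.

```javascript
// Added example. Field names follow the WebAuthn API; sample data is
// constructed and credential IDs are strings here (real IDs are binary).

// Registration options a relying party passes to navigator.credentials.create().
function registrationSelection(residentKey) {
  if (!["discouraged", "preferred", "required"].includes(residentKey)) {
    throw new RangeError(`unknown residentKey value: ${residentKey}`);
  }
  return {
    authenticatorSelection: {
      residentKey,
      // Legacy boolean from WebAuthn Level 1, true only for "required".
      requireResidentKey: residentKey === "required",
    },
    // Ask the client to report whether the new credential is discoverable.
    extensions: { credProps: true },
  };
}

// Classify a credential from credential.getClientExtensionResults().
function discoverability(extensionResults) {
  const rk = extensionResults?.credProps?.rk;
  if (rk === true) return "discoverable";
  if (rk === false) return "server-side";
  return "unknown"; // the client did not report credProps
}

// Which enrolled credentials can satisfy a navigator.credentials.get() request?
function usableCredentials(enrolled, allowCredentials) {
  if (allowCredentials.length === 0) {
    // Passwordless: the server has no username yet and sends no credential
    // IDs, so only credentials stored on the authenticator itself qualify.
    return enrolled.filter((c) => c.kind === "discoverable");
  }
  // Second factor: the server lists the user's credential IDs, so both
  // discoverable and server-side credentials work.
  const allowed = new Set(allowCredentials.map((d) => d.id));
  return enrolled.filter((c) => allowed.has(c.id));
}

// Constructed case: one key enrolled under "preferred" that reported rk=false,
// and the same key re-enrolled under "required" that reported rk=true.
const enrolled = [
  { id: "key-preferred", kind: discoverability({ credProps: { rk: false } }) },
  { id: "key-required", kind: discoverability({ credProps: { rk: true } }) },
];
const asSecondFactor = usableCredentials(enrolled, [{ type: "public-key", id: "key-preferred" }]);
const passwordless = usableCredentials(enrolled, []);
```

Here `asSecondFactor` contains only `key-preferred` and `passwordless` contains only `key-required`, which is the split between the working 2FA login and the failing passwordless login.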
@popers83 18 days ago
Thanks for the guide! Works perfectly! This is what I've been looking for all morning :)
@cooptonian 17 days ago
You're welcome!
@dib9900 5 months ago
Brilliant!!!
@DeathofHeavens 3 months ago
How do you do this with Proton Pass? When I try to log in with it, it doesn't prompt me to create a passkey. EDIT: nvm, I figured out how to add the passkey: you go to the Passwordless flow you created and click execute flow, this will prompt Proton Pass to create and store the passkey.
@KSavov 3 months ago
This should be pinned! You saved me from my 2-hour struggle to add the passkey to 1Password.
@adtwomey 1 year ago
I got to try this.
@XXArmitageXX 3 months ago
Following the guide I could set up a passwordless flow that works fine for logging in to authentik itself. The problem is when trying to access different services with the authentik authentication flow set up through the reverse proxy configuration: I can log in with the passkey but it would loop endlessly without redirecting to the desired service. Using password/MFA instead works fine. Any idea what could be wrong?
@hamzarahabi7375 2 months ago
Great stuff. I want to ask: I have an OpenVPN server on my pfSense and I want to implement authentik synced with Active Directory. Is it possible to authenticate OpenVPN against authentik so I can benefit from Active Directory and WebAuthn fingerprint for more hardening?
@ultrakill09 9 months ago
Okay, I feel like I'm close... but I cannot figure out how you were able to customize the authentication options like you have at 0:29. Do you plan on doing a guide on this later, or is this something easy enough to explain? I've created a custom TOTP stage and was able to change the name similar to your "Traditional authenticator", but haven't figured out the icons and/or the subtext for context.
@cooptonian 9 months ago
I created my own authenticator stage(s), there you can change title/description...also, enroll in whatever MFA options you want to show multiple methods.
@FelipeBaezFilms 1 year ago
Excellent! Thanks for that! I was scheduled to start looking into this today. =)
@cooptonian 1 year ago
Glad I could help!
@Absolute-Unit 7 months ago
I don't know if this will help anyone, maybe it was covered here and I missed it or there is a better way to do this. I couldn't get my Pixel 8 Pro to create a passkey using Firefox as my browser. I had to log in to my authentik instance using Chrome, create the WebAuthn, go through the steps to create the passkey, then I was able to log in to my authentik instance using Firefox and the WebAuthn.
@derfladi 1 year ago
Nice tutorial like the others. Thank you!
@cooptonian 1 year ago
You're welcome!
@PhillPriceUK 1 year ago
Perfect!
@Voigt_Analytics 4 months ago
Nice flow! But rather complicated, don't you think? There should be a single checkbox to allow passwordless logins.
@LUISPLAPINO 6 months ago
I don't get asked to choose any device when I click on "use a security key", it only recharges the authentik login page. Do you know what could be wrong? (I've tried it in Chrome, Edge, Firefox and Opera) (I did not ever set up any custom 2FA)
@cooptonian 6 months ago
...the video mentions in the beginning that it is assumed you have users set up with WebAuthn already set up. So, if you never set 2FA/WebAuthn up I recommend watching that video first
@LUISPLAPINO 6 months ago
@cooptonian Thank you so much! I've just missed the first part 😅
@TheFeezBlack 9 months ago
Hello, thank you for your work. I was wondering, is it possible to go passwordless when logging in to a Windows session? Here is an example: I have an AD with users and I want them to connect to their session passwordless with their YubiKey. Do you know if authentik can do that? Thank you again :)!
@cooptonian 9 months ago
Glad the video helps. I would think it possible...if AD is sync'd with authentik, passwordless would just be another auth method for same account. I don't have the setup to test that though.
@TheFeezBlack 9 months ago
@cooptonian If you think it's possible, I'll work on that, thank you. And if I succeed I'll let you know :)
@cooptonian 9 months ago
@TheFeezBlack OK, yeah, great...and thanks!
@sandromar111 6 months ago
Really, really thanks for your tutorials! Amazing. I was able to correctly set up two-factor verification with a password. But without a password, I cannot log in. It doesn't ask me to set up a new passkey and it doesn't 'get' the one that works with the password... I've tried creating new ones from the user profile, or deleting them all. Has this problem happened to you on any occasion? Thank you for your invaluable support.
@cooptonian 6 months ago
You said you correctly set up two-factor? What kind of two-factor? Also, to set up any other form of MFA you need to log in as that user OR impersonate them from the admin interface, go into the user's settings > MFA devices and enroll any other additional methods...this is because once you set up a form of MFA the setup wizard no longer prompts you (as you have one set up already).
@sandromar111 6 months ago
@cooptonian Thank you very much for your response and your valuable time. Unfortunately, I am unable to proceed. I deleted the WebAuthn 2-factor authentication (the one that works with password) and tried to create a new one. But once I send the notification to the device (Pixel 8) the phone looks inside the Google Password Manager (not my password manager) where it finds nothing. At this point authentik, finding no passkey, does not propose to find it but returns this error: Error: Error when creating credential: NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. I think it is more of a problem with my phone and passkey management than with authentik. The curious thing is that WebAuthn correctly finds approval in the password procedure. Thank you for your support.
@sandromar111 5 months ago
@cooptonian Confirmed. It is an issue with my Android phone (Pixel 8). All works correctly with iOS. Thank you for your support.
@theTrigant 10 months ago
I do not get asked to choose another device like a smartphone after clicking on cancel in my browser. What now?
@cooptonian 10 months ago
If your browser is Chromium based (Chrome/Edge) it should behave the same...unfortunately, I have not tested to know the behaviour of Firefox, Safari, Opera or any other browser... I'd recommend digging into whichever browser's settings you're using and checking to see if you can change security key behavior if possible...
@theTrigant 10 months ago
@cooptonian Yep, Firefox-based. It's LibreWolf, the one with the highest privacy rating.
@carloalbertoscola7862 1 year ago
If the phone was never used before to log in, how do you set up the passkey? Thanks for the explanation.
@cooptonian 1 year ago
If you've set up new users to be forced to set up 2FA at first login, they would set it up then. If they already have a login and can get in, they would just need to go to their user profile settings and enroll a 2FA (WebAuthn) method. Otherwise, you'd have to temporarily turn off 2FA so they can get in and enroll, then turn 2FA back on. OR if you have instant contact with the user, impersonate them, screenshot the QR code and securely share that with them to scan to set up their phone. Obviously, the first 2 situations would be ideal. To set up any of this WebAuthn stuff, see my other video here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-jCwGTLFABYU.html
@DrFluffyNips 3 months ago
Works absolutely perfectly, thanks for the guide! Any idea if there's a way to then remove the password option completely and force the use of a passkey?
@cooptonian 3 months ago
...you can just not select a password stage in your identification stage... you would then just be left with username input and passkey option...
@DrFluffyNips 3 months ago
@cooptonian Perfect, I'll give that a shot, thanks!