Thanks, very useful indeed! I love your content, please keep it up. Learned so much about Authentik thanks to you, while it's rather difficult to set it up without prior knowledge.
...you're welcome and thanks, I felt the same starting and wished videos like these existed for visual learners as the documentation may not provide the clearest details...
On my home PC this works fine, but on my work PC I only get the "Windows Security - Insert your security key" prompt rather than the "Verify Your Identity" one from Chrome. I can use my YubiKey and it works, but I am unable to use my Pixel phone, or choose any other MFA method.
Just found your channel, definitely a subscriber now!! Wondering if you've tried creating a full passwordless login flow yet? I've been trying and not getting there. I was able to create the MFA with passkey (webauth) but not one that would only ask for the passkey without asking anything else. If you could shine a light on that I'd be eternally grateful!
Thanks, I appreciate it. I haven't attempted passwordless yet... I think it would at least still need to ask for the user though to know what permissions to give to who... So I think username and passkey may be possible, bypassing the password...again, haven't tried...yet.
I assume you are using the native Safari browser; try downloading the Chrome browser and see if that works...some browsers are not completely compatible with WebAuthn.
When logging on at a PC, the prompt notification isn't automatically sent to and received by an iOS device. To initiate, the QR code must always be scanned first, after which, the passkey is sent upon face recognition. Would you know if this is a limitation?
...I tested something like this out for a user in the discord. I have a personal phone (Pixel 8 Pro) and a work phone (iPhone 8). My Pixel immediately receives a prompt for biometrics to authenticate and like you, with my iPhone I have to scan a QR code first, then I get the prompt...so not really sure on that.
Is there a way to use both TOTP and WebAuth for the same user? For example, if you can't login with WebAuth (Firefox users) just choose TOTP? Apparently the one that you set up first becomes the default for that user.
...yes...the user would have to log in, click on their settings (gear icon), click "MFA Devices", and enroll whatever MFA methods they want to use... Then, when the user logs in a list of all the MFA methods they enrolled will be shown and they merely have to pick. A suggestion would be to make your MFA setup flow include setting static recovery tokens.
@@cooptonian omg I was so focused on Admin Interface that I forgot that there is one for the user lol, now it's working perfectly, thank you! I also set up Recovery Tokens for my user (takes a while to login with that but it's the last resource anyway).
For me, the "Windows Security - Insert your security key" prompt is coming up, and when I click cancel on that, then I get a browser prompt with 2 options, "One to use external security key, which takes me back to previous windows security", and "other to login with qr code". I don't see my phone listed as you did. I have successfully enrolled my phone by logging in via my phone and adding it as a security key. I am using Edge on PC.
...you can log in as the affected user (or with the admin account if you can't log in as the user) and remove the device from your MFA enrolled devices and re-enroll from that same menu. Also, did you select the correct option on the phone as I did, the option to "Use this device with screen lock" and not one of the other options that have "security key" in the choice (01:39)? Also, another user asked the same thing and I suggested trying another browser and that worked for him...he was using Edge browser (I use Chrome)
@@cooptonian Interesting. I use Firefox and was having the same problem. But, then I tried Chrome like you said and I was prompted to scan a code with my phone. (Android 12 OS). After granting permissions on my phone it asked me for my thumbprint. Too bad it doesn't work with FF. 😞 Also - is there a way to add self hosted apps that I have in the cloud to my list of apps? i.e. AWS or GCP??
...yeah, unfortunately all browsers don't work I suppose. If you are using Nginx Proxy Manager as I am, then I don't see why not...instead of regular proxy hosts, you'd probably use redirect hosts...
@@ChrisDePasqualeNJ Yea I'm getting the same issue with an iPhone. Just has a QR code option every time. Wouldn't be surprised if iOS didn't allow notifications for webauthn requests like Android though. I'm sure it would work in Safari on MacOS without having to scan the code every time.
@@cooptonian this does not work anymore, I deleted all MFA devices and tried multiple times, the biometric prompt on phone gives only the option to log in with the biometrics and remember the device and that's it, it will work but I always get the stupid "insert USB key" prompt first, when I cancel it then it asks for biometrics. which is hella annoying. any fix for it?
Yes...initially when a user is forced to set one up only the one can be set up (because it detects a method is already set up after that). The user would then log into their account settings and register any other method they want.
Is it possible to do this as a passkey to replace entering passwords? e.g. you just use a fingerprint to verify on a smartphone. No need to type in any passwords.
If you mean to ask the user to enter either/or when logging in...then, yes. If you mean to ask the user to use one AND another...no. To have a choice of more than one the user would need to go into their profile and register another method (if you've set up, allowed for different methods)
@@cooptonian I was hoping you could configure Authentik to force the user to satisfy multiple levels of authentication (MFA) simultaneously and not either one or the other. After all, what's the point of configuring Webauthn authentication if you can only log in via TOTP anyway and vice versa.
...in that case you can maybe create 2 different/separate authentication stages and create a policy to proceed to the 2nd authentication if the first passes... May need to ask in the discord for specifics...
...if I understand correctly the SMS method would be an OTP method as opposed to the time-based ones from an authenticator app like Google Authenticator or Microsoft Authenticator
When I try this I can get it to work when I login from my phone. If I try to login from my computer on chrome I can get the popup to authenticate with my phone, but then I just get "connecting with your device" on my phone screen and it just times out.
...what phone? iPhone, Android? At least for me, my Pixel works flawlessly when it is chosen...when I choose my other phone (iPhone) I am first prompted to scan a QR code then I get a prompt on my iPhone to confirm biometrics. I think this has to do with Pixel being the primary/only device authenticated with Chrome as a passkey...not sure (not sure if you're in the discord, however, someone was having issues themselves and I posted a quick video for them to compare against in the support channel, title: WebAuthn MFA not working on windows but works on android)
@@cooptonian S23 ultra. I can login using my phone fingerprint when using the chrome or firefox app on my phone. If I want to login on my computer, it works using chrome, but not firefox.
That is the nice thing about authentik, you don't need to build that functionality yourself...just put your app behind authentik (proxy it) and use the built-in MFA options.
Hi! When I log in on my mobile and I select the option default-authentication-Webauth-setup it just gives me an error: "Error creating credential: TypeError: undefined is not an object (evaluating 'navigator.credentials.create')" (Using Chrome Browser in iOS)
...I am not sure, but I would try to enroll from a PC's browser, and when prompted to scan, scan with your phone to associate your phone as a passkey. After that, any security key login will prompt for your biometrics on the device you registered/scanned with.
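The TypeError in the comment above is what a page gets when it calls `navigator.credentials.create()` on a browser or origin that does not expose the WebAuthn API at all. As an added example (not code from the video, the commenter, or the Authentik project), this is a pre-flight check a web client can run so an unsupported browser or an insecure (non-https) origin is reported plainly instead of failing inside the enrollment call. The function takes the window-like object as a parameter (an assumption made purely so it can be exercised with constructed stand-ins outside a browser); the stand-in objects at the bottom are constructed test data, not real browser captures.

```javascript
// Added example (not from the video or the comment thread): feature-detect WebAuthn
// before calling navigator.credentials.create(). The window-like object is passed in
// as a parameter so the check can run against constructed stand-ins outside a browser.

function webauthnAvailability(win) {
  // WebAuthn is only exposed on secure contexts (https:// or localhost).
  if (!win.isSecureContext) {
    return { ok: false, reason: 'insecure-context' };
  }
  // PublicKeyCredential is the WebAuthn entry point; it is absent on browsers
  // without WebAuthn support.
  if (typeof win.PublicKeyCredential === 'undefined') {
    return { ok: false, reason: 'no-publickeycredential' };
  }
  // The Credential Management API must be present with a callable create();
  // when it is not, calling navigator.credentials.create() throws the TypeError
  // quoted in the thread.
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds.create !== 'function') {
    return { ok: false, reason: 'no-credentials-api' };
  }
  return { ok: true, reason: 'supported' };
}

// Optional follow-up: ask whether a platform authenticator (screen lock / biometrics,
// the "Use this device with screen lock" choice mentioned in the thread) is available.
// Resolves to false whenever the basic API check fails.
async function platformAuthenticatorAvailable(win) {
  const check = webauthnAvailability(win);
  if (!check.ok) return false;
  const pkc = win.PublicKeyCredential;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') return false;
  return pkc.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Constructed stand-ins (assumed shapes, not captured from real browsers).
const browserWithoutWebAuthn = { isSecureContext: true, navigator: {} };
const browserOverHttp = {
  isSecureContext: false,
  PublicKeyCredential: function () {},
  navigator: { credentials: { create() {} } },
};
const supportedBrowser = {
  isSecureContext: true,
  PublicKeyCredential: { isUserVerifyingPlatformAuthenticatorAvailable: async () => true },
  navigator: { credentials: { create: async () => ({}) } },
};

// In a real page you would pass the global window object.
if (typeof window !== 'undefined') {
  console.log(webauthnAvailability(window));
}
```

Run `webauthnAvailability(window)` before starting enrollment and show the `reason` to the user when `ok` is false; a page that does this turns the raw TypeError into a message that says whether the problem is the browser, the origin, or the device.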
Please help me, I want to configure my hardware Yubikey but it does not work :( please could you make a video on how to configure a Yubikey device with authentik on Windows 10
I was already able to configure Yubikey with authentik, but there is a detail: this only lets you enter if you have entered a username and password, but the idea is not to enter that data. I would like it to only be Yubikey, but it gives an error. Any ideas?
see my other video on Passwordless login: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-aEpT2fYGwLw.html I don't have a Yubikey myself to test and confirm...but if it works like the other WebAuthn devices, you would just need to click on the "Use a security key" option to login...