Password stage

This is a generic password prompt which authenticates the current pending_user. This stage allows the selection of the source the user is authenticated against.

To achieve a "passwordless" experience; authenticating users based only on TOTP/WebAuthn/Duo, create an expression policy and optionally skip the password stage.

Depending on what kind of device you want to require the user to have:

WebAuthn

from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
return WebAuthnDevice.objects.filter(user=request.user, confirmed=True).exists()

Duo

from authentik.stages.authenticator_duo.models import DuoDevice
return DuoDevice.objects.filter(user=request.user, confirmed=True).exists()

Afterwards, bind the policy you've created to the stage binding of the password stage.

Make sure to uncheck Evaluate on plan and check Re-evaluate policies, otherwise an invalid result will be cached.

Passwordless login​

WebAuthn​

Duo​

Passwordless login

WebAuthn

Duo