Securely enroll webauthn device

[Oneel77]

Hi everyone,
What is the recommended way to securely enroll WebAuthn devices in Authentik to enable passwordless authentication for already existing ldap users, without exposing only the traditional password login page at any moment?
Additionally, how can we restrict this enrollment process to a specific group of users only?

Thanks in advance!

[ImmanuelVonNeumann]

without exposing only the traditional password login page at any moment?

Unless an administrator pre-configures said 2FA device there is no easy way to facilitate this and it is not customary to do so unless in an incredibly highly restricted environment.

The easier alternative is to force users to register a WebAuthn device as soon as possible.
To facilitate this just add an Authenticator Validation Stage to your authorization- (or even authentication-) flow with Not configured action set to Force the user to configure an authenticator.

You can even write a flow with an expression policy so it only requires the 2FA setup for certain users (f.e. those with high privileges).
(To do this, only enter the previously mentioned Authenticator Validation Stage if the user meets your conditions.

If you really do need to have every user registered with a WebAuthn device instantly I suggest restricting login using an expression policy to users that have a device enrolled. This way an authentik administrator could add an authenticator by impersonating the user through authentik's built-in impersonation feature and add their authenticator.

[Oneel77]

Thank you, it makes sense.
I also think about invitation in the enrolment flow to ensure it is the right user that enrol a webauthn device.