diff --git a/docs/kratos/passwordless/05_passkeys.mdx b/docs/kratos/passwordless/05_passkeys.mdx index 6d2dcad5c1..469045f952 100644 --- a/docs/kratos/passwordless/05_passkeys.mdx +++ b/docs/kratos/passwordless/05_passkeys.mdx 
@@ -111,6 +111,65 @@ Alternatively, use the Ory CLI to enable the passkey strategy: ``` +### Advanced configuration + +The passkey strategy exposes additional options that control the WebAuthn ceremony. All options are optional. Defaults accept +every standards-compliant passkey, so existing deployments do not need to change anything. + +| Option | Type | Default | What it controls | +| ------------------------------------------- | -------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `authenticator_selection.attachment` | string | _unset_ | Restricts eligible authenticators by attachment modality: `"platform"` (Touch ID, Windows Hello) or `"cross-platform"` (HID tokens, YubiKeys). Omit this field to accept either type. | +| `authenticator_selection.resident_key` | string | `"required"` | Whether the authenticator must create a client-side discoverable credential: `"required"`, `"preferred"`, or `"discouraged"`. | +| `authenticator_selection.user_verification` | string | `"preferred"` | Whether biometrics or a PIN are required: `"required"`, `"preferred"`, or `"discouraged"`. | +| `attestation.preference` | string | `"none"` | Attestation conveyance preference sent to the authenticator: `"none"`, `"indirect"`, `"direct"`, or `"enterprise"`. | +| `timeouts.registration` | duration | library default (5m) | Timeout for the registration ceremony. Use Go duration format, for example `"60s"` or `"5m"`. | +| `timeouts.login` | duration | library default (5m) | Timeout for the login ceremony. Use Go duration format. 
| + +The following example configures cross-platform authenticators (such as a HID token or YubiKey) with required user verification: + +```mdx-code-block + + + {`ory patch identity-config \\ + --add '/selfservice/methods/passkey/config/authenticator_selection/attachment="cross-platform"' \\ + --add '/selfservice/methods/passkey/config/authenticator_selection/user_verification="required"' +`} + + + + {`selfservice: + methods: + passkey: + enabled: true + config: + authenticator_selection: + attachment: cross-platform + user_verification: required`} + + + {`selfservice: + methods: + passkey: + enabled: true + config: + rp: + display_name: Your Application name + id: localhost + origins: + - http://localhost:4455 + authenticator_selection: + attachment: cross-platform + resident_key: required + user_verification: required + attestation: + preference: none + timeouts: + registration: 5m + login: 5m`} + + +``` + ### Identity schema If you want to use a custom identity schema, you must define which field of the identity schema is the display name for the
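Review bot: the `authenticator_selection.user_verification` row of the new options table describes the setting as "Whether biometrics or a PIN are required", but only `"required"` makes the relying party reject a credential whose authenticator data lacks the UV flag; `"preferred"` and `"discouraged"` are hints the authenticator may ignore, so under the documented default of `"preferred"` a registration or login can complete without any biometric or PIN and still be accepted. Suggest rewording the row along the lines of "Whether the authenticator must verify the user with a biometric or PIN: `"required"` rejects credentials without user verification, `"preferred"` requests it but accepts either, `"discouraged"` asks the authenticator to skip it", and adding a sentence after the table that deployments which rely on user verification as a security property must set `"required"` (the worked example does this, but the prose never says why). The same wording issue applies to the `resident_key` row, where only `"required"` actually demands a discoverable credential. Separately, the section does not say whether a tightened `authenticator_selection` (for example `attachment: cross-platform` from the example) is applied to credentials registered before the change or only governs new registrations; one sentence clarifying that would keep readers from assuming a config change retroactively invalidates existing platform passkeys.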