Skip to content

feat: document DeviceAuthn #2447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
gaultier wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

feat: document DeviceAuthn #2447

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
dd08a71
wip docs
gaultier Mar 5, 2026
d895490
fix sidebar
gaultier Mar 5, 2026
fa62a46
[wip]
gaultier Mar 5, 2026
726fcb8
docs
gaultier Mar 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/kratos/concepts/credentials.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Ory Kratos supports several credential types:
- `webauthn`: The same technology as Passkeys used as a second factor.
- `totp`: Time-based one-time passwords generated by authenticator apps, used as a second factor.
- `lookup_secret`: One-time codes used as a recovery mechanism for 2FA when the primary second factor is unavailable.
- `deviceauthn`: Passwordless authentication where the private key is hardware-resident on the user's device.

Each credential - regardless of its type - has one or more identifiers attached to it. Each identifier is universally unique.
Assuming we had one identity with credentials
Expand Down
6 changes: 5 additions & 1 deletion docs/kratos/mfa/01_overview.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ Nowadays, many of the passwords in use can be easily compromised because:
- They are considered "weak" because they are short, have obvious, derivable patterns, or contain easy-to-guess character strings.

By enabling two-factor authentication in your project, you introduce an additional verification step that can protect user login
or self-service actions, such as updating account information or credentials, from malicious actors.
or self-service actions, such as updating account information or credentials, from malicious actors.
For example, you might decide to require a user to log in with two factors right at the start of the session. Alternatively, you
could allow the user to start the session by logging in with the first factor and only require the second factor at the point
where the user is about to perform a security-sensitive operation. Read more about dynamic MFA in the
Expand Down Expand Up @@ -48,6 +48,10 @@ authentication method. They can be used to complete the second factor when users
SMS for MFA sends a one-time password to the user's registered mobile phone number via text message. Read the
[Code via SMS](../../../docs/kratos/mfa/mfa-via-sms) documentation to learn more.

### Device binding

Passwordless authentication where the private key is hardware-resident on the user's device. Read the [Device binding](../passwordless/08_deviceauthn.mdx) documentation to learn more.

## Terminology

Learn more about the terms and concepts used when talking about 2FA in Ory.
Expand Down
Loading
Loading