docs(kratos): document passkey advanced configuration options

jhickmanit · jhickmanit · commit 6275bf839e9b · 2026-04-21T08:45:25.000-07:00
Add an 'Advanced configuration' section under the dedicated passkey
strategy that documents:

- authenticator_selection (attachment, require_resident_key, user_verification)
- attestation (preference, allow_none, allow_self, allow_untrusted)
- timeouts (registration, login)

Include a warning admonition explaining that disabling
attestation.allow_none rejects most consumer passkeys, and add a
three-tab example (Ory CLI, Ory Network, self-hosted Kratos) showing
cross-platform attachment with required user verification.
diff --git a/docs/kratos/passwordless/05_passkeys.mdx b/docs/kratos/passwordless/05_passkeys.mdx
@@ -111,6 +111,81 @@ Alternatively, use the Ory CLI to enable the passkey strategy:
 </Tabs>
 ```
 
+### Advanced configuration
+
+The passkey strategy exposes additional options that control the WebAuthn ceremony and post-registration policy. All options are
+optional. Defaults match the behavior before these options were introduced, so existing deployments do not need to change
+anything.
+
+| Option                                         | Type     | Default              | What it controls                                                                                                                          |
+| ---------------------------------------------- | -------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| `authenticator_selection.attachment`           | string   | `"platform"`         | Which authenticators are eligible: `"platform"` (Touch ID, Windows Hello), `"cross-platform"` (security keys), or `""` for no preference. |
+| `authenticator_selection.require_resident_key` | boolean  | `true`               | Whether the authenticator must create a client-side discoverable credential.                                                              |
+| `authenticator_selection.user_verification`    | string   | `"preferred"`        | Whether biometrics or a PIN are required: `"required"`, `"preferred"`, or `"discouraged"`.                                                |
+| `attestation.preference`                       | string   | `"none"`             | Attestation conveyance preference sent to the authenticator: `"none"`, `"indirect"`, `"direct"`, or `"enterprise"`.                       |
+| `attestation.allow_none`                       | boolean  | `true`               | Accept passkeys that provide no attestation statement. Most consumer passkeys, including iOS, use none attestation.                       |
+| `attestation.allow_self`                       | boolean  | `true`               | Accept passkeys that provide a self-signed attestation statement with no external certificate authority.                                  |
+| `attestation.allow_untrusted`                  | boolean  | `true`               | Accept passkeys whose attestation certificate chain has no trusted root.                                                                  |
+| `timeouts.registration`                        | duration | library default (5m) | Timeout for the registration ceremony. Use Go duration format, for example `"60s"` or `"5m"`.                                             |
+| `timeouts.login`                               | duration | library default (5m) | Timeout for the login ceremony. Use Go duration format.                                                                                   |
+
+:::warning
+
+Disabling `attestation.allow_none` rejects most consumer passkeys. iOS does not support attestation at all, and Android and
+Windows support it inconsistently. Only restrict attestation if your deployment requires attested authenticators, such as
+FIDO-certified security keys in a regulated environment. The default configuration allows all attestation types so that any
+standards-compliant passkey can register.
+
+:::
+
+The following example configures cross-platform authenticators (such as a HID token or YubiKey) with required user verification:
+
+```mdx-code-block
+<Tabs>
+  <TabItem value="cli" label="Ory CLI">
+    <CodeBlock language="shell">{`ory patch identity-config <your-project-id> \\
+  --add '/selfservice/methods/passkey/config/authenticator_selection/attachment="cross-platform"' \\
+  --add '/selfservice/methods/passkey/config/authenticator_selection/user_verification="required"'
+`}
+    </CodeBlock>
+  </TabItem>
+  <TabItem value="network" label="Ory Network" default>
+    <CodeBlock language="yaml" title="config.yml">{`selfservice:
+  methods:
+    passkey:
+      enabled: true
+      config:
+        authenticator_selection:
+          attachment: cross-platform
+          user_verification: required`}</CodeBlock>
+  </TabItem>
+  <TabItem value="self-hosted" label="Self-hosted Ory Kratos" default>
+    <CodeBlock language="yaml" title="config.yml">{`selfservice:
+  methods:
+    passkey:
+      enabled: true
+      config:
+        rp:
+          display_name: Your Application name
+          id: localhost
+          origins:
+            - http://localhost:4455
+        authenticator_selection:
+          attachment: cross-platform
+          require_resident_key: true
+          user_verification: required
+        attestation:
+          preference: none
+          allow_none: true
+          allow_self: true
+          allow_untrusted: true
+        timeouts:
+          registration: 5m
+          login: 5m`}</CodeBlock>
+  </TabItem>
+</Tabs>
+```
+
 ### Identity schema
 
 If you want to use a custom identity schema, you must define which field of the identity schema is the display name for the
