Alternative Authentication Methods

(% match primary_state %) (% when CUCredState::Modifiable %) If possible, passkeys should be used instead, as they are phishing and exploit resistant. (% when CUCredState::DeleteOnly %) If possible, passkeys should be used instead, as they are phishing and exploit resistant.
Account policy prevents you from modifying these credentials, but you may remove them. (% when CUCredState::AccessDeny %) You do not have access to modify these credentials. (% when CUCredState::PolicyDeny %) Account policy prevents you from setting these credentials. (% endmatch %)

(% if matches!(primary_state, CUCredState::Modifiable) %) (% match primary %) (% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::Password }) %)
Password

Time-based One Time Password (TOTP)

TOTPs are 6-digit codes generated on demand as a second authentication factor.


(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::PasswordMfa(totp_set, _security_key_labels, _backup_codes_remaining)}) %)
Password

Time-based One Time Password (TOTP)

TOTPs are 6-digit codes generated on demand as a second authentication factor.

(% for totp in totp_set %) (% endfor %)


(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::GeneratedPassword }) %)
Password

In order to set up alternative authentication methods, you must delete the generated password.

(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::Passkey(_) }) %)

WebAuthn Only - Will migrate to passkeys in a future update

(% when None %) (% endmatch %) (% else if matches!(primary_state, CUCredState::DeleteOnly) %)

(% endif %)