Alternative Authentication Methods

(% match primary_state %) (% when CUCredState::Modifiable %) If possible, passkeys should be used instead, as they are phishing and exploit resistant. (% when CUCredState::DeleteOnly %) If possible, passkeys should be used instead, as they are phishing and exploit resistant.
Account policy prevents you from modifying these credentials, but you may remove them. (% when CUCredState::AccessDeny %) You do not have access to modify these credentials. (% when CUCredState::PolicyDeny %) Account policy prevents you from setting these credentials. (% endmatch %)

(% if matches!(primary_state, CUCredState::Modifiable) %)
(% match primary %) (% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::Password }) %)
Password
Time-based One Time Password (TOTP)

TOTPs are 6-digit codes generated on demand as a second authentication factor.

(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::PasswordMfa(totp_set, _security_key_labels, _backup_codes_remaining)}) %)
Password
Time-based One Time Password (TOTP)

TOTPs are 6-digit codes generated on demand as a second authentication factor.

Registered authenticators:

(% for totp in totp_set %)
  • (( totp ))
(% endfor %)
(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::GeneratedPassword }) %)
Password

In order to set up alternative authentication methods, you must delete the generated password.

(% when Some(CredentialDetail { uuid, type_: kanidm_proto::internal::CredentialDetailType::Passkey(_) }) %)

WebAuthn Only - Will migrate to passkeys in a future update

(% when None %)
(% endmatch %)
(% else if matches!(primary_state, CUCredState::DeleteOnly) %)
(% endif %)