Not all types of authenticators offer the same level of security. For example, authentication via email magic link is less secure than using a passkey or authenticator app.

With this in mind, you might want to force your users to use only their most secure authenticators for particularly sensitive actions, e.g. changing their password.

Set up

To achieve this behavior, you can go to the Settings of your desired action and choose which authenticators you want to permit for completing challenges.

This action will only allow users to complete a challenge with a passkey or authenticator app.

The pre-built UI will automatically hide any authenticators that are not permitted for the action.

What happens if a user doesn’t have one of the permitted authenticators?

If a user doesn’t have any of the permitted authenticators, then the pre-built UI will allow them to use their default authenticator to complete the challenge.
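Because of this fallback, the restriction only binds users who have enrolled at least one permitted authenticator. The Python model below is an added example, not the product's code or API: it applies the behaviour described above to constructed enrollment records and lists the users who would still complete the action with a non-permitted default authenticator. The record layout and the authenticator type names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    enrolled: tuple   # authenticator types the user has enrolled (names are assumed)
    default: str      # the user's default authenticator

def offered_authenticators(user, permitted):
    """Model of the described behaviour: offer only the enrolled authenticators
    that are permitted for the action; if the user has none of them, fall back
    to the user's default authenticator."""
    allowed = [a for a in user.enrolled if a in permitted]
    if allowed:
        return allowed, False
    return [user.default], True

def audit_fallback(users, permitted):
    """Return (user_id, authenticator) for every user who would complete the
    action with a default authenticator that is not on the permitted list."""
    findings = []
    for user in users:
        offered, fell_back = offered_authenticators(user, permitted)
        if fell_back:
            findings.append((user.user_id, offered[0]))
    return findings

# Constructed sample data for illustration only.
PERMITTED = {"passkey", "authenticator_app"}
USERS = [
    User("alice", ("passkey", "email_magic_link"), "passkey"),
    User("bob", ("email_magic_link",), "email_magic_link"),
    User("carol", ("authenticator_app", "sms"), "sms"),
    User("dave", ("sms", "email_magic_link"), "sms"),
]

if __name__ == "__main__":
    for user_id, authenticator in audit_fallback(USERS, PERMITTED):
        print(f"{user_id}: would complete the action with {authenticator}")
```

Users reported by the audit are the ones to prompt for passkey or authenticator app enrollment before relying on the restriction for a sensitive action.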

Overriding permitted authenticators with rules

In some advanced scenarios, you might want to override the permitted authenticators more granularly when a specific rule is triggered. When editing a rule, you will see an Advanced settings section where you can configure permitted authenticators. If this rule is triggered, then the challenge can only be completed using the permitted authenticators.