From 7086f7a126480f31b7519b0aa293204e30e53ed4 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Tue, 13 Aug 2024 11:59:54 -0300 Subject: [PATCH] Document passkey "upgrade" behavior (#45254) * Document passkey "upgrade" behavior * Grammar/capitalization Co-authored-by: Paul Gottschling --------- Co-authored-by: Paul Gottschling --- .../access-controls/guides/passwordless.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx index f6e58d4605d79..ee373a1215fdd 100644 --- a/docs/pages/admin-guides/access-controls/guides/passwordless.mdx +++ b/docs/pages/admin-guides/access-controls/guides/passwordless.mdx @@ -333,3 +333,14 @@ $ tctl create -f cap.yaml +### Why did my multi-factor authentication (MFA) device become a passkey? + +If your MFA authenticator suddenly started being listed as a passkey, that is +because it was always a passkey. Certain devices or applications (like Chrome or +Safari Touch ID keys) are always created as passkeys, despite instructions from +Teleport. + +If an authenticator replies with the [credProps extension]( +https://w3c.github.io/webauthn/#sctn-authenticator-credential-properties-extension) +during registration, or is used for a successful passwordless login, Teleport +will automatically mark it as a passkey if that wasn't the case before.
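Review bot: In the second added paragraph of the passwordless.mdx hunk, "replies with the credProps extension" understates the condition. The credProps output carries a boolean `rk` property, and only `rk: true` says the credential is discoverable. If the upgrade happens only in that case, the text should say so, for example "reports a discoverable credential through the credProps extension". If any credProps reply triggers the upgrade, the code deserves a second look. The first added paragraph also stops at "it was always a passkey" without saying what changes for the reader in practice. A sentence stating whether the relabelled device can now be used for passwordless login, and where an admin can restrict that if it is unwanted, would make the entry actionable.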