Mention WebAuthn in the docs

docs/installation-and-operations/configuration/README.md

@@ -424,7 +424,7 @@ OPENPROJECT_OVERRIDE__BCRYPT__COST__FACTOR="16"
 
 ## Database configuration and SSL
 
-Please see [this separate guide](./database/) on how to set a custom database connection string and optionally, require SSL/TTLS verification. 
+Please see [this separate guide](./database/) on how to set a custom database connection string and optionally, require SSL/TTLS verification.
 
 ## disable password login
 
@@ -589,7 +589,7 @@ You can optionally enable additional rules on API rate limiting as follows:
 
 `OPENPROJECT_RATE_LIMITING_API__V3=true`
 
-Additional application-level rate limiting rules will be added in the future. Additionally to these application level rules, use your load balancer / proxying web server to apply individual rate limiting rules using modules such as `ngx_http_limit_req_module` or `mod_security`. 
+Additional application-level rate limiting rules will be added in the future. Additionally to these application level rules, use your load balancer / proxying web server to apply individual rate limiting rules using modules such as `ngx_http_limit_req_module` or `mod_security`.
 
 ### Blacklisted routes
 
@@ -758,7 +758,7 @@ OPENPROJECT_2FA_ENFORCED="true"
 
 **Setting available strategies**
 
-By default, the TOTP strategy for phone authenticator apps is active.
+By default, the TOTP and WebAuthn strategie are active.
 
 If you have a [MessageBird account](https://www.messagebird.com/), you can setup a SMS 2FA by activating that strategy like so:
 

docs/security-and-privacy/statement-on-security/README.md

@@ -80,7 +80,7 @@ Admins can set a specific session duration in the system administration, so that
 
 ### Two-factor authentication
 
-Secure your authentication mechanisms with a second factor by TOTP standard (or SMS, depending on your instance) to be entered by users upon logging in.
+Secure your authentication mechanisms with a second factor by TOTP and WebAuthn standards (or SMS, depending on your instance) to be provided by users upon logging in.
 
 ### Security badge
 

docs/system-admin-guide/authentication/two-factor-authentication/README.md

@@ -36,8 +36,14 @@ By default, the allowed clock skew (difference in seconds between client and ser
 If you are trying to register a new device and keep getting failures even though the code appears correct,
 time drift between the device and the server is most likely the reason for it.
 
+## Basic 2FA using WebAuthn
+
+[WebAuthn](https://www.w3.org/TR/2019/REC-webauthn-1-20190304/) is a W3C standard for authentication on the web. It uses private-public key cryptography to verify the users identity. The private key is either secured on a hardware token or within the browser or a password manager.
+
+WebAuthn is supported by most modern browsers and is therefore enabled by default in OpenProject when 2FA is enabled.
+
 ## Advanced 2FA using MessageBird, Amazon SNS
 
-At the moment the advanced settings for improved security are only reachable on the by defining [configuration variables](../../../installation-and-operations/configuration/).
+At the moment the advanced settings for improved security are only reachable by defining [configuration variables](../../../installation-and-operations/configuration/).
 
-The how to is explained in the  configuration is explained in the [Two-factor authentication](../../../installation-and-operations/configuration/#two-factor-authentication) paragraph.
+Those methods are explained in the [Two-factor authentication](../../../installation-and-operations/configuration/#two-factor-authentication) paragraph.