diff --git a/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2 b/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2
index 8f5a5d632..07ae4d939 100644
--- a/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2
+++ b/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2
@@ -6,7 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 {% import "common/sub_schema_values.yaml.j2" as sub_schema_values %}
 enabled: true
-{{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/matrix-authentication-service', tag='1.3.0') }}
+{{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/matrix-authentication-service', tag='1.4.0-rc.1') }}
 
 replicas: 1
 
@@ -59,7 +59,7 @@ syn2mas:
   enabled: false
 
   # Syn2Mas relies on the debug image to copy mas-cli to the matrix-tools container
-  {{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/matrix-authentication-service', tag='1.3.0-debug') | indent(2) }}
+  {{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/matrix-authentication-service', tag='1.4.0-rc.1-debug') | indent(2) }}
   {{- sub_schema_values.labels() | indent(2) -}}
   {{- sub_schema_values.workloadAnnotations() | indent(2) -}}
   {{- sub_schema_values.containersSecurityContext() | indent(2) -}}
diff --git a/charts/matrix-stack/values.yaml b/charts/matrix-stack/values.yaml
index 468515593..059b7bac2 100644
--- a/charts/matrix-stack/values.yaml
+++ b/charts/matrix-stack/values.yaml
@@ -1623,7 +1623,7 @@ matrixAuthenticationService:
 
     ## The tag of the container image to use.
     ## One of tag or digest must be provided.
-    tag: "1.3.0"
+    tag: "1.4.0-rc.1"
 
     ## Container digest to use. Used to pull the image instead of the image tag if set
     ## The tag will still be set as the app.kubernetes.io/version label
@@ -2029,7 +2029,7 @@ matrixAuthenticationService:
 
       ## The tag of the container image to use.
       ## One of tag or digest must be provided.
-      tag: "1.3.0-debug"
+      tag: "1.4.0-rc.1-debug"
 
       ## Container digest to use. Used to pull the image instead of the image tag if set
       ## The tag will still be set as the app.kubernetes.io/version label
diff --git a/docs/advanced.md b/docs/advanced.md
index dadcbd25c..04e220a41 100644
--- a/docs/advanced.md
+++ b/docs/advanced.md
@@ -124,6 +124,22 @@ matrixAuthenticationService:
         some: settings
 ```
 
+While Matrix Authentication Service supports registration tokens, by default they still require users to validate an email address as part of the registration flow. To remove this requirement you can do:
+
+```yml
+matrixAuthenticationService:
+  additional:
+    auth.yaml:
+      config: |
+        account:
+          password_registration_enabled: true
+          registration_token_required: true
+          password_registration_email_required: false
+          password_change_allowed: true
+```
+
+`account.password_registration_email_required` must **never** be set to `false` on a publicly federating deployment without restrictions like `registration_token_required: true` or your deployment will be abused and become a source of spam.
+
 ### Configuring Matrix RTC
 
 Matrix RTC SFU configuration is written in YAML. The documentation can be found [here](https://docs.livekit.io/home/self-hosting/deployment/).
diff --git a/newsfragments/787.changed.md b/newsfragments/787.changed.md
new file mode 100644
index 000000000..a30edc16a
--- /dev/null
+++ b/newsfragments/787.changed.md
@@ -0,0 +1,8 @@
+Update Matrix Authentication Service to v1.4.0.
+
+Highlights:
+* Make it possible to allow password registration without email verification.
+* Add Admin API to finish individual sessions.
+
+Full Changelogs:
+* [v1.4.0](https://github.com/element-hq/matrix-authentication-service/releases/tag/v1.4.0)