Authentication & MFA

Passkeys, trusted devices, and session hardening

Nexus uses four-layer MFA on the enterprise path:

  1. Passkeys (WebAuthn): primary passwordless login
  2. Device trust: known device ring
  3. Behavioral attestation: zero-knowledge session signals
  4. Continuous session scoring: runtime risk adjustment

Passkey registration

POST /api/mfa/passkey/register
POST /api/mfa/passkey/register/verify
POST /api/mfa/passkey/authenticate
POST /api/mfa/passkey/authenticate/verify

Dashboard users complete MFA via /api/auth/mfa-complete when step-up is required.

Session scoring (simplified)

score < 60  → step-up auth required
score < 30  → session lock / re-authenticate

This keeps day-to-day friction low while resisting account takeover.
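The example below is added to this page and is not Nexus code. It models the server side of the four passkey endpoints above (a challenge bound to one session and one purpose, expiring and consumed on first use) together with the two session-score thresholds. The WebAuthn assertion is replaced by a toy HMAC stand-in; the method-to-route mapping, the 120-second challenge lifetime and the session/user names are assumptions.

```python
"""Added example (not Nexus code): challenge lifecycle behind the passkey
endpoints and the session-score thresholds.  The HMAC "proof" is a toy
stand-in for the authenticator's WebAuthn signature; TTL and names are
assumptions."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_S = 120      # assumed challenge lifetime
STEP_UP_THRESHOLD = 60     # page: score < 60 -> step-up auth required
LOCK_THRESHOLD = 30        # page: score < 30 -> session lock / re-authenticate


def session_action(score: int) -> str:
    """Map a continuous session score to an action.  The lock check runs
    first because every locked score also satisfies the step-up condition."""
    if score < LOCK_THRESHOLD:
        return "lock"
    if score < STEP_UP_THRESHOLD:
        return "step_up"          # client continues at /api/auth/mfa-complete
    return "allow"


def toy_authenticator_sign(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the authenticator's assertion over the server challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class PasskeyCeremonies:
    """Server state for the register/authenticate ceremonies (assumed layout)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # session_id -> (purpose, challenge, issued_at)
        self._credentials = {}   # user -> {credential_id: authenticator_secret}

    def _issue(self, session_id: str, purpose: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[session_id] = (purpose, challenge, self._clock())
        return challenge

    def _consume(self, session_id: str, purpose: str):
        # pop() makes the challenge single-use even when verification fails,
        # so a captured response cannot be replayed against the same session.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return None
        got_purpose, challenge, issued_at = entry
        if got_purpose != purpose or self._clock() - issued_at > CHALLENGE_TTL_S:
            return None
        return challenge

    # POST /api/mfa/passkey/register
    def register_begin(self, session_id: str) -> bytes:
        return self._issue(session_id, "register")

    # POST /api/mfa/passkey/register/verify
    def register_verify(self, session_id, user, credential_id, secret, proof) -> bool:
        challenge = self._consume(session_id, "register")
        if challenge is None:
            return False
        if not hmac.compare_digest(toy_authenticator_sign(secret, challenge), proof):
            return False
        self._credentials.setdefault(user, {})[credential_id] = secret
        return True

    # POST /api/mfa/passkey/authenticate
    def authenticate_begin(self, session_id: str) -> bytes:
        return self._issue(session_id, "authenticate")

    # POST /api/mfa/passkey/authenticate/verify
    def authenticate_verify(self, session_id, user, credential_id, proof) -> bool:
        challenge = self._consume(session_id, "authenticate")
        secret = self._credentials.get(user, {}).get(credential_id)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(toy_authenticator_sign(secret, challenge), proof)


if __name__ == "__main__":
    srv = PasskeyCeremonies()
    key = b"constructed-authenticator-secret"     # constructed sample value
    ch = srv.register_begin("sess-1")
    print("registered:", srv.register_verify("sess-1", "alice", "cred-1", key,
                                             toy_authenticator_sign(key, ch)))
    ch = srv.authenticate_begin("sess-1")
    print("authenticated:", srv.authenticate_verify("sess-1", "alice", "cred-1",
                                                    toy_authenticator_sign(key, ch)))
    print("score 55 ->", session_action(55))
```

The two properties worth checking in a real deployment are the ones the block enforces: a challenge minted by /register cannot be replayed against /authenticate/verify, and a second submission of the same response fails even when the first one succeeded.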

API platform

Programmatic access uses API keys, not sessions. See API keys. Keys do not bypass tenant scope or policy gates on agent execution.