Authentication & MFA
Passkeys, trusted devices, and session hardening
Nexus uses four-layer MFA on the enterprise path:
- Passkeys (WebAuthn): primary passwordless login
- Device trust: known device ring
- Behavioral attestation: zero-knowledge session signals
- Continuous session scoring: runtime risk adjustment
Passkey registration
POST /api/mfa/passkey/register
POST /api/mfa/passkey/register/verify
POST /api/mfa/passkey/authenticate
POST /api/mfa/passkey/authenticate/verify
Dashboard users complete MFA via /api/auth/mfa-complete when step-up is required.
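The four endpoints above form two WebAuthn ceremonies (begin, then verify). The following is an added example of the server-side checks behind such a begin/verify pair; it is not Nexus code, and the relying-party ID, origin and session/user identifiers are assumed. It covers both registration (`webauthn.create`) and authentication (`webauthn.get`) and omits attestation/assertion signature verification, which a real deployment delegates to a WebAuthn library.

```python
import base64, hashlib, json, secrets

RP_ID = "nexus.example"            # assumed relying-party ID
ORIGIN = "https://nexus.example"   # assumed allowed browser origin

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class PasskeyCeremony:
    """Server side of a begin/verify endpoint pair (constructed model)."""
    def __init__(self, kind: str):
        assert kind in ("create", "get")
        self.kind = kind                  # registration or authentication
        self.pending = {}                 # session id -> one-time challenge

    def begin(self, session_id: str, user_id: bytes) -> dict:
        chal = secrets.token_bytes(32)    # fresh, unpredictable, per session
        self.pending[session_id] = chal
        return {"rp": {"id": RP_ID}, "user": {"id": b64url(user_id)},
                "challenge": b64url(chal)}

    def verify(self, session_id: str, client_data_json: bytes, auth_data: bytes):
        chal = self.pending.pop(session_id, None)   # consume: no replay
        if chal is None:
            return False, "no pending challenge"
        cd = json.loads(client_data_json)
        if cd.get("type") != f"webauthn.{self.kind}":
            return False, "wrong ceremony type"
        if cd.get("origin") != ORIGIN:              # blocks phishing origins
            return False, "origin mismatch"
        if not secrets.compare_digest(unb64url(cd.get("challenge", "")), chal):
            return False, "challenge mismatch"
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        flags = auth_data[32]
        if not flags & 0x01:                        # UP: user presence
            return False, "user presence not set"
        if self.kind == "create" and not flags & 0x40:   # AT: credential data
            return False, "no attested credential data"
        return True, "ok"

def simulate_client(opts: dict, kind: str, flags: int = 0x41):
    """Constructed authenticator response for the options returned by begin()."""
    cd = json.dumps({"type": f"webauthn.{kind}", "origin": ORIGIN,
                     "challenge": opts["challenge"]}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + b"\x00" * 4
    return cd, auth_data
```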
Session scoring (simplified)
score < 60 → step-up auth required
score < 30 → session lock / re-authenticate
This keeps day-to-day friction low while resisting account takeover.
API platform
Programmatic access uses API keys, not sessions. See API keys. Keys do not bypass tenant scope or policy gates on agent execution.