Kreo/Docs/Security
Security

Authentication — secure auth with passkeys & MFA

Kreo ships production-grade authentication so you don't have to build it. Passwords are bcrypt-hashed, users can enrol passwordless passkeys (WebAuthn) and TOTP two-factor authentication (MFA), and sessions are signed and managed for you.

Passkeys (WebAuthn)

Let users sign in with a passkey — Face ID, Touch ID or a security key — instead of a password. Passkeys are phishing-resistant and bound to your domain.

Multi-factor authentication (MFA)

Enrol a TOTP authenticator app for a second factor. A half-authenticated challenge token is issued first and only exchanged for a full session once the code checks out.

Brute-force protection

Failed logins feed the same anomaly engine as the API: per-IP and per-account rate limits, plus automatic banning of abusive networks across the whole platform.

Start building — freeAll documentation