Security
Authentication — secure auth with passkeys & MFA
Kreo ships production-grade authentication so you don't have to build it. Passwords are bcrypt-hashed, users can enrol passwordless passkeys (WebAuthn) and TOTP two-factor authentication (MFA), and sessions are signed and managed for you.
Passkeys (WebAuthn)
Let users sign in with a passkey — Face ID, Touch ID or a security key — instead of a password. Passkeys are phishing-resistant and bound to your domain.
Multi-factor authentication (MFA)
Enrol a TOTP authenticator app for a second factor. A half-authenticated challenge token is issued first and only exchanged for a full session once the code checks out.
Brute-force protection
Failed logins feed the same anomaly engine as the API: per-IP and per-account rate limits, plus automatic banning of abusive networks across the whole platform.