Security
Enterprise-grade security features including MFA, passkeys, session management, and break glass procedures.
Multi-Factor Authentication
AccessIQ supports multiple MFA methods to match your security requirements:
TOTP
Time-based one-time passwords via authenticator apps
SMS OTP
One-time codes sent via SMS
Email OTP
One-time codes sent via email
Passkeys
FIDO2/WebAuthn passwordless authentication
Passkeys & WebAuthn
Enable passwordless authentication with FIDO2/WebAuthn:
Enable Passkey Registration (TypeScript)
// Start passkey registration for the signed-in user
// (session.userId comes from your application's own session state)
const response = await fetch('/api/auth/passkey/register', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ userId: session.userId })
})
const options = await response.json()

// Create credential using the WebAuthn API.
// navigator.credentials.create() requires challenge and user.id as ArrayBuffers; if the
// server returns them base64url-encoded (the WebAuthn JSON form), decode them first,
// e.g. with PublicKeyCredential.parseCreationOptionsFromJSON(options.publicKey).
const credential = await navigator.credentials.create({
  publicKey: options.publicKey
})

// Verify and store credential
// (serializeCredential is a helper, not shown here, that base64url-encodes the
// credential's ArrayBuffer fields so the object can be sent as JSON)
await fetch('/api/auth/passkey/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    credential: serializeCredential(credential)
  })
})

Supported Authenticators
AccessIQ supports Touch ID, Face ID, Windows Hello, YubiKeys, and other FIDO2-compliant authenticators.
MFA Policies
Configure MFA requirements at the organization or role level:
Configure MFA Policy (bash)
curl -X PUT https://api.accessiq.io/v1/organizations/acme-corp/settings \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "security": {
      "requireMfa": true,
      "allowedMfaMethods": ["totp", "passkey"],
      "mfaGracePeriod": 604800,
      "requireMfaForRoles": ["admin", "owner"]
    }
  }'

Session Management
Control user sessions with flexible policies:
Session Settings (TypeScript)
interface SessionSettings {
  // Session duration
  sessionTimeout: number        // Max session duration (seconds)
  idleTimeout: number           // Inactivity timeout (seconds)

  // Concurrent sessions
  maxConcurrentSessions: number // Max active sessions per user
  singleSessionMode: boolean    // Force single session

  // Session controls
  allowRememberMe: boolean      // Enable "Remember me"
  rememberMeDuration: number    // Extended session duration

  // Security
  rotateTokenOnRefresh: boolean // Issue new token on refresh
  bindToIp: boolean             // Bind session to IP address
  bindToDevice: boolean         // Bind session to device fingerprint
}

View Active Sessions
List User Sessions (bash)
curl "https://api.accessiq.io/v1/users/user_123/sessions" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response
{
  "sessions": [
    {
      "id": "sess_abc123",
      "device": "Chrome on macOS",
      "ip": "192.168.1.100",
      "location": "San Francisco, CA",
      "createdAt": "2024-01-15T10:30:00Z",
      "lastActive": "2024-01-15T14:25:00Z",
      "current": true
    }
  ]
}

Break Glass Procedures
Emergency access procedures with full audit trails:
Request Break Glass Access (bash)
curl -X POST https://api.accessiq.io/v1/break-glass \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "user_123",
    "reason": "Production incident - need admin access to investigate",
    "duration": 3600,
    "permissions": ["admin:read", "logs:read"],
    "notifyAdmins": true
  }'

Audit & Review
All break glass access is logged and requires mandatory review. Access automatically expires after the specified duration.
Trusted Networks
Configure IP-based access restrictions:
Configure Trusted Networks (bash)
curl -X PUT https://api.accessiq.io/v1/organizations/acme-corp/settings \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "security": {
      "trustedNetworks": [
        {
          "name": "Corporate Office",
          "cidr": "203.0.113.0/24",
          "skipMfa": true
        },
        {
          "name": "VPN",
          "cidr": "10.0.0.0/8",
          "skipMfa": false
        }
      ],
      "blockUnknownNetworks": false
    }
  }'
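The following is an added example, not AccessIQ's own code, showing how the trusted-network and MFA policy settings above combine at login time: it matches a client IP against the configured CIDRs and returns whether the login is allowed and whether an MFA challenge is still due. It assumes IPv4 only and reads the meaning of skipMfa and blockUnknownNetworks from the field names; the function and type names are hypothetical.

```typescript
// Added example, not AccessIQ's own code: evaluates the trustedNetworks and
// blockUnknownNetworks settings shown above against a client IP. IPv4 only; the
// meaning of skipMfa and blockUnknownNetworks is inferred from the field names.
interface TrustedNetwork { name: string; cidr: string; skipMfa: boolean }
interface NetworkSettings { requireMfa: boolean; trustedNetworks: TrustedNetwork[]; blockUnknownNetworks: boolean }
interface NetworkDecision { allowed: boolean; mfaRequired: boolean; matchedNetwork: string | null }

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.trim().split('.')
  if (parts.length !== 4) return null
  let value = 0
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null
    value = value * 256 + Number(part)
  }
  return value
}

// True when ip lies inside cidr ("203.0.113.0/24"; a bare address means /32).
// Malformed addresses or prefixes never match, so bad input fails closed.
function ipInCidr(ip: string, cidr: string): boolean {
  const [base, prefixStr] = cidr.split('/')
  const addr = ipv4ToInt(ip), net = ipv4ToInt(base)
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr)
  if (addr === null || net === null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) return false
  if (prefix === 0) return true
  const mask = (0xffffffff << (32 - prefix)) >>> 0
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0)
}

// Decide whether a login from clientIp is allowed and whether an MFA challenge is due.
// clientIp must be the address your edge actually observed, not a client-supplied
// X-Forwarded-For header; otherwise any caller could claim a skipMfa network.
function evaluateNetworkPolicy(settings: NetworkSettings, clientIp: string): NetworkDecision {
  const match = settings.trustedNetworks.find(n => ipInCidr(clientIp, n.cidr))
  if (!match) return { allowed: !settings.blockUnknownNetworks, mfaRequired: settings.requireMfa, matchedNetwork: null }
  return { allowed: true, mfaRequired: settings.requireMfa && !match.skipMfa, matchedNetwork: match.name }
}

// Constructed sample mirroring the settings in the curl call above.
const sampleSettings: NetworkSettings = {
  requireMfa: true,
  trustedNetworks: [
    { name: 'Corporate Office', cidr: '203.0.113.0/24', skipMfa: true },
    { name: 'VPN', cidr: '10.0.0.0/8', skipMfa: false },
  ],
  blockUnknownNetworks: false,
}
```

With the sample settings, a login from 203.0.113.42 is allowed without MFA, one from 10.20.30.40 is allowed but still challenged, and an unparseable address is treated as an unknown network.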