qbflow Sign-in · enterprise
Draft UI — phishing-resistant sign-in (passkey), recovery, trusted devices · app ships Russian; this draft is English for review

Sign-in scenarios

Related screens

Account recovery
Backup codes are issued when you register a key — shown once, stored hashed:
4f2a-91c8 · 7d10-3b6e · a8c4-22f1 · 0e95-7a3d
"Lost my key / phone" → password + a backup code. At least 2 sign-in methods are required, so losing one never locks you out.
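One way the server side of "shown once, stored hashed" could look, as an added example that is not qbflow's code. An 8-hex-digit code carries only 32 bits, so it uses a salted slow hash instead of a bare digest and removes a code on first use. The function names, record layout and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise what the user typed: case and the dash are not secret.
    normalized = code.replace("-", "").strip().lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ITERATIONS)


def issue_backup_codes(count: int = 4):
    """Return (codes to display once, record to persist). Plaintext is never stored."""
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(4)  # 8 hex digits, as in the draft screen
        codes.append(f"{raw[:4]}-{raw[4:]}")
    record = {"salt": salt, "hashes": [_digest(c, salt) for c in codes]}
    return codes, record


def redeem_backup_code(record: dict, candidate: str) -> bool:
    """Consume one code. True on first use, False for a wrong or reused code."""
    digest = _digest(candidate, record["salt"])
    matched = None
    for i, stored in enumerate(record["hashes"]):
        # Constant-time compare; scan every entry so timing does not reveal position.
        if hmac.compare_digest(stored, digest):
            matched = i
    if matched is None:
        return False  # caller counts this toward the throttling limit
    del record["hashes"][matched]  # single use
    return True


if __name__ == "__main__":
    codes, record = issue_backup_codes()
    print("show once:", " ".join(codes))
    print("accepted:", redeem_backup_code(record, codes[0]))
    print("replayed:", redeem_backup_code(record, codes[0]))
```

The slow hash only raises the cost of an offline guess against a leaked record; online guessing still has to be stopped by the per-account throttling on the recovery endpoint.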
Device approval · number-matching
The admin (or your trusted device) sees the same code — blind approval is impossible:
47
e.nuriev · WarrantyPC · 192.168.2.40 · Moscow · today 14:32
Never lock everyone out: if no one in scope can pass a required factor, sign-in degrades to password — and that is logged explicitly + shows a banner (never silent). Per person: requiring ≥2 sign-in methods prevents locking out an individual.
Compliance: passkey = phishing-resistant (NIST AAL2/AAL3 · FIDO2, origin-bound) · TOTP = fallback factor · accessible form (WCAG 2.2).
Confirm — I build the backend (WebAuthn RP + recovery codes + throttling) and the React UI (TDD).