qbflowAuth policy console
Draft UI — named sign-in policies, reusable factor bundles, "what would this employee be asked", audit · Sign-in experience → · app ships Russian; this draft is English for review

Sign-in policies

Factor bundles · mapped to assurance level

Hardware key · Roaming FIDO2 key (YubiKey), attestation. Phishing-resistant. · AAL3
Phishing-resistant · Passkey (Windows Hello / Touch ID), origin-bound, plus recovery codes. · AAL2
Standard MFA · Password + TOTP. Legacy fallback, phishable. · AAL2

What would this employee be asked?

Warranty & Sales — Phishing-resistant

Department scope · click factors to change. Server re-validates; the lockout guard blocks a save that would brick everyone.
Name
Report-only mode logs what would be enforced without blocking anyone — roll a stricter policy out safely first.
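Added example of how the console's three server-side rules fit together (effective-policy lookup behind "what would this employee be asked", report-only evaluation that audits but does not block, and the lockout guard that rejects a save nobody in scope could satisfy). This is illustrative code written for this review, not the qbflowAuth backend; every type, function name, bundle id and employee record below is a constructed assumption.

```typescript
// Constructed example, not qbflowAuth code: effective policy, report-only
// evaluation and lockout guard for the policy console described above.

type AssuranceLevel = "AAL2" | "AAL3";

interface FactorBundle {
  id: string;
  name: string;
  level: AssuranceLevel;
  factors: string[];          // any one enrolled factor from this list satisfies the bundle
  phishingResistant: boolean;
}

interface SignInPolicy {
  name: string;
  departments: string[];      // "*" matches every department
  bundleId: string;
  mode: "enforce" | "report-only";
  priority: number;           // higher wins when several policies cover one employee
}

interface Employee {
  id: string;
  department: string;
  enrolled: string[];         // factor ids the employee has registered
}

interface AuditEvent { kind: string; detail: string }

// Sample bundles mirroring the three on the page (ids are assumptions).
const BUNDLES: FactorBundle[] = [
  { id: "hw-key", name: "Hardware key", level: "AAL3", factors: ["fido2-roaming"], phishingResistant: true },
  { id: "passkey", name: "Phishing-resistant", level: "AAL2", factors: ["passkey", "recovery-code"], phishingResistant: true },
  { id: "std-mfa", name: "Standard MFA", level: "AAL2", factors: ["password+totp"], phishingResistant: false },
];

// Sample policies: an enforcing default plus a stricter department policy rolled out in report-only mode.
const POLICIES: SignInPolicy[] = [
  { name: "Default", departments: ["*"], bundleId: "std-mfa", mode: "enforce", priority: 0 },
  { name: "Warranty & Sales", departments: ["warranty", "sales"], bundleId: "passkey", mode: "report-only", priority: 10 },
];

// Sample employees (constructed).
const EMPLOYEES: Employee[] = [
  { id: "e1", department: "sales", enrolled: ["password+totp", "passkey"] },
  { id: "e2", department: "sales", enrolled: ["password+totp"] },
  { id: "e3", department: "finance", enrolled: ["password+totp"] },
];

const audit: AuditEvent[] = [];

function bundle(id: string): FactorBundle {
  const b = BUNDLES.find(x => x.id === id);
  if (!b) throw new Error(`unknown bundle ${id}`);
  return b;
}

function covering(emp: Employee, policies: SignInPolicy[]): SignInPolicy[] {
  return [...policies]
    .filter(p => p.departments.includes("*") || p.departments.includes(emp.department))
    .sort((a, b) => b.priority - a.priority);
}

// "What would this employee be asked?" The highest-priority covering policy is
// evaluated; if it is report-only, the outcome is audited and the answer falls
// back to the highest-priority enforcing policy, so nobody is blocked by it.
function whatWouldBeAsked(emp: Employee, policies = POLICIES) {
  const ordered = covering(emp, policies);
  const top = ordered[0];
  if (!top) throw new Error("no policy covers " + emp.department);
  const enforcing = ordered.find(p => p.mode === "enforce") ?? top;
  const wanted = bundle(top.bundleId);
  const canSatisfy = wanted.factors.some(f => emp.enrolled.includes(f));
  if (top.mode === "report-only") {
    audit.push({ kind: "report-only", detail: `${emp.id}: ${top.name} would ${canSatisfy ? "pass" : "block"} (${wanted.name})` });
  }
  const asked = bundle(enforcing.bundleId);
  return { policy: enforcing.name, asked: asked.name, level: asked.level, wouldBlockIfEnforced: !canSatisfy };
}

// Lockout guard: reject a save when nobody in scope holds a factor the bundle accepts.
function lockoutGuard(policy: SignInPolicy, employees = EMPLOYEES): { ok: boolean; lockedOut: string[] } {
  const b = bundle(policy.bundleId);
  const inScope = employees.filter(e => policy.departments.includes("*") || policy.departments.includes(e.department));
  const lockedOut = inScope.filter(e => !b.factors.some(f => e.enrolled.includes(f))).map(e => e.id);
  const ok = inScope.length === 0 || lockedOut.length < inScope.length;
  audit.push({ kind: ok ? "policy-saved" : "save-rejected", detail: `${policy.name}: ${lockedOut.length}/${inScope.length} in scope would be locked out` });
  return { ok, lockedOut };
}
```

The guard here refuses only a save that would lock out every employee in scope, which is the "brick everyone" case the console describes; a partial lockout is still saved but recorded in the audit trail so the operator can see who would be affected before switching the policy from report-only to enforce.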

Audit

Enterprise parity: named policies + reusable bundles (AAL) + what-if/effective-policy + report-only + audit (Okta / Entra / Duo).
Confirm — I build this console + the sign-in experience in React, over the existing backend (TDD).