Boringly secure authentication for your application

Early alpha. Available for a few selected test sites only.

Public roadmap:

• [x] Privacy-focussed: no tracking, no third-party cookies, we will never sell any data.
• [x] Standard OAuth2 login flow with PKCE.
• [ ] Front-channel login for SPAs without a backend.
• [x] Email, Password + Webauthn (FIDO2, Passkey).
• [x] Add and manage multiple factors.
• [x] Verified email address required for sign up.
• [x] OIDC compliant ID token post-login.
• [ ] Password recovery flow.
• [x] Backup codes for MFA reset.
• [-] Standard security features
  • [ ] Impossible travel detection.
  • [ ] Brute force detection
  • [ ] Bot detection
  • [ ] Suspicious IP throttling
  • [ ] Breached password detection
  • [-] Allow login per client based on:
    • [ ] IP address
    • [ ] Country
    • [x] Email domain
• [-] Federated profile information, available via user-info.
  • [x] Email and name
  • [ ] Phone number
  • [ ] Shipping address
  • [ ] Profile picture
  • [ ] Preferred username
  • [ ] Preferred timezone
• [ ] "Change your details" before redirection to update profile.
• [ ] Signed JWTs for stateless authorisation.
• [ ] Refresh tokens to retrieve new short lived access token.