9 security layers

Security is not a feature.
It's the foundation.

Your users' identities are the most valuable thing in your stack. Every layer of AuthFI is built to protect them.

Every Request

Security at every layer

AuthFI doesn't bolt on security. It's built into every request, every token, every connection.

Every request through AuthFI:

1. PASSWORD Checked against breached database (HIBP) on register + reset
2. LOGIN Brute force protection — max 5 attempts, 30 min lockout (configurable)
3. MFA TOTP challenge — enforced per tenant, per org, or per route
4. TOKEN Signed with per-tenant RSA keypair — not shared, not reused
5. REFRESH Token rotation — family detection blocks reuse attacks
6. SDK JWKS cached, signature verified on every API call
7. eBPF Kernel validates JWT before request reaches your app (~45μs)
8. CLOUD MFA + IP + time conditions checked before issuing cloud creds
9. AUDIT Every decision logged — who, what, when, from where, allow/deny

Built-in Protections

Every tenant gets these. No configuration needed.

Per-tenant RSA keypairs
Every tenant gets its own RSA keypair for JWT signing. Compromise of one tenant's keys doesn't affect others.
Breached password detection
Every password checked against Have I Been Pwned on registration and reset. Compromised passwords blocked.
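How a check against Have I Been Pwned is normally done, as an added Python example that is not AuthFI's code: the client sends only the first five hex characters of the password's SHA-1 hash to the Pwned Passwords range API and compares the returned suffixes locally, so the full hash never leaves the service (the k-anonymity model). The page does not say which HIBP endpoint AuthFI uses; that, the `range_lookup` injection point and the in-memory range response (including its breach count) are assumptions made so the example runs offline.

```python
import hashlib
from typing import Callable

# Constructed stand-in for one Pwned Passwords range response
# (GET https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}).
# Each line is "SUFFIX:COUNT". With the Add-Padding request header the API
# also returns filler lines with COUNT 0, which must not be treated as a hit.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") suffix; count is made up
        "FFFFFFFF00000000FFFFFFFF00000000FFF:0",         # padding entry
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Hypothetical replacement for the HTTPS range call so the example runs offline."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Number of times the password appears in the breach corpus (0 = not found).

    Only the first five hex characters of the SHA-1 hash leave the process;
    the remaining 35 are compared locally against the returned suffixes.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue  # skip malformed lines rather than crash the registration path
        if candidate == suffix and int(count) > 0:
            return int(count)
    return 0


def password_allowed(password: str,
                     range_lookup: Callable[[str], str] = offline_range_lookup) -> bool:
    """Registration/reset policy: any password seen in a breach is rejected outright."""
    return breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-42"):
        print(f"{pw!r}: {'blocked' if not password_allowed(pw) else 'allowed'}")
```

One decision the snippet leaves to the caller: what to do when the range lookup itself fails (timeout, 5xx). For registration and reset a fail-closed "try again later" is the usual choice; silently allowing the password on error would undo the protection.
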
Brute force protection
Configurable per tenant and org. Default: 5 failed attempts → 30 min lockout. Every attempt logged.
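A minimal lockout counter with the page's defaults (5 failures, 30 minute lockout) and an audit trail of every attempt, as an added Python example rather than AuthFI's implementation. The sliding window for counting failures, the `tenant:org:user` key shape and the injectable clock are assumptions; a production version would persist the state and key IP-based limits separately.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_attempts: int = 5           # page default
    lockout_seconds: int = 30 * 60  # page default
    window_seconds: int = 15 * 60   # assumption: failures older than this no longer count


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class BruteForceGuard:
    """Per-account lockout keyed by "tenant:org:user", with an injectable clock for tests."""

    def __init__(self, policy: Optional[LockoutPolicy] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy or LockoutPolicy()
        self.clock = clock
        self._accounts: Dict[str, AccountState] = {}
        self.audit: List[Tuple[float, str, str]] = []  # (time, account, outcome) for every attempt

    def is_locked(self, account: str) -> bool:
        """Call this before verifying the password so a locked account costs no bcrypt work."""
        return self._accounts.setdefault(account, AccountState()).locked_until > self.clock()

    def _log(self, now: float, account: str, outcome: str) -> str:
        self.audit.append((now, account, outcome))
        return outcome

    def attempt(self, account: str, credential_valid: bool) -> str:
        """Record one login attempt and return its outcome.

        A locked account returns "locked" whether or not the credential was right,
        so the response cannot be used to test passwords during the lockout.
        """
        now = self.clock()
        st = self._accounts.setdefault(account, AccountState())
        if st.locked_until > now:
            return self._log(now, account, "locked")
        if credential_valid:
            st.failures.clear()  # a successful login resets the counter
            return self._log(now, account, "ok")
        st.failures = [t for t in st.failures
                       if now - t < self.policy.window_seconds] + [now]
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return self._log(now, account, "locked_now")
        return self._log(now, account, "failed")
```
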
Refresh token rotation
Every refresh issues a new token and invalidates the old one. All tokens descended from one login share a family; if an already-rotated token is presented again, the whole family is revoked, so a stolen copy cannot be replayed and the legitimate client is forced to log in again.
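One way to implement rotation with family detection, as an added Python example that is not AuthFI's code. The in-memory store, the status strings returned by `rotate`, the token TTL and the injectable clock are assumptions; a real deployment persists records and revocations and issues the new access token alongside the new refresh token.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str          # shared by every token descended from one login
    expires_at: float
    rotated: bool = False   # set once this token has been exchanged for a successor


class RefreshTokenStore:
    """Refresh token rotation with family tracking (in-memory for the example)."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    def issue(self, user_id: str, family_id: Optional[str] = None) -> str:
        """Mint a token: a fresh login starts a new family, a rotation stays in its family."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(
            user_id, family_id or secrets.token_urlsafe(16), self.clock() + self.ttl)
        return token

    def rotate(self, presented: str) -> Tuple[str, Optional[str]]:
        """Exchange a refresh token. Returns (status, new_token_or_None)."""
        rec = self._tokens.get(presented)
        if rec is None:
            return "unknown", None
        if rec.family_id in self._revoked_families:
            return "family_revoked", None
        if rec.rotated:
            # A token that was already exchanged is being presented again. Either the
            # real client or a thief holds a stale copy and we cannot tell which, so the
            # whole lineage is revoked; both parties must authenticate again.
            self._revoked_families.add(rec.family_id)
            return "reuse_detected", None
        if rec.expires_at <= self.clock():
            return "expired", None
        rec.rotated = True
        return "ok", self.issue(rec.user_id, rec.family_id)
```

The reuse check deliberately runs before the expiry check: a stale token that is also expired is still evidence that a copy leaked, and the family should be revoked either way.
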
Rate limiting
Per-tenant and per-endpoint. Prevents abuse without affecting legitimate users. Applied at the API gateway.
PKCE (S256)
All SPA and mobile flows require PKCE with S256 challenge. No implicit flow — ever.
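Both halves of the PKCE S256 exchange, as an added Python example (not AuthFI's code): the client derives the challenge from a random verifier, the authorization endpoint refuses anything but S256, and the token endpoint recomputes the challenge from the presented verifier and compares in constant time. The function names are assumptions; the verifier/challenge pair in the test is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets
import string

_VERIFIER_CHARS = set(string.ascii_letters + string.digits + "-._~")  # RFC 7636 unreserved set
_B64URL_CHARS = set(string.ascii_letters + string.digits + "-_")


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes encode to 43 chars, the RFC 7636 minimum length."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: challenge = BASE64URL(SHA256(ASCII(verifier))) without padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_well_formed(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and set(verifier) <= _VERIFIER_CHARS


def authorize_accepts(code_challenge_method, code_challenge) -> bool:
    """Server side at /authorize: S256 only. "plain" and a missing method are refused,
    and the challenge must look like an unpadded SHA-256 (43 base64url characters)."""
    return (code_challenge_method == "S256"
            and isinstance(code_challenge, str)
            and len(code_challenge) == 43
            and set(code_challenge) <= _B64URL_CHARS)


def token_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side at /token: recompute S256 over the presented verifier and compare it,
    in constant time, with the challenge stored against the authorization code."""
    if not verifier_well_formed(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```
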
Encryption

Encryption everywhere

In transit

  • TLS 1.3 for all API connections
  • HTTPS enforced on all custom domains
  • Secure cookies with SameSite, HttpOnly
  • HSTS headers on all responses

At rest

  • Passwords hashed with bcrypt (cost 12)
  • Client secrets hashed — never stored in plaintext
  • API keys stored as a SHA-256 hash; only a short, non-secret prefix is kept for lookup
  • Database encryption at rest (AES-256)

Zero-Trust Kernel

Zero-trust at the kernel

The eBPF agent doesn't trust the network. Every request is validated at the Linux kernel — before it reaches your application. No VPN. No reverse proxy. No trust assumptions.

L7 — HTTP validation
JWT extracted and verified in kernel. Method + path matched against policy. Roles, permissions, groups, MFA — all checked in ~45μs.
L4 — TCP access control
Control which processes connect to databases, caches, queues. Unauthorized TCP connections dropped before the SYN reaches the service.
Audit — every decision
Allow and deny decisions logged with user, IP, method, path, latency, policy match. Streamed to control plane. Queryable via API.
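A user-space model of the L7 decision and its audit record, as an added Python example. It is not eBPF and not AuthFI's agent; it only shows the semantics described above (method and path matched against policy, roles, permissions and MFA checked, every decision recorded with user, IP, method, path, latency and matched rule). JWT signature verification is assumed to have already happened, so `claims` is a verified payload or `None`. The rule model, the "deny wins, then first satisfied allow, else deny" evaluation order, the glob path syntax and the sample policy are assumptions.

```python
import fnmatch
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    methods: Set[str]                                        # {"GET"} or {"*"}
    path_glob: str                                           # e.g. "/api/orders/*"
    effect: str = "allow"                                    # "allow" or "deny"
    roles_any: Set[str] = field(default_factory=set)         # at least one required
    permissions_all: Set[str] = field(default_factory=set)   # all required
    require_mfa: bool = False                                # "mfa" must appear in amr


def rule_matches_request(rule: Rule, method: str, path: str) -> bool:
    return (("*" in rule.methods or method in rule.methods)
            and fnmatch.fnmatchcase(path, rule.path_glob))


def claims_satisfy(rule: Rule, claims: Dict) -> bool:
    if rule.roles_any and not (set(claims.get("roles", [])) & rule.roles_any):
        return False
    if not rule.permissions_all <= set(claims.get("permissions", [])):
        return False
    if rule.require_mfa and "mfa" not in claims.get("amr", []):
        return False
    return True


def decide(policy: List[Rule], claims: Optional[Dict], method: str, path: str,
           source_ip: str, now: Optional[float] = None) -> Dict:
    """Authorize one request and return the audit record for the decision.

    Default deny. An expired or missing token never matches anything; a matching
    deny rule wins over any allow; otherwise the first matching allow rule whose
    claim conditions hold allows the request.
    """
    started = time.perf_counter()
    now = time.time() if now is None else now
    decision, matched = "deny", None
    if claims is not None and claims.get("exp", 0) > now:
        matching = [(i, r) for i, r in enumerate(policy) if rule_matches_request(r, method, path)]
        denies = [i for i, r in matching if r.effect == "deny"]
        allows = [i for i, r in matching if r.effect == "allow" and claims_satisfy(r, claims)]
        if denies:
            matched = denies[0]
        elif allows:
            decision, matched = "allow", allows[0]
    return {
        "decision": decision,
        "user": claims.get("sub") if claims else None,
        "ip": source_ip, "method": method, "path": path,
        "rule": matched,
        "latency_us": round((time.perf_counter() - started) * 1e6, 1),
        "ts": now,
    }


# Constructed sample policy: internal paths are never reachable through the agent,
# analysts may read orders, and destructive order operations need an admin with MFA.
SAMPLE_POLICY = [
    Rule({"*"}, "/internal/*", effect="deny"),
    Rule({"GET"}, "/api/orders/*", roles_any={"analyst", "admin"}),
    Rule({"POST", "DELETE"}, "/api/orders/*", roles_any={"admin"}, require_mfa=True),
]
```
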

Detection Engine

Three layers of AI

Rules catch known threats instantly. ML catches unknown patterns by learning YOUR data. LLM explains findings and suggests policies. All three run together.

Rules Engine

All plans

Credential stuffing
Brute force
Dormant accounts
Infrastructure risks
Cloud IAM risks
Orphan cleanup

ML Models

Pro+

Impossible travel
Login anomaly (Isolation Forest)
Behavior clustering (k-means)
Traffic anomaly
Risk scoring
Process + container anomaly

LLM Intelligence

Business+

Natural language policies
Explain ML findings
Weekly security digest
Auto-policy suggestions
RAG — ask your data
Recommended actions

Real example: all three layers working together

Event
  Login from admin@hospital.com
  IP: 45.33.x.x (Brazil)
  Time: 3:00 AM IST
  Device: new Chrome

Rules
  New country detected
  Flag: unusual location

ML
  Isolation Forest score: 0.92
  142 prior logins: all India
  Anomaly: top 3%

LLM
  "Never from Brazil. New device. 3 AM."
  Action: step-up MFA + notify

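The rules layer of the example above, as an added Python example rather than AuthFI's engine: three rules (new country, new device, impossible travel via great-circle distance) evaluated over a constructed login history, producing the flags and the step-up decision. The rule names, the 900 km/h travel threshold, the 50 km "same metro area" tolerance, the decision logic and the sample data (documentation-range IPs, Mumbai and São Paulo coordinates) are assumptions. The ML layer (Isolation Forest scoring) and the LLM layer are not modelled here.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Login:
    user: str
    ts: float        # unix seconds
    ip: str
    country: str
    lat: float
    lon: float
    device: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def rule_new_country(history: List[Login], event: Login) -> bool:
    return event.country not in {h.country for h in history if h.user == event.user}


def rule_new_device(history: List[Login], event: Login) -> bool:
    return event.device not in {h.device for h in history if h.user == event.user}


def rule_impossible_travel(history: List[Login], event: Login, max_speed_kmh: float = 900.0) -> bool:
    """Flag if reaching the new location from the previous login would exceed airliner speed."""
    prior = [h for h in history if h.user == event.user and h.ts < event.ts]
    if not prior:
        return False
    last = max(prior, key=lambda h: h.ts)
    km = haversine_km(last.lat, last.lon, event.lat, event.lon)
    if km < 50.0:
        return False  # same metro area: IP geolocation jitter is not travel
    hours = (event.ts - last.ts) / 3600.0  # > 0 because only earlier logins are considered
    return km / hours > max_speed_kmh


RULES = (("new_country", rule_new_country),
         ("new_device", rule_new_device),
         ("impossible_travel", rule_impossible_travel))


def evaluate(history: List[Login], event: Login) -> Dict:
    """Run every rule and map the flags to an action (assumed policy)."""
    flags = [name for name, rule in RULES if rule(history, event)]
    if "impossible_travel" in flags or len(flags) >= 2:
        action = "step_up_mfa_and_notify"
    elif flags:
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"user": event.user, "flags": flags, "action": action}


# Constructed history: three logins from Mumbai on the same Windows browser, then an
# attempt from São Paulo two hours after the last one on a different browser.
USER = "admin@hospital.com"
T0 = 1_700_000_000.0
HISTORY = [Login(USER, T0 + i * 86400, "203.0.113.10", "IN", 19.0760, 72.8777, "Chrome/Windows")
           for i in range(3)]
SUSPICIOUS = Login(USER, HISTORY[-1].ts + 2 * 3600, "198.51.100.7", "BR", -23.5505, -46.6333, "Chrome/macOS")
BENIGN = Login(USER, HISTORY[-1].ts + 3 * 3600, "203.0.113.10", "IN", 19.0760, 72.8777, "Chrome/Windows")
```

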
Compliance

Data residency & compliance

Choose your region

Every tenant is assigned a data region. User data, tokens, and audit logs stay in the region you choose.

  • US: United States
  • EU: European Union
  • IN: India
  • AU: Australia

Compliance-ready

  • Comprehensive audit logging — every action tracked
  • AuthFI Connect audit trail — who accessed which cloud
  • eBPF access logs — every service request logged
  • HIPAA-ready with healthcare module (SMART on FHIR)
  • Audit log export — CSV/JSON to SIEM and security tools
  • Multi-tenant isolation — zero data leakage between tenants

Performance

Performance & reliability

  • ~45μs eBPF auth latency
  • 300+ edge locations
  • 4 data regions
  • 0 static keys stored

One platform. Every identity layer.
Free to start.

Free for 5,000 users. Upgrade when you're ready.

Start building free →

Startups and enterprises get 1 year free →