01 — Authentication
Modern by default, government-grade where it matters.
Authentication is the first signal of how seriously the rest of the platform is taken. Cybsis treats it that way.
- Passkeys (WebAuthn) — the default
- Phishing-resistant cryptographic credentials, bound to the device. Hardware security keys like YubiKey are first-class citizens — the same flow handles them and platform authenticators (Touch ID, Windows Hello) interchangeably. @simplewebauthn/server v13
- TARA — Estonian eID umbrella (public sector)
- One OIDC flow against the Estonian state SSO covers every national eID scheme: ID-card, Mobile-ID, and Smart-ID. The user picks at the TARA portal; Cybsis receives a verified identity assertion back. TARA is a state-run service for authenticating to public-sector systems — private-sector deployments use Web eID below. openid-client v6
- Active Directory / LDAP
- Direct bind against the customer's AD or any LDAP-compatible directory. For enterprises that already centralise identity and don't want a second user store. Account lockout cooperates with the directory's own policy. ldapts v8 · integrationAD module
- Web eID — ID-card for the private sector
- Estonian ID-card authentication available to private-sector buyers (and to public-sector teams who'd rather not route through TARA). Browser-extension-driven, with OCSP certificate validation and nonce-bound challenge-response. Commercial Mobile-ID and Smart-ID via SK ID Solutions are supported as a paid integration module — included for existing customers, purchased separately for new private-sector deployments. @peculiar/x509 · OCSP-validated
- Federation API keys
- Machine-to-machine access between Cybsis instances. Bearer tokens with HMAC-SHA256 request signatures and identity-header role mapping; revocable at the issuing instance. federation module
- Password (when nothing else fits)
- Bcrypt-hashed, minimum length configurable, account lockout after a configurable number of failed attempts within a rolling 15-minute window. We'd rather you used passkeys. bcryptjs v3
Session model
Short-lived JWT access tokens (15 minutes, configurable) carried in httpOnly SameSite=Strict cookies, with audience and issuer validation. Refresh tokens are 48 random bytes, stored SHA-256-hashed at rest — the plaintext only ever exists in the browser cookie. Idle timeout configurable per instance; default 60 minutes. Per-route rate limits on every authentication endpoint (e.g. password: 10 requests / 15 minutes; passkey registration: 20 / 5 minutes).