Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Athena API Authentication Athena API Errors Athena API Pagination Athena Settings API SDK Settings API

Environment variables

MFA methods TOTP WebAuthn Backup codes Email/SMS code Step-up auth

ReferenceMFA methods

WebAuthn

Cryptographic challenge-response with hardware (YubiKey, Touch ID) or passkeys.

Web Authentication API

Spec: W3C WebAuthn

Provides AAL: AAL2 (AAL3 with attestation)

Summary

Cryptographic challenge-response with hardware (YubiKey, Touch ID) or passkeys.

Strengths

Phishing-resistant (origin binding)
User-friendly (biometric / touch)
Strong cryptography

Weaknesses

Requires browser/OS support (now ubiquitous)
Per-domain, passkeys don't migrate when you rename your domain

Enrollment

Browser prompts user to use Touch ID / hardware key / save a passkey.

Recovery

Multiple authenticators enrolled is the right pattern. Otherwise password reset.

Related

Identity, TOTP and WebAuthn
Identity, MFA policy
Identity, Sessions, AAL, refresh

TOTP

6-digit codes generated by an authenticator app (Google Authenticator, 1Password, Authy).

Backup codes

Pre-generated one-time codes the user prints/saves. Each can be used exactly once.

On this page

Web Authentication API Summary Strengths Weaknesses Enrollment Recovery Related