Multi-Factor Authentication

Trident

Key capabilities

TOTP

Time-based one-time passwords compatible with Google Authenticator, Authy, 1Password, and any RFC 6238 app.

WebAuthn

FIDO2 passkeys — hardware keys (YubiKey), Touch ID, Face ID, Windows Hello, and synced passkeys.

Magic Links

Passwordless email login. A unique short-lived link is sent to the inbox — click to authenticate.

Recovery Codes

One-time backup codes for account recovery when the primary MFA device is unavailable.

Required Actions

Enforce MFA enrollment for all new users — MFA becomes mandatory rather than optional.

Temporary Tokens

Short-lived tokens issued during the MFA challenge phase — they cannot be used to access protected resources.

How it works

1. Credentials validated

The user submits their username and password. FerrisKey validates them and checks for configured MFA credentials.

2. MFA challenge issued

If MFA is configured, a temporary token and challenge are returned. The client prompts for the second factor.

3. Second factor verified

The user submits the OTP or passkey assertion, or clicks the magic link. Trident validates the response.

4. Full tokens issued

On success, FerrisKey issues access, refresh, and ID tokens. The session is fully established.
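The four steps above, sketched for the TOTP case as an added example; this is not FerrisKey or Trident code. The `MfaLogin` class, its method names, the 300-second temporary-token lifetime, the single-use temporary token, the one-step skew window and the replay guard are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class MfaLogin:
    """Hypothetical two-phase login flow; not FerrisKey's actual API."""
    TEMP_TTL = 300  # assumed temporary-token lifetime in seconds

    def __init__(self, users):
        # Constructed sample store: name -> (password, TOTP secret).
        # A real store keeps password hashes, never plaintext.
        self.users = users
        self.pending = {}    # temporary token -> (user, expiry)
        self.sessions = {}   # access token -> user
        self.last_step = {}  # user -> last accepted time step (replay guard)

    def login(self, user, password, now):
        """Steps 1-2: check the password, then hand out only a temporary token."""
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            return {"status": "denied"}
        temp = secrets.token_urlsafe(32)
        self.pending[temp] = (user, now + self.TEMP_TTL)
        return {"status": "mfa_required", "temp_token": temp}

    def verify_totp(self, temp, code, now):
        """Steps 3-4: redeem the temporary token once, check the code, open a session."""
        user, expiry = self.pending.pop(temp, (None, 0))  # single use, even on failure
        if user is None or now > expiry:
            return {"status": "denied"}
        secret = self.users[user][1]
        for step in (now // 30 - 1, now // 30, now // 30 + 1):  # tolerate clock skew
            fresh = step > self.last_step.get(user, -1)  # reject reused time steps
            if fresh and hmac.compare_digest(totp(secret, step * 30).encode(), code.encode()):
                self.last_step[user] = step
                access = secrets.token_urlsafe(32)
                self.sessions[access] = user
                return {"status": "ok", "access_token": access}
        return {"status": "denied"}

    def authorize(self, token):
        """Resource check: only full access tokens resolve to a user."""
        return self.sessions.get(token)
```

Because temporary tokens and access tokens live in separate stores, a temporary token presented to `authorize` resolves to nothing, which is the property the Temporary Tokens capability describes.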
