Implemented Security Features
WebAuthn/Passkeys
Passwordless authentication with FIDO2 security keys, Touch ID, Face ID, and Windows Hello support.
Password Security
Argon2id hashing with AUTH_PEPPER, HaveIBeenPwned breach detection, and 10+ character minimum.
Multi-Factor Auth
TOTP-based 2FA with Google Authenticator, backup codes, and device management.
Rate Limiting
Intelligent rate limiting on login, registration, and API endpoints with exponential backoff.
Secure Sessions
HttpOnly, Secure, SameSite=Lax cookies with device fingerprinting and geolocation tracking.
Audit Logging
Full logging of all authentication events with IP tracking and severity levels.
CSRF Protection
Timing-attack resistant CSRF tokens using hash_equals() on all state-changing operations.
Account Lockout
Temporary lockout after 10 failed attempts with automatic unlock and secure recovery.
Isolated Logging
Security events forwarded to external IDS device for centralized threat detection and analysis.
Bot Protection
Cloudflare Turnstile CAPTCHA on suspicious login attempts with k-Anonymity privacy.
Email Verification
Secure email verification with time-limited tokens and professional email templates.
API Key Management
Generate and manage API keys for programmatic access with proper hashing.
GDPR Compliance
Full data export and account deletion capabilities with privacy-by-design principles.
Security Headers
Content Security Policy, X-Frame-Options, HSTS, and X-Content-Type-Options enforced at the reverse proxy layer.
Breach Detection
HaveIBeenPwned integration using k-Anonymity to check passwords against known breaches without exposing credentials.
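Added illustration of the k-Anonymity range check described above (example code written for this page, not CoreAccess-ID's own implementation): only the first five hex characters of the password's SHA-1 are sent to the range API, and the match is resolved locally against the returned suffix list. The range response below is a constructed stand-in with made-up counts so the code runs offline; `fetch_range` is an assumed callback standing in for an HTTP GET of the real endpoint.

```python
import hashlib

# Constructed sample of a range response for prefix "5BAA6" (the first five hex
# characters of SHA-1("password")). Real responses hold hundreds of
# "SUFFIX:COUNT" lines; these suffixes and counts are made up for the example.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
    "1E2AAA439972480CEC7F16C795BBB429372:1",
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
])

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Number of breach occurrences; the full hash and the password never leave the server."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_acceptable(password: str, fetch_range) -> tuple[bool, str]:
    """Apply the page's policy: 10+ characters, then reject anything seen in a breach."""
    if len(password) < 10:
        return False, "too short"
    if breach_count(password, fetch_range) > 0:
        return False, "found in known breach"
    return True, "ok"
```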
Why I Built This
I built CoreAccess-ID because I wanted to know how auth actually works under the hood. Not just plug in a library and hope it handles security. I wrote every hashing function, every session handler, every rate limiter from scratch. You don't really understand where auth breaks until you build it yourself and watch it fail.