Credentials
A credential is proof of identity. FerrisKey supports multiple credential types that can be combined for multi-factor authentication.
Credential Types
Password
The most common credential type. Passwords are hashed using Argon2 — a memory-hard algorithm designed to resist brute-force and GPU attacks.
Stored data:
- hash_iterations — Argon2 iteration count
- algorithm — Hashing algorithm identifier
- salt — Unique random salt per credential
Passwords are never stored in plaintext and cannot be retrieved — only verified.
TOTP (Time-based One-Time Password)
A shared secret used with authenticator apps (Google Authenticator, Authy, 1Password). Configuration includes:
- Algorithm — Hash function (SHA-1, SHA-256, SHA-512)
- Digits — Code length (typically 6)
- Period — Time step in seconds (typically 30)
- Issuer — Display name in authenticator apps
TOTP credentials are managed by the Trident module.
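The code generation and verification behind those four settings, as an added example written for this page (it is not Trident's or FerrisKey's code) using only the Python standard library. `totp_code` implements RFC 6238 over HOTP's dynamic truncation, `verify_totp` accepts a small clock-skew window while refusing any time step that is not newer than the last accepted one (so a captured code cannot be replayed), and `provisioning_uri` builds the otpauth:// payload that authenticator apps scan, carrying the algorithm, digits, period and issuer. The secret and issuer values are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def totp_code(secret: bytes, timestamp: int, algorithm: str = "SHA1",
              digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time-step counter floor(timestamp / period)."""
    counter = timestamp // period
    mac = hmac.new(secret, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, last_counter: int,
                algorithm: str = "SHA1", digits: int = 6, period: int = 30,
                window: int = 1):
    """Accept a code from the current step or up to `window` steps either side.

    Returns the matching counter, or None. Steps not newer than `last_counter`
    are rejected so a code cannot be replayed; the caller persists the returned
    counter as the new `last_counter` after a successful login.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = timestamp // period
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = totp_code(secret, counter * period, algorithm, digits, period)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            return counter
    return None


def provisioning_uri(secret: bytes, issuer: str, account: str, algorithm: str = "SHA1",
                     digits: int = 6, period: int = 30) -> str:
    """otpauth:// URI (the QR-code payload) carrying the TOTP configuration fields."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm}&digits={digits}&period={period}")


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed input, not a real credential).
    secret = b"12345678901234567890"
    print(totp_code(secret, 59, digits=8))                  # 94287082 per RFC 6238
    print(provisioning_uri(secret, "FerrisKey", "alice@example.com"))
```

The replay check matters more than the skew window: without it, a phished or shoulder-surfed code stays valid for the whole step plus the window, and "one-time" is only true for the step size, not per use.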
WebAuthn (FIDO2 Passkeys)
Hardware security keys and platform authenticators (Touch ID, Windows Hello, Android biometrics). WebAuthn credentials store the public key and credential metadata — the private key never leaves the user’s device.
Recovery Codes
One-time backup codes generated when MFA is configured. Each code can be used exactly once in place of the normal MFA challenge, for example when the authenticator device is lost. Recovery codes are hashed before storage, so like passwords they can only be verified, never read back.
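An added example (not FerrisKey's code) of the generate-hash-consume cycle described above, in Python with only the standard library. Codes are random (64 bits each), shown in plaintext exactly once at generation, and stored only as SHA-256 digests; since the codes are random rather than user-chosen, this example uses a plain unsalted hash, which is an assumption of the example and not a statement about FerrisKey's storage format. Redeeming a code removes its digest, which is what makes it single-use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoveryCodeSet:
    """Hashed recovery codes for one user. Plaintext codes exist only at generation time."""
    digests: list                              # SHA-256 digests of unused codes
    used: list = field(default_factory=list)   # digests of consumed codes (audit trail)


def _normalize(code: str) -> str:
    # Tolerate the formatting a user is likely to type: spaces, dashes, upper case.
    return "".join(code.split()).replace("-", "").lower()


def _digest(code: str) -> bytes:
    return hashlib.sha256(_normalize(code).encode("ascii")).digest()


def generate_recovery_codes(count: int = 10):
    """Returns (plaintext codes to show once, hashed set to persist)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)                      # 64 random bits as 16 hex chars
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes, RecoveryCodeSet(digests=[_digest(c) for c in codes])


def redeem_recovery_code(store: RecoveryCodeSet, code: str) -> bool:
    """Consumes a code: True exactly once per valid code, False afterwards or for unknown codes."""
    candidate = _digest(code)
    for i, stored in enumerate(store.digests):
        if hmac.compare_digest(stored, candidate):
            store.used.append(store.digests.pop(i))    # removal is what enforces single use
            return True
    return False


def remaining(store: RecoveryCodeSet) -> int:
    return len(store.digests)


if __name__ == "__main__":
    codes, store = generate_recovery_codes()
    print("show these once:", codes)
    print(redeem_recovery_code(store, codes[0]), redeem_recovery_code(store, codes[0]))
```

When `remaining` gets low the user should be prompted to regenerate, and regeneration replaces the whole set rather than topping it up, so that a leaked old code list stops working.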
Federated
Credentials linked to an external identity provider (Google, GitHub, etc.) through the Abyss module. Stored data includes:
- provider_id — External provider identifier
- provider_type — Provider type (OAuth2, OIDC)
Temporary Credentials
A credential can be marked as temporary. Temporary credentials (typically passwords) trigger the UpdatePassword required action — the user must set a new permanent password before gaining full access.
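The two password behaviours described on this page, verify-only storage with a per-credential salt (Password section) and the temporary flag that forces UpdatePassword (this section), as one added Python example. This is illustrative code written for this page, not FerrisKey's implementation. Because the Python standard library has no Argon2, it uses `hashlib.scrypt` as a stand-in memory-hard function, and maps the `hash_iterations` field onto scrypt's cost parameter; the field names mirror the page, the `authenticate`/`update_password` functions and the `PermissionError` handling are this example's own design.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PasswordCredential:
    """Stored form of a password credential: parameters, salt and digest, never the password."""
    algorithm: str        # hashing algorithm identifier
    hash_iterations: int  # cost parameter kept beside the digest so it can be raised later
    salt: bytes           # unique random salt per credential
    digest: bytes         # verify-only: the password cannot be recovered from it
    temporary: bool = False


def _derive(password: str, salt: bytes, hash_iterations: int) -> bytes:
    # Assumption of this example: scrypt stands in for Argon2 (both memory-hard);
    # hash_iterations is mapped to scrypt's CPU/memory cost N = 2**hash_iterations.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** hash_iterations, r=8, p=1, dklen=32)


def create_password(password: str, *, temporary: bool = False,
                    hash_iterations: int = 14) -> PasswordCredential:
    salt = secrets.token_bytes(16)   # fresh salt: identical passwords get different digests
    return PasswordCredential("scrypt", hash_iterations, salt,
                              _derive(password, salt, hash_iterations), temporary)


def verify_password(cred: PasswordCredential, password: str) -> bool:
    candidate = _derive(password, cred.salt, cred.hash_iterations)
    return hmac.compare_digest(candidate, cred.digest)   # constant-time comparison


def authenticate(cred: PasswordCredential, password: str):
    """Returns (verified, required_actions). A temporary credential verifies, but
    full access stays blocked behind the UpdatePassword required action."""
    if not verify_password(cred, password):
        return False, []
    return True, (["UpdatePassword"] if cred.temporary else [])


def update_password(cred: PasswordCredential, current: str, new: str) -> PasswordCredential:
    """Completes UpdatePassword: replaces the temporary credential with a permanent one."""
    if not verify_password(cred, current):
        raise PermissionError("current password does not verify")
    if new == current:
        raise ValueError("new password must differ from the temporary one")
    return create_password(new, temporary=False, hash_iterations=cred.hash_iterations)


if __name__ == "__main__":
    # Constructed sample: an admin-set temporary password, then the user's own.
    tmp = create_password("initial-1", temporary=True, hash_iterations=12)
    print(authenticate(tmp, "initial-1"))          # (True, ['UpdatePassword'])
    perm = update_password(tmp, "initial-1", "long-term-secret")
    print(authenticate(perm, "long-term-secret"))  # (True, [])
```

Storing the algorithm identifier and cost beside each digest is what allows a later migration: old credentials still verify with their recorded parameters, and can be re-hashed with stronger ones on the next successful login.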
Credential Lifecycle
Users can have multiple credentials of different types simultaneously. A typical setup might include:
- One password credential
- One TOTP credential (after MFA setup)
- One set of recovery codes (generated with TOTP)
- One or more WebAuthn passkeys
Each credential type can be added, updated, or removed independently through the admin console or user self-service endpoints.