Tivro Passkeys for WHMCS

WebAuthn / FIDO2 Passwordless Authentication. Clients log in using Face ID, Touch ID, Windows Hello, or a hardware security key — no passwords required. No phishing. No friction.

? Core Authentication

• Passwordless Login via WebAuthn / FIDO2 — Clients authenticate using their device's built-in biometrics or a hardware security key, fully compliant with the FIDO2 / WebAuthn standard.
• Multiple Passkeys per Client — Each client can register a passkey for each device or browser from their client area, with the ability to rename or revoke any of them.
• Passkey-Required Mode — Force all clients to register a passkey. Anyone logging in without one is automatically redirected to register before continuing.
• Password Fallback Control — Choose whether clients without a passkey can still use their password, or must register a passkey to proceed.

?️ Step-Up Security

• New IP Detection + OTP Challenge — Clients logging in from an unrecognized IP are prompted to verify via a one-time email code before access is granted.
• New Device Detection + OTP Challenge — Logins from unrecognized browsers or devices require a one-time email code, even when the passkey itself is valid.
• Email OTP Fallback — If a passkey is unavailable (new phone, lost device), clients can verify with a 6-digit code sent to their registered email.

Admin Policy Control

• Master On/Off Switch — Instantly disable all passkey UI and endpoints with a single toggle, no uninstall needed for maintenance or rollback.
• Per-Feature Policy Toggles — Individually configure passkey requirement, password fallback, OTP fallback, new IP step-up, and new device step-up.
• Login Button Theme Customizer — Pick from 12 built-in themes or define a fully custom background, text, and border color with a live preview before saving.

? Email & Webhook Notifications

• New Passkey Registration Alert — Clients are emailed automatically when a new passkey is added, with the device name, IP address, and timestamp included.
• Passkey Revoked Alert — Clients are notified by email when a passkey is removed from their account, by themselves or by an admin.
• Suspicious Login Alert — Clients are notified when repeated failed authentication attempts trigger rate limiting on their account.
• Webhook Integration — Push security events to any endpoint. Natively supports Discord, Telegram Bot API, or any custom JSON webhook.

? Admin Client Management

• Passkey Overview Per Client — View all registered passkeys across all clients with device name, transport type, registration date, and last used timestamp.
• Admin Force-Revoke — Instantly revoke any client's passkey from the admin panel with a single click and confirmation prompt.
• Client Search — Search and filter clients by name or email to quickly locate and manage their passkeys.
• Paginated Client List — Efficiently browse passkeys across large client bases with built-in pagination.

? Audit Logging

• Full Audit Log — Every security event is logged: registrations, authentications, OTP activity, step-up events, admin revocations, and policy changes.
• Event Filtering — Filter the audit log by specific event type to quickly investigate incidents or review account activity.
• CSV Export — Export the full audit log or a filtered subset to CSV for compliance records, support tickets, or external review.

? Security & Reliability

• HTTPS Enforcement — The module detects your WHMCS system URL and blocks all passkey operations if HTTPS is not active.
• CSRF Protection — All state-changing requests (policy saves, revocations, key submissions) are protected with per-session CSRF tokens.
• Rate Limiting — Built-in brute-force protection tracks and throttles failed authentication attempts automatically per client.
• IP & User-Agent Logging — All audit entries capture the client's IP address and device fingerprint for full forensic traceability.
• Known Device Tracking — A per-client registry of trusted devices powers step-up authentication without re-challenging clients on familiar devices.

?️ Admin Panel

• Dedicated Admin Interface — A clean, modern sidebar panel covering Overview, Policies, Clients, Audit Logs, and License — no external tools needed.
• Fully Mobile Responsive — The admin panel works across all screen sizes with a collapsible slide-out sidebar on mobile and tablet.
• System Status Widget — At-a-glance overview of license status, passkeys enabled state, HTTPS detection, and last check time on the Overview page.
• Quick Actions — One-click shortcuts to the most common tasks: manage license, edit policies, browse clients, view logs, and export CSV.