What MFA methods does Visylix support?

Three classes. Time-based OTP (TOTP) via Google Authenticator, Authy, 1Password, or any RFC 6238 app, available on Starter and above. WebAuthn / FIDO2 passkeys via hardware keys (YubiKey, SoloKey, Feitian) and platform authenticators (iCloud Keychain, Windows Hello, Android biometric, Google Password Manager, 1Password), available on Pro and above. Backup recovery codes issued when MFA is first enabled, 10 codes, hashed with Argon2id, single-use.

Can we enforce MFA for all users?

Yes. Organization-wide enforcement is one toggle. You can also enforce by role, "require MFA for admins" is the most common policy, or by group synced from SSO. Users who have not enrolled are prompted on their next login and blocked from viewing cameras until they complete enrollment.

What happens if someone loses their hardware key or phone?

Users receive 10 single-use recovery codes when MFA is first enabled. Each code is hashed with Argon2id and stored one-way, Visylix cannot recover lost codes and neither can we. Admins can also reset MFA for a user, which triggers a full re-enrollment on next login and is heavily audit-logged. For regulated environments, you can disable admin reset entirely and require break-glass + two-admin approval.

How does brute-force protection work?

Five failed MFA attempts within 15 minutes lock the account for 15 minutes. After lockout, the counter resets but the source IP is tracked for anomaly detection. Excessive failures across many accounts from a single IP trigger an automatic SOC alert and temporary IP ban. All failures are audit-logged with the attempted factor type, source IP, and user agent.

Do passkeys work offline / on-premise VMS deployments?

Yes. WebAuthn / FIDO2 authentication is performed entirely between the browser and the Visylix backend, no external identity service required. Passkeys work in fully air-gapped deployments as long as the browser is modern (Chrome 109+, Safari 16.4+, Firefox 119+, Edge 109+). Platform authenticators like iCloud Keychain sync across your own devices; hardware keys like YubiKey are self-contained.

TOTP on Starter+ · Passkeys on Pro+

Unphishable logins for your VMS

Time-based OTP, WebAuthn passkeys, FIDO2 hardware keys, Argon2-hashed recovery codes, and brute-force lockout. Enrollment in 90 seconds, enforcement in one click.

Start Free Trial See pricing

Works with every authenticator your team already uses

YubiKeyHardware

iCloud KeychainPlatform

Google Password ManagerPlatform

1PasswordSoftware

AuthyTOTP

Google AuthenticatorTOTP

Why MFA on surveillance is non-negotiable.

A compromised VMS credential gives attackers the ability to see, delete, and tail. MFA is the cheapest mitigation.

Surveillance logins are high-value targets

Attackers who breach a VMS can disable cameras, delete evidence, or tail a victim in real time. Passwords alone, even strong ones, fall to phishing, credential stuffing, and malware keyloggers. MFA raises the cost of compromise by orders of magnitude.

Insurance and compliance require it

Cyber-insurance renewals now ask directly: is MFA enforced on all admin accounts? SOC 2 Type II, ISO 27001 Annex A.9.4.2, and HIPAA Security Rule 164.312(d) all treat MFA as table stakes. Checking the box takes one afternoon with Visylix.

Passkeys kill the "MFA fatigue" attack

Prompt-bombing attacks work against push-MFA and SMS. Passkeys require a physical tap on a device the user controls, no prompt to spam, no code to phish. Pro tier passkeys end MFA fatigue entirely.

Every factor your security team asked for.

TOTP, passkeys, hardware keys, recovery codes, lockout, enforcement, all built in, all audited.

Passkeys (WebAuthn / FIDO2)

Phishing-resistant passwordless authentication. User taps Touch ID, Face ID, Windows Hello, or a hardware key, no code to type, no OTP to intercept. Backed by cryptographic keys that never leave the authenticator.

Hardware keys

YubiKey 5 series, SoloKey, Feitian, and any CTAP 2.0 device. FIDO2 Level 1 and Level 2 certified authenticators supported. Works USB-A, USB-C, NFC, and Lightning. Keys can be enrolled via the user profile UI.

TOTP apps

Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, Duo Mobile, FreeOTP, any RFC 6238 compliant app. QR-code enrollment, 30-second windows, 6-digit codes.

Argon2id recovery codes

Ten single-use recovery codes issued at MFA enrollment. Hashed with Argon2id (memory-hard, side-channel resistant). Visylix cannot read them back, users must save at enrollment time.

Brute-force lockout

Five failed MFA attempts within 15 minutes locks the account for 15 minutes. Source IP tracked for anomaly detection. Multi-account failures from one IP trigger automatic SOC alerts.

Enforce by role

Require MFA for admins, operators, or any custom role. Enforce organization-wide, or layer: TOTP minimum for all, passkey minimum for admins. Break-glass admin account excluded by policy.

Included by default, scales with your plan.

Starter gets TOTP and recovery codes on day one. Pro unlocks passwordless passkeys and enforcement policies.

Starter & above

TOTP (Google Authenticator, Authy, 1Password, any RFC 6238 app)
10 recovery codes, Argon2id hashed, single-use
Brute-force lockout, 5 attempts / 15min cooldown
Audit log of every factor attempt

Pro & above

Passkeys, WebAuthn / FIDO2
Hardware keys, YubiKey, SoloKey, Feitian
Platform authenticators, Touch ID, Windows Hello, Android biometric
Enforce-by-role policies (require MFA for admins, operators, etc.)

Use case, Regional hospital

“Our cyber-insurance renewal required MFA on every admin account touching patient-area cameras. Passkeys satisfied the auditor and our staff stopped fighting the rollout.”

Regional hospital network, 6 facilities, 1,200 cameras. Passkey rollout: 42 admin accounts, completed in one shift. Zero password resets since.

Turn on MFA today.

TOTP is included on every Visylix plan. Passkeys unlock on Pro and above. Enrollment takes 90 seconds per user.

Start Free Trial See pricing