Simple Trick to get rid of 99% of Account Takeovers or similar

Before integrating yaan, we want to elaborate on what it actually takes to prevent Account Takeovers (ATOs) or similar. This is very important and should be implemented by default.

The Basics

If you have not implemented 2FA or MFA yet, do that first. We are aware that many people online claim that this creates "extra" friction. Let's ignore the obvious security benefit here: as a matter of fact, many browsers already support cloud-native syncing for passkeys or TOTP providers, so it is usually one click for users to add it to their vault, or authenticate via Bitwarden, LastPass, 1Password, or even native OS integrations such as Apple Passkeys, Windows Hello, Google Authenticator, etc.

Good places to enforce verification challenges:

  • Every new login from an unrecognized device (we help with this)
  • Password resets
  • Payment or sensitive data actions

Even better, consider going passwordless entirely using magic links in combination with MFA. Most modern auth frameworks, such as BetterAuth, Clerk, or Supabase Auth, have this built in, so it is often just a matter of enabling the feature. Or if you're not a Soydev, well, you chose this path.

Where yaan Fits In

Think of 2FA and MFA as locking your front door. yaan is the security system inside the house.

Even after a user is fully authenticated, you still need to:

  • Detect anomalous behavior post-login
  • Monitor and flag suspicious actions in real time
  • Block unusual patterns before damage is done

Checklist Before Integrating yaan

  • 2FA enabled (TOTP or Email)
  • MFA enabled (Passkeys)
  • SMS verification removed
  • Verification enforced on sensitive actions
  • Passwordless auth considered (magic links + MFA)
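
The enforcement points listed under The Basics and the checklist above can be expressed as one policy function. This is an added example, not code from yaan or from any auth framework named on this page; every function, field and action name in it is hypothetical, and the five-minute freshness window is an assumption.

```javascript
// Added illustration; all names are hypothetical, not part of yaan or any auth framework.
const SENSITIVE_ACTIONS = new Set(["password_reset", "payment", "sensitive_data"]);
const ALLOWED_FACTORS = new Set(["passkey", "totp", "email"]); // SMS is deliberately absent
const FRESH_MS = 5 * 60 * 1000; // assumption: a challenge passed in the last 5 minutes still counts

// Decide whether a request proceeds, needs a verification challenge,
// or must wait until the user enrolls an acceptable factor.
function verificationDecision(user, event, now = Date.now()) {
  const reasons = [];
  if (event.action === "login" && !user.knownDevices.includes(event.deviceId)) {
    reasons.push("unrecognized_device");
  }
  if (SENSITIVE_ACTIONS.has(event.action)) {
    const verifiedAt = event.lastVerifiedAt; // ms timestamp of the last passed challenge, or undefined
    const fresh =
      typeof verifiedAt === "number" && verifiedAt <= now && now - verifiedAt <= FRESH_MS;
    if (!fresh) reasons.push("sensitive_action");
  }
  if (reasons.length === 0) return { outcome: "allow", reasons, factors: [] };

  // Offer only factors from the checklist; an SMS-only account cannot pass a challenge.
  const factors = user.enrolledFactors.filter((f) => ALLOWED_FACTORS.has(f));
  if (factors.length === 0) return { outcome: "enroll_required", reasons, factors };
  return { outcome: "challenge", reasons, factors };
}

// Constructed sample users and events.
const NOW = 1_700_000_000_000;
const alice = { knownDevices: ["dev-laptop"], enrolledFactors: ["passkey", "sms"] };
const bob = { knownDevices: [], enrolledFactors: ["sms"] };

const samples = [
  [alice, { action: "login", deviceId: "dev-laptop" }],
  [alice, { action: "login", deviceId: "dev-unknown" }],
  [alice, { action: "payment", deviceId: "dev-laptop", lastVerifiedAt: NOW - 60_000 }],
  [alice, { action: "password_reset", deviceId: "dev-laptop" }],
  [bob, { action: "login", deviceId: "dev-phone" }],
];
for (const [user, event] of samples) {
  console.log(event.action, event.deviceId, verificationDecision(user, event, NOW).outcome);
}
```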

Further Reading

We recommend skimming through these articles to get a deeper understanding: