Zero-Trust Principle for Users
Before integrating yaan, learn the zero-trust security practices that eliminate 99% of account takeovers.
Before integrating yaan, we want to elaborate on what it actually takes to prevent Account Takeovers (ATOs) or similar attacks. This is very important and should be implemented by default.
The Basics
If you have not implemented 2FA or MFA yet, do that first. We are aware that this creates "extra" friction. Setting the obvious security benefit aside, as a matter of fact many browsers already support cloud-native syncing for passkeys or TOTP providers, so it is usually one click for users to add it to their vault, or to authenticate via Bitwarden, LastPass, 1Password, or native OS integrations such as Apple Passkeys, Windows Hello, Google Authenticator, etc.
Good places to enforce verification challenges:
- Every new login from an unrecognized device (we help with this)
- Password resets
- Payment or sensitive data actions
Even better, consider going passwordless entirely, using magic links in combination with MFA. Most modern auth frameworks, such as BetterAuth, Clerk, or Supabase Auth, have this built in, so it is often just a matter of enabling the feature. Or, if you're not a Soydev, well, you chose this path.
Where yaan Fits In
Think of 2FA and MFA as locking your front door. yaan is the security system inside the house.
Even after a user is fully authenticated, you still need to:
- Detect anomalous behavior post-login
- Monitor and flag suspicious actions in real time
- Block unusual patterns before damage is done
Checklist Before Integrating yaan
- MFA enabled (TOTP or Passkeys)
- SMS verification removed
- Passwordless auth considered (magic links + MFA)
Further Reading
We recommend skimming through these articles to get a deeper understanding: