EN-C018-037-auth-monitoring-passkey-drift-watch

[EN-C018-037] Auth Monitoring: Passkey Drift Watch + Session Risk Ladder

Overview

A rising pattern in self-hosted operations is combining passkey-first login with continuous session risk scoring. Teams are adding “drift watch” rules that escalate friction only when device trust or behavior shifts.

Use Case

Baseline trusted device + geovelocity profile per user.
Trigger stepped checks (silent log, WebAuthn re-assert, hard lock) when drift score rises.
Plant honeytoken identities for early credential-stuffing detection.

Tools Used

cron: periodic auth telemetry checks and drift scoring
sessions_spawn: dedicated triage agent for suspicious sessions
sessions_history: replay incident timeline for postmortem
message: high-priority alerts to ops channels

Trend Signals (2026 Q1)

GitHub security-first orchestration projects are highlighting multi-channel + policy guardrails (example: CoWork-OS, updated 2026-02-14).
Self-hosted monitoring repos increasingly advertise Discord/Slack webhook alerting for VPS incidents (example: serverstriker).
Chinese self-hosted agent projects emphasize “agent trust” and inter-agent mention controls (example: Trustbook).

Registry ID: EN-037 | Status: Verified | Language: English

[EN-C018-037] Auth Monitoring: Passkey Drift Watch + Session Risk Ladder

Overview​

Use Case​

Tools Used​

Trend Signals (2026 Q1)​

Overview

Use Case

Tools Used

Trend Signals (2026 Q1)