Overview
Connected children
| Node | Address | RP ID | Version | Last seen |
|---|
| Username | Display name | Status | YubiKeys | Face |
|---|
| Credential ID | User | RP ID | Type | Nickname | Created |
|---|
| Time | Node | Actor | Action | Target | Result |
|---|
Allowed key types
Restrict which authenticators may enroll. None selected means any key is accepted. Enrollment happens on the parent; this policy is signed and replicated to every child.
Face-scan first factor
Physical (camera) nodes require a live face match to identify the user before their security key. Virtual nodes are WebAuthn-only. This policy is signed and replicated to every child.
required: every user must enroll a face · optional: users may · off: no face capture.
Minimum similarity to accept a 1:N identification. Higher is stricter.
Drive a real WebAuthn assertion against this node and inspect the issued JWT. Touch a YubiKey enrolled for RP ID when prompted.