id.dekimu.com is the front door for every Dekimu app. One login flows through to InvoiceUp, miniterms, the Hub, every satellite. That kind of identity infrastructure has to clear the same security bar as a bank, not a SaaS dashboard. Today id.dekimu.com ships end-user multi-factor: TOTP, passkeys, recovery codes, and real step-up gating on sensitive actions.
Open Settings → Security in any Dekimu app and you'll see the new status panel. Enroll a TOTP factor with any authenticator app — 1Password, Bitwarden, Aegis, the built-in Apple or Android one. Add a passkey from the same screen with the platform's native prompt. We mint ten one-time recovery codes the moment the first factor lands; if you lose every device, those codes get you back in.
MFA at login is the easy half. The harder half is gating actions that should require fresh authentication even mid-session — deleting your account, rotating an API key, downgrading a plan. We added a freshness signal to the session and a step-up gate that intercepts privileged requests, prompts for a factor, and retries the original request once you've re-authenticated. Every sensitive surface across the ecosystem will route through it as we wire each one in.
MFA at login is table stakes. MFA on sensitive actions, mid-session, is the part most apps skip — and the part that matters.
The freshness signal travels with the session that every satellite verifies. That means a satellite can ask 'is this session fresh enough to delete data?' locally, without a separate round-trip to id.dekimu.com. Session refresh carries the signal through unchanged: refresh keeps you logged in, but it does not reset the freshness clock, so a refreshed session still has to step up before a sensitive action. Every consumer of the shared session library reads the same field from one canonical schema, so there is no drift between apps.
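To make the two mechanisms above concrete (the step-up gate that intercepts a privileged request, challenges, and retries, and a freshness clock that survives refresh), here is an added, self-contained example. It is not Dekimu's code or the shared session library's API; the HMAC-signed token format, the claim names (`mfa_time`, `amr`), the per-action `STEP_UP_POLICY` table and the `SIGNING_KEY` are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; assumed to be the secret shared with satellites, not a real one.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical policy: how recent (seconds) the last factor challenge must be, per action.
STEP_UP_POLICY = {
    "delete_account": 300,
    "rotate_api_key": 300,
    "downgrade_plan": 900,
}


class StepUpRequired(Exception):
    """Raised by the gate when the last factor challenge is too old for this action."""

    def __init__(self, action, max_age, age):
        super().__init__(f"{action} needs a factor within {max_age}s (last one {age}s ago)")
        self.action, self.max_age, self.age = action, max_age, age


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Serialise claims and HMAC them so any satellite can verify without calling the IdP."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify(token: str) -> dict:
    """Constant-time signature check; a tampered freshness claim fails here."""
    body, sig = token.split(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("session signature invalid")
    return json.loads(_unb64(body))


def login(sub: str, now: int, factors: list, ttl: int = 3600) -> str:
    """Full login: mfa_time records when a second factor was last proven."""
    return mint({"sub": sub, "iat": now, "exp": now + ttl,
                 "amr": sorted(factors), "mfa_time": now})


def refresh(token: str, now: int, ttl: int = 3600) -> str:
    """Extend the session. mfa_time is copied through untouched: refresh is not re-authentication."""
    claims = verify(token)
    if now >= claims["exp"]:
        raise ValueError("session expired; full login required")
    return mint({**claims, "iat": now, "exp": now + ttl})


def complete_challenge(token: str, factor: str, now: int) -> str:
    """Called only after the factor itself was verified; this is what resets the clock."""
    claims = verify(token)
    amr = sorted(set(claims["amr"]) | {factor})
    return mint({**claims, "amr": amr, "mfa_time": now})


def check_step_up(token: str, action: str, now: int) -> dict:
    """Satellite-side gate: decides from the signed claims alone, no identity round-trip."""
    claims = verify(token)
    if now >= claims["exp"]:
        raise ValueError("session expired")
    if action not in STEP_UP_POLICY:
        raise KeyError(f"no step-up policy for {action}")
    max_age = STEP_UP_POLICY[action]
    age = now - claims["mfa_time"]
    if age > max_age:
        raise StepUpRequired(action, max_age, age)
    return claims


def gated_request(token: str, action: str, now: int, prompt_for_factor):
    """Intercept a privileged request: run it, and on StepUpRequired drive the
    challenge (prompt_for_factor returns the name of the factor that was verified),
    mint the refreshed session and retry the original request exactly once.
    Returns (token, stepped_up)."""
    try:
        check_step_up(token, action, now)
        return token, False
    except StepUpRequired:
        factor = prompt_for_factor()
        token = complete_challenge(token, factor, now)
        check_step_up(token, action, now)  # retry; raises again only if the challenge failed
        return token, True
```

The point to notice is that `refresh` and `complete_challenge` are different operations on the same claim set: only the latter touches `mfa_time`, so a long-lived session that keeps refreshing still hits the gate the first time it tries to delete data.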
Hardware-key-only enforcement, admin-mandated MFA per workspace, and SCIM/SSO sit in the next bucket: they're real engineering work, and nothing the current audience needs is blocked on them. Recovery-code rotation is one click; passkey deletion is one click; an audit log entry fires on every enrollment and challenge event. Open Settings → Security and turn it on; there's no good reason to wait.