Anomalies, named.
Sign-in spikes from new IPs. Token-replay attempts. Refresh-token theft. The events TillAuth already surfaces, escalated with context and a runbook attached when they cross a threshold.
Sign-in spikes from new IPs. Token-replay attempts. Refresh-token theft. The events TillAuth already surfaces, escalated with context and a runbook attached when they cross a threshold.
Known-bad IPs, leaked-credential check at sign-in, device fingerprints with reputation. Updated continuously, applied by policy rather than per-request opt-in.
Adaptive auth, written as ordinary code. Demand MFA on first sign-in from a new country. Force a passkey on admin actions. Read the policies as code, version them, audit them.
You don't have to use the rest. But they fit together — same workspace, same audit log, same shortcut to switch between them. Add what you need when you need it.