Passwordless Authentication & Immutable Identity

    Configure cryptographic identity verification for workforce users, machines, workloads, and industrial endpoints.

    Identity | MFA/Passwordless | OT/IoT Ready
    Reading time: 9 min
    Last updated: 2026-01-01

    What You’ll Achieve

    Phishing-resistant access

    Replace passwords with cryptographic proof tied to device + user context.

    Immutable identity ledger

    Write authentication and posture events to tamper-evident logs.

    Unified policy enforcement

    Apply consistent rules across enterprise endpoints and OT/edge nodes.

    Prerequisites

    • QuantLayer Agent installed on endpoints (Windows, Linux, and supported OT/edge devices).
    • Device registered and visible under Assets & Devices with a healthy status (Connected / Registered).
    • Time sync enabled (NTP) for consistent audit timestamps (recommended for OT/ICS environments).
    • Admin role in QuantLayer to create policies and view identity events.

    OT note
    In segmented zones, deploy the identity service locally (on-prem) and allow only the required east-west (zone-to-zone) flows via policy. This supports air-gapped or restricted OT networks.

    Identity Flows Supported

    • Workforce: passwordless sign-in (FIDO2/passkeys), step-up policy based on risk.
    • Machine-to-machine: hardware-rooted device identity + mutual trust handshake.
    • Workloads: service identity for apps/agents with short-lived keys and rotation.
    • OT/ICS access: privileged remote access gated by device posture + zone policy.

    Setup Steps

    • Create an Identity Policy specifying allowed factors and required device posture.
    • Bind the policy to a scope (Users, Devices, Groups, OT zones, or IoT fleet tags).
    • Enable Immutable Identity Logging to record auth events, key changes, and posture drift.
    • Test with a pilot group, then expand scope to production.

    # QuantLayer Policy (illustrative)
    policy "Passwordless + Device Trust" {
      require factor = "passkey";               # phishing-resistant
      require device.posture = "healthy";       # secure boot / agent ok
      require zone = ["IT", "OT-RemoteAccess"]; # zone-aware

      when risk.score >= 70 {
        step_up factor = "hardware-key";        # optional step-up
        quarantine.session = true;              # contain until verified
      }

      log immutable = true;                     # write to identity ledger
    }
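To make the policy decision and the immutable ledger concrete, the following is an added Python sketch (not QuantLayer's code) that evaluates a sign-in context against the same rules as the illustrative policy and appends each decision to a hash-chained, tamper-evident log; the policy field names, event shapes and SHA-256 chaining are assumptions for illustration.

```python
import hashlib
import json

# Constructed values mirroring the illustrative "Passwordless + Device Trust" policy above.
POLICY = {
    "factor": "passkey",
    "posture": "healthy",
    "zones": {"IT", "OT-RemoteAccess"},
    "step_up_threshold": 70,
    "step_up_factor": "hardware-key",
}


def evaluate(ctx):
    """Hypothetical evaluator: decide one sign-in context against POLICY."""
    reasons = [name for name, ok in (
        ("factor", ctx.get("factor") == POLICY["factor"]),
        ("posture", ctx.get("posture") == POLICY["posture"]),
        ("zone", ctx.get("zone") in POLICY["zones"]),
    ) if not ok]
    if reasons:  # any hard requirement fails -> deny, no step-up offered
        return {"allow": False, "reasons": reasons, "step_up": None, "quarantine": False}
    # Hard rules pass; a high risk score triggers step-up and session quarantine.
    step_up = ctx.get("risk", 0) >= POLICY["step_up_threshold"]
    return {"allow": True, "reasons": [],
            "step_up": POLICY["step_up_factor"] if step_up else None,
            "quarantine": step_up}


def append_event(ledger, event):
    """Append an entry whose hash covers the previous hash and the event (hash chain)."""
    prev = ledger[-1]["hash"] if ledger else "0" * 64  # genesis sentinel
    digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    entry = {"prev": prev, "event": event, "hash": digest}
    ledger.append(entry)
    return entry


def verify_ledger(ledger):
    """True only if every entry re-hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for entry in ledger:
        expected = hashlib.sha256(
            (prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False  # edited, reordered or dropped entry detected
        prev = entry["hash"]
    return True
```

Editing any recorded event after the fact breaks the chain, which is what a tamper-evident identity ledger is meant to surface.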

    Verify & Troubleshoot

    • Confirm the device's Last Authenticated timestamp updates after sign-in.
    • Check Identity Events for key rotations, policy decisions, and posture signals.
    • If sign-in fails, validate the device clock, agent health, and the assigned policy scope.
    • For OT jump hosts, confirm the allowed conduits and that the local policy service is reachable.

    Next Steps

    • Create an Identity Policy.
    • View Identity Events.

    Best practice
    Treat identity as a continuous signal: re-check posture at session start, during access, and on policy-relevant events (e.g., config changes, drift, new binaries).