Claude-skill-registry account-security

Account security - MFA, sessions, recovery. Use when protecting user accounts.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/account-security" ~/.claude/skills/majiayu000-claude-skill-registry-account-security && rm -rf "$T"
manifest: skills/data/account-security/SKILL.md
source content

Account Security Guideline

Tech Stack

  • Auth: better-auth
  • Framework: Next.js

Non-Negotiables

  • Session/device visibility and revocation must exist: a user can list every session and device that holds access to their account and revoke any of them
  • All security-sensitive actions must be server-enforced and auditable: the server performs the authorization check itself (a client-side check is UI, not a control) and records who did what, from which session, and when
  • Account recovery must require step-up verification: a second, independent proof beyond the recovery email or link before access is restored
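The three non-negotiables as one small in-memory service, added here as an illustration; it is not code from the skill, from better-auth or from Next.js. The class and method names, the hex token scheme, the five-attempt and fifteen-minute limits, and the policy that recovery needs the emailed code plus an unused backup code are all assumptions made for the example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Hand-rolled illustration, not better-auth's API. Names, the hex token scheme and
// the recovery policy (emailed code AND an unused backup code) are assumptions.

export interface Session {
  id: string; tokenHash: string; userId: string; device: string; ip: string;
  createdAt: number; lastSeenAt: number; revokedAt: number | null;
}
export interface AuditEvent { at: number; userId: string; action: string; actor: string | null; detail: Record<string, string> }
interface Recovery { userId: string; emailCodeHash: string; expiresAt: number; attempts: number }

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");
const safeEq = (a: string, b: string): boolean =>
  a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));

export class AccountSecurity {
  private sessions = new Map<string, Session>();
  private recoveries = new Map<string, Recovery>();
  private backupCodeHashes = new Map<string, string[]>(); // userId -> hashed one-time codes
  readonly audit: AuditEvent[] = [];
  // Clock and randomness are injectable so the behaviour can be exercised offline.
  constructor(private now: () => number = Date.now,
              private random: (bytes: number) => string = (n) => randomBytes(n).toString("hex")) {}

  private log(userId: string, action: string, actor: string | null, detail: Record<string, string> = {}): void {
    this.audit.push({ at: this.now(), userId, action, actor, detail });
  }
  // Every action below goes through this: an unknown or revoked token is rejected server-side.
  private resolve(token: string): Session {
    const h = sha256(token);
    for (const s of Array.from(this.sessions.values())) {
      if (s.revokedAt === null && safeEq(s.tokenHash, h)) { s.lastSeenAt = this.now(); return s; }
    }
    throw new Error("unauthenticated");
  }

  // The raw token is handed out once; only its hash is stored.
  createSession(userId: string, device: string, ip: string): { token: string; sessionId: string } {
    const token = this.random(32), id = this.random(8);
    this.sessions.set(id, { id, tokenHash: sha256(token), userId, device, ip,
      createdAt: this.now(), lastSeenAt: this.now(), revokedAt: null });
    this.log(userId, "session.created", id, { device, ip });
    return { token, sessionId: id };
  }

  // Visibility: every session on the account, revoked ones included, with the caller's own marked.
  listSessions(token: string) {
    const me = this.resolve(token);
    return Array.from(this.sessions.values()).filter((s) => s.userId === me.userId)
      .map((s) => ({ id: s.id, device: s.device, ip: s.ip, lastSeenAt: s.lastSeenAt,
                     revoked: s.revokedAt !== null, current: s.id === me.id }));
  }

  // Revocation: ownership is checked on the server and both outcomes are audited.
  revokeSession(token: string, targetId: string): boolean {
    const me = this.resolve(token);
    const t = this.sessions.get(targetId);
    if (!t || t.userId !== me.userId) {
      this.log(me.userId, "session.revoke.denied", me.id, { target: targetId });
      return false;
    }
    if (t.revokedAt === null) t.revokedAt = this.now();
    this.log(me.userId, "session.revoked", me.id, { target: targetId });
    return true;
  }

  // Backup codes are the second proof recovery demands; stored hashed, consumed on use.
  issueBackupCodes(userId: string, count = 4): string[] {
    const codes = Array.from({ length: count }, () => this.random(5));
    this.backupCodeHashes.set(userId, codes.map(sha256));
    this.log(userId, "backup_codes.issued", null, { count: String(count) });
    return codes;
  }

  // Recovery step 1: the emailed code alone is deliberately not enough to finish.
  startRecovery(userId: string): { recoveryId: string; emailCode: string } {
    const recoveryId = this.random(8), emailCode = this.random(3);
    this.recoveries.set(recoveryId, { userId, emailCodeHash: sha256(emailCode),
      expiresAt: this.now() + 15 * 60_000, attempts: 0 });
    this.log(userId, "recovery.started", null, { recoveryId });
    return { recoveryId, emailCode }; // in practice the code goes out of band; returned here only for the demo
  }

  // Recovery step 2 (the step-up): emailed code AND an unused backup code. On success every
  // existing session is revoked, because needing recovery implies possible compromise.
  completeRecovery(recoveryId: string, emailCode: string, backupCode: string, device: string, ip: string):
      { token: string; sessionId: string } | null {
    const r = this.recoveries.get(recoveryId);
    if (!r || this.now() > r.expiresAt || ++r.attempts > 5) return null;
    const hashes = this.backupCodeHashes.get(r.userId) || [];
    const idx = hashes.findIndex((h) => safeEq(h, sha256(backupCode)));
    if (!safeEq(r.emailCodeHash, sha256(emailCode)) || idx < 0) {
      this.log(r.userId, "recovery.failed", null, { recoveryId }); // does not reveal which proof failed
      return null;
    }
    hashes.splice(idx, 1); // one-time use
    this.recoveries.delete(recoveryId);
    Array.from(this.sessions.values()).forEach((s) => {
      if (s.userId === r.userId && s.revokedAt === null) s.revokedAt = this.now();
    });
    this.log(r.userId, "recovery.completed", null, { recoveryId, sessionsRevoked: "all" });
    return this.createSession(r.userId, device, ip);
  }
}
```

Two design choices worth copying even if the rest is replaced by a library: denials are audited as well as successes (a user trying to revoke someone else's session is itself a signal), and a completed recovery revokes every pre-existing session rather than adding one more, since the reason for recovery may be that an attacker already holds one.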

Context

Account security is about giving users control over their own safety. Users should be able to see what's accessing their account, remove suspicious sessions, and understand when something unusual happens.

But it's also about protecting users from threats they don't know about. Compromised credentials, session hijacking and social engineering of support staff all require the service to detect them proactively, not just the user to be vigilant.
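A sketch of the kind of proactive detection this paragraph calls for, added here as an example and not code from the skill or the project. The sign-in event shape, the thresholds (900 km/h between two successes, five failures within ten minutes), the split between alerts that page security operations and alerts that notify the user, and the sample event stream are all constructed for the illustration.

```typescript
// Added example of detection over sign-in events; not the page's or the project's code.
// Event shape, thresholds and the sample stream are constructed for illustration.

export interface SignInEvent {
  at: number;                       // epoch milliseconds
  userId: string;
  outcome: "success" | "failure";
  deviceId: string;                 // stable device cookie or fingerprint id
  ip: string;
  geo: { country: string; lat: number; lon: number }; // from IP geolocation
}
export type AlertKind = "new_device" | "new_country" | "impossible_travel" | "failure_burst" | "success_after_failure_burst";
export interface Alert { at: number; userId: string; kind: AlertKind; detail: string; notifyUser: boolean }

interface UserState { devices: Set<string>; countries: Set<string>; lastSuccess: SignInEvent | null; failures: number[] }

// Great-circle distance (haversine), used by the impossible-travel check.
export function distanceKm(a: { lat: number; lon: number }, b: { lat: number; lon: number }): number {
  const rad = (d: number) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat), dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 + Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

export class SignInMonitor {
  private state = new Map<string, UserState>();
  // Assumed thresholds: >900 km/h between successes, 5 failures within 10 minutes.
  constructor(private maxSpeedKmh = 900, private failureWindowMs = 10 * 60_000, private failureBurst = 5) {}

  private stateFor(userId: string): UserState {
    let s = this.state.get(userId);
    if (!s) { s = { devices: new Set(), countries: new Set(), lastSuccess: null, failures: [] }; this.state.set(userId, s); }
    return s;
  }

  // Feed each user's events in chronological order; returns the alerts this event raises.
  observe(e: SignInEvent): Alert[] {
    const st = this.stateFor(e.userId);
    const alerts: Alert[] = [];
    const raise = (kind: AlertKind, detail: string, notifyUser: boolean): void => {
      alerts.push({ at: e.at, userId: e.userId, kind, detail, notifyUser });
    };
    st.failures = st.failures.filter((t) => e.at - t <= this.failureWindowMs);

    if (e.outcome === "failure") {
      st.failures.push(e.at);
      // A burst of failures is a SecOps signal (stuffing, spraying); the user is not paged per failed password.
      if (st.failures.length === this.failureBurst) raise("failure_burst", `${this.failureBurst} failures from ${e.ip}`, false);
      return alerts;
    }

    const firstEver = st.devices.size === 0; // the first success establishes the baseline
    if (!firstEver && !st.devices.has(e.deviceId)) raise("new_device", `device ${e.deviceId} from ${e.ip}`, true);
    if (!firstEver && !st.countries.has(e.geo.country)) raise("new_country", `first sign-in from ${e.geo.country}`, true);
    if (st.lastSuccess) {
      const km = distanceKm(st.lastSuccess.geo, e.geo);
      const hours = Math.max((e.at - st.lastSuccess.at) / 3_600_000, 1 / 60); // floor at one minute
      if (km / hours > this.maxSpeedKmh) raise("impossible_travel", `${Math.round(km)} km in ${hours.toFixed(2)} h`, true);
    }
    // The strongest signal: a success on an unknown device right after a failure burst.
    if (st.failures.length >= this.failureBurst && !st.devices.has(e.deviceId))
      raise("success_after_failure_burst", "likely credential stuffing; force step-up and notify", true);

    st.devices.add(e.deviceId); st.countries.add(e.geo.country); st.lastSuccess = e; st.failures = [];
    return alerts;
  }
}

// Constructed sample stream: u1 "travels" Berlin -> Tokyo in one hour on a new device;
// u2 sees five failures, then a success from an unknown device.
export const BERLIN = { country: "DE", lat: 52.52, lon: 13.405 };
export const TOKYO = { country: "JP", lat: 35.68, lon: 139.69 };
const T0 = 1_700_000_000_000, H = 3_600_000, M = 60_000;
const ev = (at: number, userId: string, outcome: "success" | "failure", deviceId: string, ip: string,
            geo: SignInEvent["geo"]): SignInEvent => ({ at, userId, outcome, deviceId, ip, geo });
export const SAMPLE_EVENTS: SignInEvent[] = [
  ev(T0, "u1", "success", "dev-A", "203.0.113.5", BERLIN),
  ev(T0, "u2", "success", "dev-Y", "203.0.113.8", BERLIN),
  ev(T0 + 2 * H, "u1", "success", "dev-A", "203.0.113.5", BERLIN),
  ev(T0 + 3 * H, "u1", "success", "dev-B", "198.51.100.7", TOKYO),
  ...[0, 1, 2, 3, 4].map((k) => ev(T0 + 4 * H + k * M, "u2", "failure", "dev-X", "192.0.2.9", BERLIN)),
  ev(T0 + 4 * H + 5 * M, "u2", "success", "dev-X", "192.0.2.9", BERLIN),
];

export function runSample(): Alert[] {
  const monitor = new SignInMonitor();
  const out: Alert[] = [];
  for (const e of SAMPLE_EVENTS) out.push(...monitor.observe(e));
  return out;
}
```

On the sample stream this yields three user-facing alerts for u1 (new device, new country, impossible travel) and, for u2, one operations-only alert at the fifth failure followed by two user-facing alerts when the unknown device succeeds. The `notifyUser` flag is the point: a failure burst alone would flood users with noise, while a success from an unknown device immediately after one is exactly the event a user needs to hear about and the service should meet with a forced step-up.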

Driving Questions

  • Can a user tell if someone else has access to their account?
  • What happens when an account is compromised — how fast can we detect and respond?
  • How does the recovery flow prevent social engineering attacks?
  • What security events should trigger user notification?
  • Where are we relying on user vigilance when we should be detecting threats?
  • What would a truly paranoid user want that we don't offer?