
Password & Identity Integrity Policy

Official platform documentation and governance guidance.

High-fidelity identity integrity framework ensuring high-entropy authentication, universal MFA enrollment, and persistent credential fortification across the global Nexly network.
FIDO2/NIST
Zero-Trust
v4.0.0

Enterprise Password & Identity Integrity Policy

1. Identity Integrity Mission

At Nexly.biz (the “Company”), we view identity as the primary perimeter of our architecture. Our mission is to ensure that every access vector is guarded by high-entropy credentials and multi-factor verification. We eliminate weak identity links to prevent unauthorized data extraction and protect the technical sovereignty of our educational fabric.

2. Structural Scope

This policy applies to all Nexly stakeholders, including employees, contractors, and partners. It covers authentication for internal communication tools (Slack/Teams), cloud administration portals (AWS/Azure/GCP), source code repositories (GitHub), and the core Nexly educational platform.

3. NIST-Aligned Authentication Logic

Nexly adheres to the NIST SP 800-63B guidelines. We prioritize password length (entropy) over frequent mandated rotations. Research indicates that frequent rotation leads to predictable patterns; we only mandate rotation upon evidence of potential compromise or for high-risk Service Accounts.

4. Password Complexity & Entropy Matrix

Credentials must meet the following minimum entropy benchmarks:

  • Length: Minimum 14 characters for standard users; 18+ for administrators.
  • Character Variants: Must include uppercase, lowercase, numeric, and special ASCII symbol characters.
  • Blacklist: Passwords cannot contain common words, "nexly", or data found in known credential dumps.
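The three benchmarks above can be enforced mechanically at password-set time. The checker below is an added illustration, not Nexly's own code: the per-role minimums and the "nexly" substring rule come from the policy, while the extra blocked words and the in-memory set of SHA-1 digests standing in for a breach-corpus lookup are constructed assumptions.

```python
import hashlib
import re

# Minimum lengths taken from the policy (14 for standard users, 18+ for administrators).
MIN_LENGTH = {"user": 14, "admin": 18}

# "nexly" is mandated by the policy; the remaining words are constructed examples of common terms.
BLOCKED_SUBSTRINGS = ("nexly", "password", "welcome", "qwerty")

# Constructed stand-in for a known-credential-dump lookup: SHA-1 digests of leaked passwords.
# A real deployment would query a breach corpus instead of a hard-coded set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2024!Summer2024", "Tr0ub4dor&3Tr0ub4dor")
}

# One regex per required character class; the symbol class covers printable ASCII punctuation.
CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[!-/:-@\[-`{-~]",
}


def evaluate_password(password: str, role: str = "user") -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    violations = []
    minimum = MIN_LENGTH[role]
    if len(password) < minimum:
        violations.append(f"length {len(password)} < {minimum} required for {role}")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, password):
            violations.append(f"missing {name} character")
    lowered = password.lower()
    for word in BLOCKED_SUBSTRINGS:
        if word in lowered:
            violations.append(f"contains blocked substring '{word}'")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        violations.append("appears in known credential dump")
    return violations
```

Returning every violation at once (rather than the first) lets the enrolment form report all problems in a single round trip.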

5. Universal MFA Mandate

Multi-Factor Authentication (MFA) is non-negotiable for all Nexly access. We prioritize phishing-resistant factors:

  • Tier 1 (Mandatory): Hardware Security Keys (FIDO2/YubiKey) or WebAuthn/Windows Hello.
  • Tier 2 (Fallback): Time-based One-Time Passwords (TOTP) via authorized apps (e.g., Google Authenticator).
  • Prohibited: SMS- or email-based 2FA, which is strictly prohibited due to SIM-swapping vulnerabilities.

6. SSO Integration & Centralized IAM

Nexly utilizes a centralized Identity and Access Management (IAM) suite with Single Sign-On (SSO) integration. Users must utilize the SSO gateway for all SaaS applications. This allows us to execute a "Universal Disconnect" protocol, revoking all access instantly across the entire ecosystem during offboarding.

7. Privileged Access Management (PAM)

Administrative access to production clusters requires "Privileged Access Management" (PAM) workflows. Administrators must utilize Just-in-Time (JIT) access grants, which expire automatically once the associated maintenance ticket is completed, minimizing the time window of elevated risk.

8. Mandatory Credential Hygiene

Users are provided with enterprise-grade Password Managers (e.g., 1Password/Bitwarden). Utilizing non-sanctioned password managers or "Saving Passwords" in browsers is prohibited. Sharing credentials between users is a "Primary Integrity Breach" subject to immediate disciplinary logic.

9. Systemic Lockout & Forensic Recovery

Our Brute-Force Shield triggers a permanent account lockout after 5 failed authentication attempts. Account recovery requires secondary out-of-band verification (e.g., manager approval or live video verification with the IT Security Desk) to prevent social-engineering bypass.

10. Persistent Phishing Resistance

Nexly conducts monthly "Heuristic Phishing Simulations" to identify personnel vulnerable to credential harvesting. Users who interact with simulated phishing nodes must undergo mandatory Remedial Identity Defense Training.

11. Credential Stuffing & Bot Defense

Our edge-gateways utilize real-time threat intelligence to identify and block connection attempts from IP addresses associated with credential-stuffing botnets. We actively cross-reference our user hashes against third-party breach databases to identify at-risk personnel.

12. Recursive Identity Auditing

Identity Command performs quarterly "Permission Scrubbing" to ensure that users have not accumulated "Access Debt"—permissions that are no longer required for their current role. "Ghost Accounts" (unclaimed or idle accounts) are purged automatically after 30 days of inactivity.

13. Identity & Access Command

To request an MFA reset, report a suspected credential compromise, or inquire about SAML/SSO integration for a new tool, please connect with Identity Command.

Identity & IAM Command

Response SLA: 4h Standard Triage • Protocol v4.0
