Email and password (Argon2id) with an optional authenticator code, via fastapi-users.
A second factor is required only for accounts that have enrolled one; the single-operator
MVP runs password-only. Sign-in issues the dashboard session cookie.
Risk report, not a clearance. You are responsible for the purchase decision.
Rules-based, informational only.