Additional Security Features

Authentication Method Policies

This guide covers how to configure the security policies that Descope provides for its authentication methods, and how to get the most protection out of them.

When authenticating users, Descope lets you add security policies that limit an attacker's ability to perform any kind of account takeover, such as a brute force attack, a rainbow table or dictionary attack, and more.

Password Based Authentication

When using Passwords as an authentication method, Descope provides the ability to set a password policy:

(Screenshot: password policy)

Each option narrows the attack surface in a different way. For example:

Password Entropy

Password entropy measures the unpredictability of a password or phrase, expressed in bits. Generally, more bits of entropy indicate a less predictable password, making it harder to crack. Attackers usually start with common passwords and phrases, such as birthdates, common names, and personal information.

These settings have a direct impact on the password entropy:

  • Minimum password length.
  • Require at least one lowercase letter.
  • Require at least one uppercase letter.
  • Require at least one number.
  • Require at least one non-alphanumeric character.

Using an uncommon and complex password will make attackers work harder and longer to obtain the password.
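To show how the five settings above translate into an entropy estimate, here is an added example (not Descope's code or API) that validates a candidate password against a policy and reports an upper-bound entropy in bits. The policy field names and the character-class sizes are assumptions made for this example; the entropy figure is the usual length times log2(alphabet size) bound, which is what a truly random password drawing from those classes would have.

```python
import math
import string

# Constructed policy mirroring the settings named above.
# Field names are assumptions for this example, not Descope's API.
DEFAULT_POLICY = {
    "min_length": 8,
    "require_lowercase": True,
    "require_uppercase": True,
    "require_number": True,
    "require_non_alphanumeric": True,
}

# Size of each character class (printable ASCII); assumed for the estimate.
CLASS_SIZES = {
    "lowercase": 26,
    "uppercase": 26,
    "number": 10,
    "non_alphanumeric": len(string.punctuation),  # 32 symbols
}


def character_classes(password):
    """Return the set of character classes the password actually uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("number")
        elif ch in string.punctuation:
            classes.add("non_alphanumeric")
    return classes


def estimate_entropy_bits(password):
    """Upper-bound entropy: length * log2(size of the alphabet the password draws from).

    A real password chosen by a human is usually far below this bound, which is
    why the policy also needs length and class requirements, not just a number.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    if not password or alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_policy(password, policy=DEFAULT_POLICY):
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    classes = character_classes(password)
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    for cls in ("lowercase", "uppercase", "number", "non_alphanumeric"):
        if policy[f"require_{cls}"] and cls not in classes:
            violations.append(f"missing {cls} character")
    return violations


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):  # constructed sample inputs
        print(candidate, round(estimate_entropy_bits(candidate), 1), "bits",
              check_policy(candidate) or "accepted")
```

Each requirement that is switched on removes a whole family of low-entropy candidates (all-lowercase words, digit-only PINs) from the set of passwords the system will accept, which is the "coverage" each option adds.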

Password Expiration

Descope allows forcing the user to change the password periodically, and to choose a password that differs from those in the user's password history, using these settings:

  • Enable password expiration, with a configurable password expiration period.
  • Prevent password reuse, with a configurable number of previous passwords to remember.

A password change can disrupt an attacker's progress in obtaining the password.

Account Lock

Descope allows locking the account after a certain number of failed attempts, using this setting:

  • Lock account after X attempts.

An attacker trying to guess a password may lock the account instead. The lock can also alert the end user that the account is under attack and prompt them to change their account details.

OTP Based Authentication

Descope allows setting the expiration time for the code used in the OTP and TOTP authentication methods.

(Screenshot: OTP policy)

In addition, Descope provides a strict retry policy:

  • One-Time Password (OTP): maximum attempts are 3. After that, the correct OTP code can no longer be used, and the user is not locked.
  • Time-based One-Time Password (TOTP): maximum attempts are 20 over 30 seconds. When that limit is reached, the user is locked.
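The three retry behaviours described on this page (lock the account after X failed password attempts; invalidate a single-use OTP after 3 failures without locking the user; lock the user after 20 TOTP attempts within a 30-second window) are worth seeing side by side. The following is an added example that models them, not Descope's implementation. Class names, the choice to count only failed attempts toward the TOTP window, and the injected `clock` and code-checking callbacks are assumptions made for this example.

```python
import time
from collections import deque


class PasswordLoginGuard:
    """Account lock: after max_attempts consecutive failed logins the account is
    locked until an out-of-band unlock; a successful login resets the counter.
    check_password is any callable(password) -> bool (assumed; a real system
    compares against a stored password hash)."""

    def __init__(self, check_password, max_attempts=5):
        self.check_password = check_password
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return "locked"
        if self.check_password(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "wrong"


class OtpVerifier:
    """Single-use OTP: after max_attempts wrong codes the code is invalidated,
    so even the correct code is rejected afterwards, but the user is not locked."""

    def __init__(self, code, max_attempts=3):
        self.code = code
        self.max_attempts = max_attempts
        self.failures = 0
        self.invalidated = False

    def verify(self, submitted):
        if self.invalidated:
            return "invalidated"
        if submitted == self.code:
            self.invalidated = True  # a correct code is consumed on first use
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.invalidated = True
        return "wrong"


class TotpVerifier:
    """TOTP: failed attempts are kept in a sliding window; reaching max_attempts
    within window_seconds locks the user. check_code is a callable(code) -> bool
    (assumed; a real one runs the TOTP algorithm against the user's secret).
    clock is injectable so the window can be exercised deterministically."""

    def __init__(self, check_code, max_attempts=20, window_seconds=30,
                 clock=time.monotonic):
        self.check_code = check_code
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock
        self.failures = deque()  # timestamps of failed attempts, oldest first
        self.locked = False

    def verify(self, submitted):
        if self.locked:
            return "locked"
        if self.check_code(submitted):
            return "ok"
        now = self.clock()
        self.failures.append(now)
        # Drop failures that have aged out of the window.
        while self.failures and now - self.failures[0] > self.window_seconds:
            self.failures.popleft()
        if len(self.failures) >= self.max_attempts:
            self.locked = True
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed sample run: three wrong OTP codes, then the real one.
    otp = OtpVerifier("123456", max_attempts=3)
    print([otp.verify(c) for c in ("000000", "111111", "222222", "123456")])
```

The design difference is deliberate: an OTP is a short-lived secret, so burning the code is enough and the legitimate user simply requests a new one, whereas a TOTP secret is long-lived, so a burst of guesses has to stop the account itself. The password guard counts consecutive failures with no window, matching the "lock after X attempts" setting.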

Descope also provides the ability to set the link expiration for Magic Link, Enchanted Link, Embedded Link and nOTP.

(Screenshot: link policy)

Once the link expires, it is no longer available for use.
