Passwords

Customize your Password authentication flow from the Descope console (Settings > Authentication Methods > Passwords).

The Passwords Authentication Method lets you authenticate end users using a secret string of characters known only to the user.

Descope recommends using an email address as the user identifier; this allows you to utilize passwordless methods like Magic Link in addition to passwords. These methods could be used for authentication when users forget their password or need to reset it easily.

Password Settings

Password Policy

Password policy forces users to select more robust passwords. We have chosen a default policy that corresponds with current best practices. You can change the password policy to make it more or less restrictive. Note that if you desire more restrictions, it may be harder for your users to remember the password they have chosen, and if you choose a less restrictive policy, passwords may be more easily compromised.

Note

Password policy can also be overridden at a tenant level. More information about tenant level password policy can be found here.

All Settings

| Setting | Details | Range [default] |
| --- | --- | --- |
| Enable method in API and SDK | This toggle switch enables or disables the authentication method from being available for use within API and SDK. | Enabled/[Disabled] |
| Minimum Password Length | Require users to choose a password equal to or longer than the number of characters specified. | 5-64 [8] |
| Require at least one lowercase character | Require users to use at least one lowercase character in their password. | [Checked]/Unchecked |
| Require at least one uppercase character | Require users to use at least one uppercase character in their password. | [Checked]/Unchecked |
| Require at least one number | Require users to use at least one numeric character (0-9) in their password. | [Checked]/Unchecked |
| Require at least one special character | Require users to use at least one non-alphanumeric character in their password. | [Checked]/Unchecked |
| Enable Password Expiration | When enabled, the user's password will expire after a specified period (in weeks), and the user will have to change their password. | Checked/[Unchecked]; 1-999 [26] weeks |
| Prevent Password Reuse | Specify how many previously used user passwords Descope will remember. When selecting a new password (e.g., after reset or password expiration), Descope will not allow using any previously used passwords. | Checked/[Unchecked]; 10-50 [10] |
| Lock account after x attempts | When a user enters an incorrect password more than x times, the user will be locked and unable to log in again. | Checked/[Unchecked]; 2-10 [5] |
| Temporary lock after x attempts, for y minutes | When a user enters an incorrect password more than x times, the user will be temporarily locked and unable to log in for y minutes. After y minutes the user will be able to log in again. | Checked/[Unchecked]; 1-10 [3]; 1-1440 [5] minutes |
| Connector | Who will be listed as the sender of the enchanted link. The default is Descope. | |
| Template | If you are using a customized connector, you can change the template of the email which your user will receive. The default is System. | |

Password Policy Using Tenants

When a user belongs to multiple tenants, a key consideration is determining which tenant's policy takes precedence. From a security standpoint, if a user is subject to multiple policies, the most stringent policy will be enforced rather than the more lenient one. While Descope provides all the password policy settings mentioned above, the following list outlines the criteria for stricter policies and how they are applied in practice:

| Setting | Details |
| --- | --- |
| Minimum Password Length | The setting with the lowest number. |
| Require at least one lowercase character | The policy will be enforced if there is at least one tenant with this setting active. |
| Require at least one uppercase character | The policy will be enforced if there is at least one tenant with this setting active. |
| Require at least one number | The policy will be enforced if there is at least one tenant with this setting active. |
| Require at least one special character | The policy will be enforced if there is at least one tenant with this setting active. |
| Enable Password Expiration | The policy will be enforced if there is at least one tenant with this setting active; the setting with the lowest number applies. |
| Prevent Password Reuse | The policy will be enforced if there is at least one tenant with this setting active; the setting with the lowest number applies. |
| Lock account after x attempts | The policy will be enforced if there is at least one tenant with this setting active; the setting with the lowest number applies. |
| Temporary lock after x attempts, for y minutes | The policy will be enforced if there is at least one tenant with this setting active; the setting with the lowest number applies. |
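
The precedence rules in the table above, worked through as an added Python example (not Descope's code or SDK). The TenantPolicy class, its field names and the two sample tenants are assumptions made for illustration; the temporary-lock setting is left out because the table does not say how its two numbers combine.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class TenantPolicy:
    """One tenant's password policy (hypothetical model); None = setting off."""
    min_length: int = 8
    lowercase: bool = True
    uppercase: bool = True
    number: bool = True
    special: bool = True
    expiration_weeks: Optional[int] = None
    reuse_history: Optional[int] = None
    lock_after_attempts: Optional[int] = None

def _lowest_enabled(values: Iterable[Optional[int]]) -> Optional[int]:
    """Active if any tenant enables it; the lowest enabled number is used."""
    enabled = [v for v in values if v is not None]
    return min(enabled) if enabled else None

def effective_policy(policies: List[TenantPolicy]) -> TenantPolicy:
    """Combine the policies of all of a user's tenants as the table lists them."""
    if not policies:
        raise ValueError("user must belong to at least one tenant")
    return TenantPolicy(
        min_length=min(p.min_length for p in policies),  # table: lowest number
        lowercase=any(p.lowercase for p in policies),
        uppercase=any(p.uppercase for p in policies),
        number=any(p.number for p in policies),
        special=any(p.special for p in policies),
        expiration_weeks=_lowest_enabled(p.expiration_weeks for p in policies),
        reuse_history=_lowest_enabled(p.reuse_history for p in policies),
        lock_after_attempts=_lowest_enabled(p.lock_after_attempts for p in policies),
    )

def violations(password: str, policy: TenantPolicy) -> List[str]:
    """Return the names of the character rules in `policy` that `password` fails."""
    checks = [
        (len(password) >= policy.min_length, "length"),
        (not policy.lowercase or any(c.islower() for c in password), "lowercase"),
        (not policy.uppercase or any(c.isupper() for c in password), "uppercase"),
        (not policy.number or any(c in "0123456789" for c in password), "number"),
        (not policy.special or any(not c.isalnum() for c in password), "special"),
    ]
    return [name for ok, name in checks if not ok]

# Constructed sample tenants, not real configurations.
TENANT_A = TenantPolicy(min_length=12, special=False, expiration_weeks=26)
TENANT_B = TenantPolicy(uppercase=False, expiration_weeks=52, lock_after_attempts=5)
```

A user in both sample tenants must satisfy the uppercase rule from tenant A and the special-character rule from tenant B, even though each tenant disables one of them.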

Reset Password Email

This email will be sent to the user via the Magic Link method when the end user initiates a password reset process (e.g. when the user clicks the “forgot my password” link or when triggered by the admin in the Descope Console or API).

On the authentication methods page, you can find the Reset Password Email settings. Here you can customize the email connector used to send the reset password email, as well as the email template.

Reset Password Settings

Reset Password In flows

You can also use the Send Password Reset action within your flow.

Send Password Reset

Within this action, you can customize the email connector used to send the reset password email, as well as the email template. Additionally, you can select custom token verification, so that you can include additional conditions before verifying. This is useful for detecting whether an email scanner has clicked on the magic link in the email, and for preventing token verification in that scenario.

Password Reset Action
