Passwords

Customize your Password authentication flow from the Descope console (Settings > Authentication Methods > Passwords).

The Passwords Authentication Method lets you authenticate end users using a secret string of characters known only to the user.

Descope recommends using an email address as the user identifier; this allows you to utilize passwordless methods like Magic Link in addition to passwords. These methods could be used for authentication when users forget their password or need to reset it easily.

Password Settings

Password Policy

Password policy forces users to select more robust passwords. We have chosen a default policy that corresponds with current best practices. You can change the password policy to make it more or less restrictive. Note that if you desire more restrictions, it may be harder for your users to remember the password they have chosen, and if you choose a less restrictive policy, passwords may be more easily compromised.

Note

Password policy can also be overridden at a tenant level. More information about tenant level password policy can be found here.

All Settings

| Setting | Details | Range [default] |
|---|---|---|
| Enable method in API and SDK | This toggle switch enables or disables the authentication method from being available for use within API and SDK | Enabled/[Disabled] |
| Minimum Password Length | Require users to choose a password equal to or longer than the number of characters specified. | 5-64 [8] |
| Require at least one lowercase character | Require users to use at least one lowercase character in their password. | [Checked]/Unchecked |
| Require at least one uppercase character | Require users to use at least one uppercase character in their password. | [Checked]/Unchecked |
| Require at least one number | Require users to use at least one numeric character (0-9) in their password. | [Checked]/Unchecked |
| Require at least one special character | Require users to use at least one non-alphanumeric character in their password. | [Checked]/Unchecked |
| Enable Password Expiration | When enabled, the user's password will expire after a specified period (in weeks), and the user will have to change their password. | Checked/[Unchecked] 1-999 [26] weeks |
| Prevent Password Reuse | Specify how many previously used user passwords Descope will remember. When selecting a new password (e.g., after reset or password expiration), Descope will not allow using any previously used passwords. | Checked/[Unchecked] 10-50 [10] |
| Lock account after x attempts | When a user enters an incorrect password more than x times, the user will be locked and unable to log in again. | Checked/[Unchecked] 2-10 [5] |
| Temporary lock after x attempts, for y minutes | When a user enters an incorrect password more than x times, the user will be temporarily locked and unable to log in for y minutes. After y minutes the user will be able to log in again. | Checked/[Unchecked] 1-10 [3], 1-1440 [5] minutes |
| Connector | Who will be listed as the sender of the enchanted link. The default is Descope. | |
| Template | If you are using a customized connector, you can change the template of the email which your user will receive. The default is System. | |

Additional Details

This section describes additional details about the configuration options available.

Reset Password Email

This email will be sent to the user via the Magic Link method when the end user initiates a password reset process (e.g. when the user clicks the “forgot my password” link or when triggered by the admin in the Descope Console or API).

Method

You can define which method to use (Magic Link). Descope recommends using Magic Link as it is more suitable for password reset processes.

Connector

You can define what email connector Descope will use to send the reset password email.

Email Connector

Descope supports sending email OTP messages using your email messaging provider, such as AWS SES, SendGrid, or a generic SMTP service. You can configure an email messaging connector by going to the connectors page within the Descope console and searching for the supported email messaging connectors. Then, on the OTP authentication method page, you can select the configured connector and customize the template if you would like.

Email Subject

The subject of the email that the end user will receive.

Email Body

The HTML content used to create the email body. You can edit the email; however, keep the provided placeholders for the Magic Link to function correctly.

Number Of Password Failed Attempts

When Hide sensitive error information is turned off, Descope returns the sequential number of the login attempt when password authentication fails. This number lets the end user or the Descoper see how many login attempts, if any, remain for that user. Some implementations show the number of attempts left, while others show only a warning such as "this is your last attempt", based on the maximum number of login attempts that the password policy allows. An example response:

Hide sensitive error information turned off:

[E062901]: Invalid signin credentials
 
Wrong password or unknown user - attempt #1

Hide sensitive error information turned on:

[E062903]: Password signin failed
 
Wrong password or unknown user - 

Temporary Lockout Time

When using Temporary lock after x attempts, for y minutes, Descope returns the time left in the lockout. This lets the end user or the Descoper see how long it will be until the user can log in again. An example response:

[E062903]: Password signin failed
 
User temporarily locked, try again in 1 minute - 60
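
The attempt counter and lockout time described in the two sections above can be turned into end-user messages as follows. This is an added example, not Descope SDK code: it parses the two-line text exactly as shown in the example responses, and the function names, the maxAttempts parameter, and the reading of the trailing lockout number as seconds are assumptions.

```javascript
// Added example, not Descope SDK code. Input is the two-line text shown in the
// example responses; how your SDK surfaces it is outside this sketch.
const SAMPLES = { // copied from the example responses on this page
  counted: "[E062901]: Invalid signin credentials\n \nWrong password or unknown user - attempt #1",
  hidden: "[E062903]: Password signin failed\n \nWrong password or unknown user - ",
  locked: "[E062903]: Password signin failed\n \nUser temporarily locked, try again in 1 minute - 60",
};

// maxAttempts: the "x" configured in your lock setting (hypothetical parameter).
function parseSigninFailure(text, maxAttempts) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const head = /^\[(E\d+)\]:\s*(.*)$/.exec(lines[0] || "");
  if (!head) return { kind: "unknown" };
  const code = head[1];
  const detail = lines[1] || "";

  const lock = /^User temporarily locked\b.*-\s*(\d+)$/.exec(detail);
  if (lock) {
    // Assumption: the trailing number is the remaining lockout in seconds.
    return { kind: "locked", code, secondsLeft: Number(lock[1]) };
  }
  const counted = /-\s*attempt #(\d+)$/.exec(detail);
  if (!counted) {
    // "Hide sensitive error information" is on: no counter to show.
    return { kind: "failed", code, attempt: null, attemptsLeft: null };
  }
  const attempt = Number(counted[1]);
  // Assumption: the lock engages once the counter reaches maxAttempts.
  return { kind: "failed", code, attempt, attemptsLeft: Math.max(0, maxAttempts - attempt) };
}

// Turn the parsed state into end-user text without echoing server strings.
function userMessage(state) {
  if (state.kind === "locked") {
    const minutes = Math.ceil(state.secondsLeft / 60);
    return `Too many attempts. Try again in ${minutes} minute${minutes === 1 ? "" : "s"}.`;
  }
  if (state.kind !== "failed") return "Sign-in failed.";
  if (state.attemptsLeft === 1) return "Wrong email or password. This is your last attempt.";
  if (state.attemptsLeft > 1) return `Wrong email or password. ${state.attemptsLeft} attempts left.`;
  return "Wrong email or password.";
}
```

With Hide sensitive error information turned on, the parser falls through to the generic message, so the same client code works under either setting.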