Passwords
Customize your Password authentication flow from the Descope console (Settings > Authentication Methods > Passwords).
The Passwords Authentication Method lets you authenticate end users using a secret string of characters known only to the user.
Descope recommends using an email address as the user identifier; this allows you to utilize passwordless methods like Magic Link in addition to passwords. These methods could be used for authentication when users forget their password or need to reset it easily.
Password Settings
Password Policy
Password policy forces users to select more robust passwords. We have chosen a default policy that corresponds with current best practices. You can change the password policy to make it more or less restrictive. Note that if you desire more restrictions, it may be harder for your users to remember the password they have chosen, and if you choose a less restrictive policy, passwords may be more easily compromised.
Note
Password policy can also be overridden at a tenant level. More information about tenant level password policy can be found here.
All Settings
Setting | Details | Range [default] |
---|---|---|
Enable method in API and SDK | This toggle switch enables or disables the authentication method from being available for use within API and SDK | Enabled/[Disabled] |
Minimum Password Length | Require users to choose a password equal to or longer than the number of characters specified. | 5-64 [8] |
Require at least one lowercase character | Require users to use at least one lowercase character in their password. | [Checked]/Unchecked |
Require at least one uppercase character | Require users to use at least one uppercase character in their password. | [Checked]/Unchecked |
Require at least one number | Require users to use at least one numeric character (0-9) in their password. | [Checked]/Unchecked |
Require at least one special character | Require users to use at least one non-alphanumeric character in their password. | [Checked]/Unchecked |
Enable Password Expiration | When enabled, the user's password will expire after a specified period (in weeks), and the user will have to change their password. | Checked/[Unchecked] 1-999 [26] weeks |
Prevent Password Reuse | Specify how many previously used user passwords Descope will remember. When selecting a new password (e.g., after reset or password expiration), Descope will not allow using any previously used passwords. | Checked/[Unchecked] 10-50 [10] |
Lock account after x attempts | When a user enters an incorrect password more than x times, the user will be locked and unable to log in again. | Checked/[Unchecked] 2-10 [5] |
Connector | Who will be listed as the sender of the enchanted link. The default is Descope. | |
Template | If you are using a customized connector, you can change the template of the email which your user will receive. The default is System. | |
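As an added example (not Descope's code or SDK), the following Python code models the settings table above locally: it rejects values outside the listed ranges and reports which complexity rules a candidate password fails, which is useful for pre-submit feedback or for checking a tenant-level override before applying it. The class and field names are hypothetical, and matching letters and digits as ASCII is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
import string

# Allowed ranges from the settings table; None below means "unchecked".
RANGES = {"min_length": (5, 64), "expiration_weeks": (1, 999),
          "reuse_history": (10, 50), "lock_after": (2, 10)}


@dataclass(frozen=True)
class PasswordPolicy:
    """Local model of the table (hypothetical names); defaults = bracketed values."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_number: bool = True
    require_special: bool = True
    expiration_weeks: Optional[int] = None
    reuse_history: Optional[int] = None
    lock_after: Optional[int] = None

    def __post_init__(self):
        # Reject values outside the table's ranges, e.g. a tenant override typo.
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if value is not None and not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}-{high}")

    def violations(self, password: str) -> list:
        """Return every complexity rule the candidate fails (empty list = OK)."""
        # Assumption: letters and digits are matched as ASCII; anything that is
        # not alphanumeric counts as a special character.
        rules = [
            (True, len(password) >= self.min_length,
             f"must be at least {self.min_length} characters"),
            (self.require_lower, any(c in string.ascii_lowercase for c in password),
             "needs a lowercase character"),
            (self.require_upper, any(c in string.ascii_uppercase for c in password),
             "needs an uppercase character"),
            (self.require_number, any(c in string.digits for c in password),
             "needs a number (0-9)"),
            (self.require_special, any(not c.isalnum() for c in password),
             "needs a special character"),
        ]
        return [msg for enabled, ok, msg in rules if enabled and not ok]


if __name__ == "__main__":
    default = PasswordPolicy()
    for candidate in ("summer2024", "Tr1cky-Horse"):  # constructed samples
        print(candidate, "->", default.violations(candidate) or "meets policy")
```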
Additional Details
This section describes additional details about the configuration options available.
Reset Password Email
This email will be sent to the user via the Magic Link method when the end user initiates a password reset process (e.g. when the user clicks the “forgot my password” link or when triggered by the admin in the Descope Console or API).
Method
You can define which method to use (Magic Link). Descope recommends using Magic Link as it is better suited to the password reset process.
Connector
You can define what email connector Descope will use to send the reset password email.
Email Connector
Descope supports sending email OTP messages using your email messaging provider, such as AWS SES, SendGrid, or a generic SMTP service. You can configure an email messaging connector by going to the connectors page within the Descope console and searching for the supported email messaging connectors. Then, on the OTP authentication method page, you can select the configured connector and customize the template if you would like.
Email Subject
The subject of the email that the end user will receive.
Email Body
The HTML content used to create the email body. You can edit the email; however, keep the provided placeholders for the Magic Link to function correctly.
Number Of Password Failed Attempts
Descope will return the sequential number of login attempts when trying to authenticate with passwords. When used, the number can provide visibility for the end user or for the Descoper to know how many attempts for login are left for the specific user, if any. Some use cases will include showing the number of attempts left, while some may show only a warning that "this is your last attempt" with correlation to the password policy, which dictates the maximum number of login attempts allowed. An Example Response: