Authentication Method Policies
This guide covers the security policies Descope provides for each authentication method and how to configure them for the strongest protection.
When authenticating users, Descope lets you add security policies that limit an attacker's ability to take over an account, whether by brute force, dictionary or rainbow-table attacks on passwords, or by similar guessing techniques.
Password Based Authentication
When using Passwords as an authentication method, Descope provides the ability to set a password policy. Each option narrows the attack surface in a different way. Examples:
Password Entropy
Password entropy measures how unpredictable a password or phrase is, expressed in bits. More bits means more guesses an attacker needs on average, so the password is harder to crack. Attackers usually start with common passwords and phrases, such as birthdates, common names and other personal information, so a password drawn from that space has far less effective entropy than its length suggests.
These settings have a direct impact on the password entropy:
- Minimum password length.
- Require at least one lowercase letter.
- Require at least one uppercase letter.
- Require at least one number.
- Require at least one non-alphanumeric character.
Using an uncommon, sufficiently long and complex password makes attackers work harder and longer to obtain it.
Password Expiration
Descope can force the user to change the password periodically, and to choose one that differs from the passwords in their history, using these settings:
- Enable password expiration, with the password expiration period.
- Prevent password reuse, with the number of previous passwords to remember.
A forced change limits how long a password an attacker has already obtained, or is still working on, remains valid. Note that current guidance such as NIST SP 800-63B favours rotating passwords when compromise is suspected rather than on a fixed schedule, since frequent forced changes tend to push users toward predictable variations of the old password.
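The following is an added example for this page, not Descope's code or configuration: a small checker that mirrors the entropy and reuse settings above. The `Policy` field names, the 95-character pool, the SHA-256 history digest and the tiny common-password list are constructed assumptions; a production history store keeps salted slow hashes and compares with their verify call.

```python
import hashlib
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Mirrors the settings listed above; the field names are assumptions."""
    min_length: int = 8
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    prevent_reuse: int = 5          # how many previous passwords to remember (0 = off)


# Character classes with the size of each pool, used for the entropy estimate.
# Symbols: the 32 ASCII punctuation characters plus space.
CLASSES = {
    "lowercase": (frozenset(string.ascii_lowercase), 26),
    "uppercase": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}

# Constructed stand-in for the common-password lists attackers try first.
COMMON_PASSWORDS = frozenset({"password", "passw0rd!", "qwerty123", "letmein", "summer2024"})


def uses_class(password: str, name: str) -> bool:
    return any(c in CLASSES[name][0] for c in password)


def entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(pool), where the pool is the union of the
    classes the password actually uses. Real entropy is lower for anything built
    from words, dates or keyboard patterns, which is why the deny-list check exists."""
    pool = sum(size for name, (_, size) in CLASSES.items() if uses_class(password, name))
    return len(password) * math.log2(pool) if pool else 0.0


def history_digest(password: str) -> str:
    """Digest kept in the reuse history. Illustration only: a production store keeps
    salted slow hashes (bcrypt, Argon2) and checks candidates with their verify call."""
    return hashlib.sha256(password.encode()).hexdigest()


def violations(password: str, policy: Policy, previous_digests=()) -> list:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    required = [("lowercase", policy.require_lower), ("uppercase", policy.require_upper),
                ("digit", policy.require_digit), ("symbol", policy.require_symbol)]
    for name, needed in required:
        if needed and not uses_class(password, name):
            problems.append(f"missing {name} character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    # prevent_reuse == 0 is guarded explicitly: history[-0:] would be the whole history.
    recent = list(previous_digests)[-policy.prevent_reuse:] if policy.prevent_reuse else []
    if history_digest(password) in recent:
        problems.append(f"reuses one of the last {policy.prevent_reuse} passwords")
    return problems


def evaluate(password: str, policy: Policy = Policy(), previous_digests=()) -> dict:
    """Combine the entropy estimate and the policy verdict for one candidate password."""
    return {"bits": round(entropy_bits(password), 1),
            "violations": violations(password, policy, previous_digests)}


if __name__ == "__main__":
    history = [history_digest("OldPass1!")]          # constructed previous password
    for candidate in ("Passw0rd!", "correcthorsebatterystaple", "OldPass1!", "Tr0ub4dor&3-again"):
        print(candidate, evaluate(candidate, Policy(), history))
```

Two things to notice when running it: `Passw0rd!` scores about 59 bits on the pool estimate yet is rejected by the deny-list, which is the honest verdict; and the 25-letter passphrase scores about 117 bits while failing three of the class rules under the default policy. The minimum length setting is the one that moves entropy most; the class requirements mainly stop very short passwords and should be set so they do not reject long passphrases.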
Account Lock
Descope can lock the account after a given number of failed attempts, using this setting:
- Lock account after X attempts.
An attacker guessing passwords will trip the lock, which stops the online attack and flags to the end user that the account is under attack so they can change their credentials. Bear in mind that a lockout can also be triggered deliberately against a known username to deny the legitimate user access, so pair it with a notification and a recovery path.
OTP Based Authentication
Descope allows setting the expiration time for the code used in the OTP and TOTP authentication methods.
In addition, Descope provides a strict retry policy:
- One-Time Password (OTP): at most 3 attempts. After the third failed attempt the correct code can no longer be used, but the user is not locked.
- Time-based One-Time Password (TOTP): at most 20 attempts within 30 seconds. When that limit is reached, the user is locked.
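As an added example covering the account-lock setting and the OTP and TOTP retry rules above, the following reference model enforces each rule and shows how they differ: the password lock and the TOTP window lock the user, while the OTP rule only invalidates the code. This is constructed for this page and is not Descope's implementation; the class names, `Outcome` labels, the lock threshold of 5 and the sample values are assumptions, and time is passed in explicitly so the model runs deterministically offline.

```python
from collections import deque
from enum import Enum
import hmac


class Outcome(Enum):
    OK = "ok"
    INVALID = "invalid"        # wrong secret; the user may try again
    EXPIRED = "expired"        # code is past its expiry time
    CONSUMED = "consumed"      # OTP invalidated after too many tries; user not locked
    LOCKED = "locked"          # account locked; even the correct secret is refused


def _match(expected: str, given: str) -> bool:
    """Constant-time comparison so response timing does not leak matching prefixes."""
    return hmac.compare_digest(expected.encode(), given.encode())


class PasswordGuard:
    """'Lock account after X attempts': failures accumulate until the lock trips."""
    def __init__(self, password: str, max_attempts: int):
        self._password = password   # a real store keeps a salted slow hash, not the password
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, given: str) -> Outcome:
        if self.locked:
            return Outcome.LOCKED
        if _match(self._password, given):
            self.failures = 0
            return Outcome.OK
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return Outcome.LOCKED
        return Outcome.INVALID


class OtpGuard:
    """OTP: 3 attempts. After the third failure the correct code is dead, but the
    user is not locked. The code also stops working at its expiry time."""
    MAX_ATTEMPTS = 3

    def __init__(self, code: str, expires_at: float):
        self._code = code
        self.expires_at = expires_at
        self.attempts = 0
        self.consumed = False

    def verify(self, given: str, now: float) -> Outcome:
        if self.consumed:
            return Outcome.CONSUMED
        if now >= self.expires_at:
            return Outcome.EXPIRED
        self.attempts += 1
        if _match(self._code, given):
            self.consumed = True        # a one-time code is also spent by its successful use
            return Outcome.OK
        if self.attempts >= self.MAX_ATTEMPTS:
            self.consumed = True
            return Outcome.CONSUMED
        return Outcome.INVALID


class TotpGuard:
    """TOTP: 20 failures within a sliding 30-second window lock the user."""
    MAX_ATTEMPTS = 20
    WINDOW_SECONDS = 30

    def __init__(self, code_for_time):
        self._code_for_time = code_for_time   # callable now -> expected code (stand-in for RFC 6238)
        self._failures = deque()              # timestamps of recent failed attempts
        self.locked = False

    def verify(self, given: str, now: float) -> Outcome:
        if self.locked:
            return Outcome.LOCKED
        if _match(self._code_for_time(now), given):
            return Outcome.OK
        self._failures.append(now)
        while now - self._failures[0] > self.WINDOW_SECONDS:
            self._failures.popleft()          # drop failures that fell out of the window
        if len(self._failures) >= self.MAX_ATTEMPTS:
            self.locked = True
            return Outcome.LOCKED
        return Outcome.INVALID


def demo() -> dict:
    """Drive each guard through its failure mode with constructed values; returns outcome names."""
    pw = PasswordGuard("correct horse battery staple", max_attempts=5)
    password = [pw.verify(f"guess{i}") for i in range(5)] + [pw.verify("correct horse battery staple")]
    otp = OtpGuard("482913", expires_at=1300.0)
    otp_trace = [otp.verify(g, now=1000.0) for g in ("000000", "111111", "222222", "482913")]
    totp = TotpGuard(lambda now: f"{int(now) // 30 % 1_000_000:06d}")
    totp_trace = [totp.verify("999999", now=2000.0 + i) for i in range(20)]
    return {name: [o.value for o in trace]
            for name, trace in (("password", password), ("otp", otp_trace), ("totp", totp_trace))}
```

In the demo the fifth wrong password locks the account and the correct password is then refused; the third wrong OTP burns the code so the genuine code fails afterwards, but the user can request a new one without being locked; and twenty TOTP failures inside 30 seconds lock the user, whereas the same failures spread over more than 30 seconds would not, because old failures age out of the window. The OTP design deliberately avoids locking so that guessing a victim's code cannot be used to lock them out.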
Link Based Authentication
Descope provides the ability to set the link expiration for Magic Link, Enchanted Link, Embedded Link and nOTP.
Once the link expires, it is no longer available for use.