
Password authentication

Frontegg's password authentication requires users to log in with an email and password, following OWASP security guidelines. These include rules around password complexity, expiration, and other security best practices designed to protect your users.


Password creation and management

Users create their own password during sign-up and can update it at any time through the self-service admin portal.

As an admin, you can configure additional password-related policies to meet your organization’s security requirements. These settings can be defined at the environment level or overridden per account if a stricter policy is needed. Many of these settings can also be configured by your end users via their self-service portal.

Password policy options

User lockout

Limit the number of incorrect login attempts before locking a user out. This is handled through Brute Force Protection, which you can configure in the Security section. Admins can apply stricter rules through the self-service portal.


Password history

Prevent users from reusing previous passwords by requiring a certain number of new passwords before one can be reused. Admins can adjust this setting per account via the self-service portal.


Password expiration

Set a maximum number of days before a password must be changed. When the expiration period is reached, users are prompted to reset their password. Admins can enforce a stricter expiration policy at the account level.


Password complexity

Define the rules for password strength (e.g., minimum length, special characters, mixed case). This can be configured at the environment level or per account if stricter rules are needed.


Password strength meter

Enable a strength meter to give users real-time feedback when creating, changing, or activating their password. This helps users choose more secure passwords.

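To make the policy options above concrete, here is an added example (not Frontegg's code) that evaluates a candidate password against the same four dimensions: complexity, history, expiration, and lockout. The POLICY values, the PBKDF2 parameters and the sample passwords are assumptions chosen for illustration, not Frontegg defaults.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed sample policy mirroring this page's options; values are assumptions, not Frontegg defaults.
POLICY = {
    "min_length": 12,
    "require_mixed_case": True,
    "require_digit": True,
    "require_special": True,
    "history_size": 5,         # last N passwords may not be reused
    "max_age_days": 90,        # expiration window
    "max_failed_attempts": 5,  # lockout threshold (brute force protection)
}

def complexity_errors(password, policy=POLICY):
    """Return the names of the complexity rules the candidate password violates."""
    errors = []
    if len(password) < policy["min_length"]:
        errors.append("min_length")
    if policy["require_mixed_case"] and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        errors.append("mixed_case")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        errors.append("digit")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        errors.append("special")
    return errors

def _digest(password, salt):
    # History stores only salted PBKDF2 digests, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def reused_in_history(password, history):
    # True if the candidate matches any remembered (salt, digest) record.
    return any(hmac.compare_digest(_digest(password, salt), d) for salt, d in history)
def remember_password(password, history, policy=POLICY):
    # Record a newly set password and keep only the last history_size entries.
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-policy["history_size"]]
    return history

def is_expired(last_changed_iso, today_iso, policy=POLICY):
    # Expiration check: a reset is required once max_age_days have elapsed.
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=policy["max_age_days"])
def is_locked_out(failed_attempts, policy=POLICY):
    return failed_attempts >= policy["max_failed_attempts"]
```

Each function returns a value the caller can act on (reject the password, force a reset, or refuse the login attempt), which is the shape a policy enforcement point needs.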

Email verification

When password is the main authentication strategy, you can enable email verification upon sign-up.

If enabled, users enter their email, receive an activation email, and set their password via a secure link.

If disabled, users create their password directly on the sign-up page.

Note: for passwordless login methods that rely on email, verification happens automatically upon successful login.

In the following sections, you’ll learn how to configure these settings at the environment, account, and end-user levels.