Password authentication
Frontegg's password authentication requires users to log in with a username and password, adhering to OWASP security guidelines. These include password complexity rules, such as character length, special characters, and mixed case, designed to strengthen security and protect against brute-force attacks.
Available password levels
Password settings can be applied at different levels:
- User-level passwords for individual user accounts. You can configure these settings through the self-service portal.
- Account-level passwords for specific accounts within an environment. You can configure these settings in the Frontegg portal.
- Environment-level passwords that apply to all accounts within a specific environment. You can configure these settings in the Frontegg portal.
Password configuration options per level
| Configuration | User level | Account level | Environment level | Notes |
|---|---|---|---|---|
| User lockout | ✅ Yes | ✅ Yes (Security Rules - Brute Force Protection) | ✅ Yes (Security Rules - Brute Force Protection) | Protects against repeated failed login attempts. |
| Password history | ✅ Yes | ❌ No | ✅ Yes | Prevents reusing recent passwords. |
| Password expiration | ✅ Yes | ✅ Yes | ✅ Yes | Defines expiration period & renewal prompt. |
| Password complexity | ❌ No | ✅ Yes | ✅ Yes | Easy, Medium, Hard complexity levels. |
| Email verification | ❌ No | ✅ Yes | ✅ Yes | Ensures users register with valid emails. |
User lockout
Environment and Account Level
Set a limit on incorrect login attempts before action is taken. You can configure:
- Threshold: Maximum failed attempts allowed.
- Action: Lock the account or temporarily block attempts.
- Notifications: Notify users and send an unlock email.
User Level
Set a limit on incorrect login attempts before an account is locked. You can configure:
- Threshold: Maximum failed attempts allowed.
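The lockout settings above (threshold, lock versus temporary block, unlock email) as an added in-memory model. This is example code written for this page, not Frontegg's implementation: the `LoginGuard` class, the policy fields `threshold`, `action` and `blockSeconds`, and the injectable clock are assumptions made for the illustration.

```javascript
// Added example, not Frontegg's code: an in-memory model of the lockout
// settings above. Policy fields (threshold, action, blockSeconds) and the
// class/method names are assumptions made for this illustration.

class LoginGuard {
  // policy: { threshold: number, action: 'lock' | 'block', blockSeconds?: number }
  // clock: injectable time source (ms since epoch) so the block window is testable
  constructor(policy, clock = () => Date.now()) {
    if (!(policy.threshold > 0)) throw new Error('threshold must be positive');
    if (policy.action === 'block' && !(policy.blockSeconds > 0)) {
      throw new Error('blockSeconds is required for the block action');
    }
    this.policy = policy;
    this.clock = clock;
    this.state = new Map();      // userId -> { failures, locked, blockedUntil }
    this.notifications = [];     // unlock e-mails that would be sent
  }

  entry(userId) {
    if (!this.state.has(userId)) {
      this.state.set(userId, { failures: 0, locked: false, blockedUntil: 0 });
    }
    return this.state.get(userId);
  }

  // Call before checking credentials: says whether an attempt may proceed.
  status(userId) {
    const e = this.entry(userId);
    if (e.locked) return { allowed: false, reason: 'locked' };
    if (e.blockedUntil > this.clock()) return { allowed: false, reason: 'blocked' };
    return { allowed: true, reason: null };
  }

  // Record a wrong password; apply the configured action once the threshold is hit.
  recordFailure(userId) {
    const e = this.entry(userId);
    e.failures += 1;
    if (e.failures >= this.policy.threshold) {
      e.failures = 0;
      if (this.policy.action === 'lock') {
        e.locked = true;
        this.notifications.push({ userId, kind: 'unlock-email' });
      } else {
        e.blockedUntil = this.clock() + this.policy.blockSeconds * 1000;
      }
    }
    return this.status(userId);
  }

  // A correct password resets the failure counter.
  recordSuccess(userId) {
    this.entry(userId).failures = 0;
  }

  // Called when the user follows the link in the unlock e-mail.
  unlock(userId) {
    const e = this.entry(userId);
    e.locked = false;
    e.failures = 0;
  }
}

// Scenario 1 (constructed): lock after 5 failures and send an unlock e-mail.
function lockScenario() {
  const guard = new LoginGuard({ threshold: 5, action: 'lock' });
  let last;
  for (let i = 0; i < 5; i++) last = guard.recordFailure('alice');
  guard.unlock('alice');
  return { last, emails: guard.notifications.length, afterUnlock: guard.status('alice') };
}

// Scenario 2 (constructed): block for 15 minutes after 3 failures, using a fake clock.
function blockScenario() {
  let now = 1000000;
  const guard = new LoginGuard({ threshold: 3, action: 'block', blockSeconds: 900 }, () => now);
  for (let i = 0; i < 3; i++) guard.recordFailure('bob');
  const duringBlock = guard.status('bob');
  now += 900 * 1000;             // the block window has elapsed
  const afterBlock = guard.status('bob');
  return { duringBlock, afterBlock };
}
```

The guard is keyed on the user, so the check happens before credentials are verified and a correct password never clears a lock on its own; only the unlock path does. The user-level variant of the setting corresponds to the `lock` action with no notification step.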
Password history
Password history can be configured at the user and environment levels to set how many new passwords a user must choose before a previous one can be reused. Define the required number to enforce this restriction.
Password expiration
Password expiration can be configured at all levels to define the number of days after which a password expires and users are prompted to reset it. Set the required number of days to enforce this policy.
Password complexity
Password complexity is a measure of how difficult a password is to guess. It is enforced at the account and environment level to ensure stronger security policies.
When users create a password, the complexity requirements are displayed. Email verification must be enabled for users to be able to set a password.
To set the complexity level of passwords allowed in your account, go to [ENVIRONMENT] → Authentication → Password, and choose from the following levels:
Easy - Minimum of 6 characters, and no 3 recurring characters.
Medium - Minimum of 8 characters, passing all four tests (uppercase, lowercase, number, special character), and no 3 recurring characters.
Hard - Minimum of 10 characters, passing all four tests (uppercase, lowercase, number, special character), and no 3 recurring characters.
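A validator for the three levels above, added as an example for this page rather than taken from Frontegg's login box. It returns every unmet requirement rather than the first one, which is the shape a form needs in order to display the requirements while the user types. The rule table, the four character-class regexes, and the reading of "3 recurring characters" as a character repeated three times in a row are this example's own assumptions.

```javascript
// Added example, not Frontegg's code: a validator for the Easy / Medium / Hard
// levels described above. The level table and the regexes are this example's
// reading of those rules; the special-character class is an assumption.

const LEVELS = {
  easy:   { minLength: 6,  allClasses: false },
  medium: { minLength: 8,  allClasses: true },
  hard:   { minLength: 10, allClasses: true },
};

// The four tests a Medium or Hard password must all pass.
const CLASS_TESTS = {
  uppercase: /[A-Z]/,
  lowercase: /[a-z]/,
  number: /[0-9]/,
  special: /[^A-Za-z0-9]/,   // assumption: anything outside the other three classes
};

// True if some character occurs `runLength` or more times consecutively
// (this example's interpretation of "3 recurring characters").
function hasRecurringRun(password, runLength = 3) {
  let run = 1;
  for (let i = 1; i < password.length; i++) {
    run = password[i] === password[i - 1] ? run + 1 : 1;
    if (run >= runLength) return true;
  }
  return false;
}

// Returns { valid, failures } so a UI can list every unmet requirement at once.
function validatePassword(password, level) {
  const rule = LEVELS[level];
  if (!rule) throw new Error(`unknown complexity level: ${level}`);
  const failures = [];
  if (password.length < rule.minLength) {
    failures.push(`at least ${rule.minLength} characters`);
  }
  if (rule.allClasses) {
    for (const [name, re] of Object.entries(CLASS_TESTS)) {
      if (!re.test(password)) failures.push(`at least one ${name} character`);
    }
  }
  if (hasRecurringRun(password)) {
    failures.push('no character repeated 3 times in a row');
  }
  return { valid: failures.length === 0, failures };
}
```

The same function can drive a strength meter: calling it on every keystroke and rendering `failures` gives the real-time feedback described in the next section, with the level fixed to whatever the account or environment has configured.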
Password strength meter
Enable the Password Strength Meter to help users create stronger passwords. This feature provides real-time feedback when users create, activate, or change their passwords.
To activate it, go to Builder → Login Box → Email Sign-On → Edit.
Email verification
Email verification is an account and environment-level setting that ensures customers register with a valid email address. When enabled, new users receive an activation email upon sign-up, prompting them to set a password. If disabled, users create a password directly on the sign-up page. Additionally, passwordless login methods that rely on a user's email will automatically verify the user upon successful login.