Password

SecureAuth Connect password authentication lets users sign in with a username and password. Password is one of the default enabled authentication methods and is often paired with a second factor like OTP, TOTP, or passkeys for stronger security.

Use cases

Password authentication fits when you need a familiar, universal sign-in method.

• Widely supported: Password requires no app install, phone number, or hardware key. Any user with credentials can sign in.
• Progressive security: Start with passwords, then layer on stronger methods. Users who enroll a passkey or TOTP can use those instead, while others continue with passwords.
• Regulatory requirements: Some industries or compliance frameworks still require password-based authentication as a baseline.
• Legacy integration: Applications migrating from other identity providers can maintain password-based sign-in during the transition.

Password is not the best fit as a standalone method for high-security environments. Pair it with a second factor (TOTP, passkeys, push notification) or consider passwordless methods for better protection against credential-stuffing and phishing.

Enable password as an authentication method

Password is enabled by default. To verify or re-enable it:

1. In your workspace, go to Authentication > Settings.
2. Select the Methods tab.
3. Select the Password check box.
4. Click Save.

Add password as a sign-in method

Add password as a first-factor or second-factor authentication method for your users.

1. Go to Users > Sign-in and Sign-up.
2. Under First-Factor Authentication Methods or Second-Factor Authentication Methods, click + Add method and select Password.
3. (Optional) To make password the preferred method shown at sign-in, click the three-dot menu and select Make Preferred. Only one method can be preferred per identity pool.
4. Click Save.

Configure password policy

Define password strength requirements, expiration rules, and hashing methods for users in an identity pool. Go to Users > Sign-in and Sign-up and expand the Password Policy section.

Setting	Description
Strength	Minimum password strength level. A strength meter shows users whether their password meets the required criteria.
Capital letters	Require uppercase characters.
Lowercase letters	Require lowercase characters.
Digits	Require numeric characters.
Minimum length	Minimum number of characters.
Password history	Number of previous passwords that cannot be reused.
Special characters	Require special characters.
Password expiration	Number of days before a password expires and must be changed.

For detailed steps and screenshots, see Configure password policies.

Password hashing

SecureAuth Connect hashes stored passwords using one of these methods:

• PBKDF2 — OWASP recommended
• Argon2 — Memory-hard hashing
• bcrypt — OWASP recommended
• SHA — RFC 3174

Configure the hashing method in Users > Sign-in and Sign-up > Password Settings.

See also

• Configure password policies
• Passkeys
• TOTP
• Multi-factor authentication (MFA)