Set up sign in and sign up methods
Define how users authenticate when signing in and whether users in a specific Identity Pool can self-register for an account.
Accessing Sign-in and Sign-up settings
Navigate to the Sign-in and Sign-up section:
- Workspace level: In your workspace, go to Users and select the Sign-in and SSO tab.
- Tenant level: Go to Tenant Settings (gear icon) > Sign-in and Sign-up.
Sign-in configuration options
First-factor authentication methods
Enable the authentication methods users can choose from at login. Click + Add method to enable a method. If this button is greyed out, all available methods are already enabled as either first or second-factor methods.
Optionally, set one method as preferred by clicking Make Preferred. The preferred method displays prominently on the login page, while other enabled methods appear as secondary options. If no method is set as preferred, all enabled methods display equally for users to choose from.
Use the three dots menu on each enabled method to Make Preferred, Move to 2FA, or Remove it.
Available first-factor authentication methods:
| Method | Description |
|---|---|
| Password | Users log in with a password. |
| TOTP | Users enter a time-based code from their mobile authenticator app. |
| Email OTP | Users receive a one-time passcode (OTP) sent to their email address. |
| Passkey | Users authenticate with FIDO2 devices like YubiKey or Touch ID, using physical or biometric keys instead of passwords. |
| QR Code | Users scan a QR code with a mobile device to authenticate. |
| Symbol | A symbol displays on the login page and on the user's mobile device in the SecureAuth Authenticate mobile app. Users tap the matching symbol on their mobile device to authenticate. |
| Push | Users receive a push notification on their mobile device to approve or deny the sign-in request. |
Second-factor authentication methods
Optionally require a second authentication step after first-factor authentication for additional security. Your second-factor method must be different from your first-factor method. Add a new second-factor method or move an existing first-factor method to 2FA using the three dots menu and selecting Move to 2FA.
Other sign-in configurations
Allow users to log in without 2FA if not configured Select this check box to let new users who haven't configured their MFA factors complete their initial login without a second authentication step. This allows them to access the platform and set up their MFA methods afterward.
Reduce 2FA verification on same device
Select this check box to skip 2FA prompts on remembered devices for a set period. You can adjust the duration or disable it by setting it to 0s.
Level of Assurance Threshold (LOA) Sets the minimum confidence level required for authentication. If the real-time LOA score falls below this threshold, users must complete a second authentication step. Confidence levels:
- Low (30%): New users or logins from unknown devices.
- Medium (60%): Repeated logins from the same device increase confidence over time.
- High (80%): High trust based on device characteristics.
For more information, see Risk Engine: Smarter security in action and Risk analyzers.
Sign-in Identifier Settings Select this check box to allow case-insensitive email and username entry during sign-in.
Sign-up registration mode
Configure how users can register for accounts in this Identity Pool.
| Setting | Description |
|---|---|
| Self-registration | Enable or disable user self-registration. |
| Admin Initiated Registration | Allow admins to register users manually (enabled by default). Change only through the API. |
Save your changes
After configuring your sign-in and sign-up preferences, click Save to apply the changes.
User sign-in workflow with mobile push
After users install and pair the SecureAuth Authenticate app, here's how they experience the authentication methods you've configured:
-
User launches the application and arrives at the login page.
The page displays Log in with SecureAuth QR because the admin set QR Code as the preferred method. Secondary options (Password, Passkey, Email OTP, Push, Symbol) appear below.
-
User chooses an alternative method - In this example, they click Symbol instead of using the preferred QR method.
The page updates to prompt for their email address.
-
User enters credentials and continues to the next authentication step.
The page displays the symbol (in this case, "9") and prompts the user to tap the matching symbol on their mobile device in the SecureAuth Authenticate app.
-
User completes authentication by tapping the matching symbol on their mobile device, and the application grants access.
