Passwords

The Passwords Authentication Method lets you authenticate end users using a secret string of characters known only to the user.

Descope recommends using an email address as the user identifier; this allows you to utilize passwordless methods like Magic Link in addition to passwords. These methods could be used for authentication when users forget their password or need to reset it easily.

Passwords with Flows

This guide will walk you through integrating Password-based authentication into your Descope Flows. Passwords are pretty self explanatory, but there are important aspects to how to manage their use in the flow screens and with flow actions.

Flow Actions

When using Passwords, you have the standard actions for most authentication methods available.

  • Sign Up / Password - Signs the user up, but will not work if user already exists
  • Sign In / Password - Signs the user in, but if the user doesn't exist it will fail.
  • Update Password - Will add a password, onto an existing user's identity for login capabilities.
  • Replace Password - Will allow a user to update their current password, using their existing password.
  • Send Password Reset - Will send a password reset email to the user, after typing in their email address.
  • Expire Password - Will allow admins to expire the current password for a logged-in user.

How to Use Password Actions

To learn more about Actions in general, you can refer to our guide on them.

Most of these actions are pretty simple, and you can drop them in your flow like any other Action.

This is an example of using the Sign In / Password action in a flow:

sign-in-flow-action

Flow Screens

When using Passwords, there are a few different screen components you can choose to use in your flow.

Email / Phone vs. Username

When using Passwords, it's common to use a username instead of a phone or email address as the unique login ID of the user. In that case, you'll want to make sure you use the Custom Login ID component, instead of the Email or Phone component in your flow to sign the user in and up. This is so that you can create any username you want, without it having to be a sanitized as an email address or phone number.

custom-login-id-component

You can just rename the component to Username, and whatever is used in that field will be what the sign up or sign in actions afterwards rely upon to identify the user in question.

Entering Passwords in Screens

There are two main components for entering a password.

  • Login Password - You use this component for your sign in screens. This will not work with new users and the sign up actions.
  • New Password - You use this component for your sign up screens. This will not work with existing users and the sign in actions.

New Password Component Features

The New Password component also has some additional features in the behavior tab, designed to help sign the user up more securely.

Password Confirmation

You can require a re-confirmation of the entered password with this feature enabled.

password-confirmation

Policy Previewer

If you have password strength enforcement enabled that will show as a bar under the password input even if the policy previewer is disabled.

You can have your users preview the password policy you set for them under Authentication Methods -> Passwords, as they are typing their new password.

policy-previewer-password

Tenant-Based Password Policies

You can define password policies at the tenant level, allowing different tenants to enforce different password strictness rules. Password policies are evaluated based on the tenant context available to the flow at runtime.

Once the tenant is known, Descope automatically enforces and exposes the corresponding password policy requirements so they can be displayed on password input screens.

There are two ways to configure tenant-level password policies in flows:

  • Hardcode the Tenant Slug in the Flow Component - This approach involves explicitly defining the tenant slug in the flow component. This ensures that the flow always applies the password policy associated with that tenant. Because the tenant is known upfront, the password screen can immediately enforce the correct password strictness and display the tenant-specific password requirements.

  • Separate Email and Password Inputs - This approach involves determining the tenant dynamically based on the user's email domain before displaying the password screen. The user is first prompted to enter their email address. The flow then resolves the tenant from the email domain and, once the tenant context is available, displays the password screen with the correct password policy for that tenant on the next screen.

Note

The password policy text shown in the policy previewer can be translated using Descope's Localization feature.

Error Handling

Error handling is handled like any other action. You can refer to our Flow Error Handling guide for more details.

PIN Codes as Passwords

In addition to traditional alphanumeric passwords, Descope also supports using PIN codes as the user's password.

PIN codes are simply shorter numeric passwords that can be collected using the One Time Code input component in your flow screens. From the perspective of authentication, PIN codes are treated the same as passwords and can be used with all the same flow actions (Sign In, Sign Up, Update, Replace, etc.).

This allows you to offer a simpler login experience in cases where full password complexity is not required, while still maintaining control through password policies and reset flows.

Was this helpful?

On this page