Manage the authentication experience
Auth and access
Password authentication
Password authentication is where an end user supplies and maintains their own password to access your app or project.
Depending on your authentication needs and security requirements, you might be okay to allow users to authenticate with a password. However, we recommend using a more secure method, such as through one-time-passwords, or by adding multi-factor authentication to the sign in experience.
Passwords and identity verification
Link to this sectionTo reset a password for a user, or allow them to reset their own password, they need to have a verified contact identity such as an email in their Kinde profile. You’ll need this to securely set a temporary password or to trigger a password reset for a user.
Password visibility and encryption
Link to this sectionThe way Kinde is built ensures that user passwords can only be stored as hash-encrypted strings, meaning they are not visible and cannot be deciphered or accessed to be exploited. Neither you in your business or Kinde can see any passwords that a user has set.
Password strength
Link to this sectionKinde supports the following password requirements:
- 8 character minimum
- Blocking of 1,000,000 most common passwords
- 5 incorrect attempts locks account out for 5 minutes
- No complexity requirements or character limitations - combined with allowing long passwords, this provides better security and ease of use. For example, it’s harder for a computer to crack
FiremanSoccerPoodleLemonthanFireSoc!22, and also easier for a human to remember.
If using passwords for authentication, we do recommend adding multi-factor authentication as a requirement or option, for added security.
Options for resetting a password
Link to this sectionThere are several ways to reset a user’s password.
The user can select ‘forgot password’
Link to this sectionUser’s can trigger a password reset by selecting ‘forgot password’ when they attempt to sign in. When they do this, they will be sent a one-time passcode via email. When they enter the code, they will be prompted to reset their password.
Force a password reset via Kinde or API
Link to this sectionYou can trigger a password reset via the Kinde admin or via API. This is only suitable if you have an email for the user, as they will be sent a one-time passcode when they try to sign in next. They must enter the code to reset their password.
Issue a temporary password
Link to this sectionYou can set a single-use password for new or existing users via the Kinde admin or via the Kinde Management API. Once you set the password, you need to communicate it to the user via your own chosen method - it cannot be sent from Kinde.
The user enters the temporary password to sign up or sign in, then they set their own password.
Enable password authentication across apps
Link to this section- Go to Settings > Authentication.
- In the Password section, select Configure on the relevant password tile: Email + password or Username. A configuration window opens.
- Scroll to the bottom and switch password authentication on for the apps you want.
- Select Save.
Enable password authentication for a single app
Link to this section- Go to Settings > Applications.
- Select Configure on the relevant application tile.
- Select Authentication in the menu.
- Switch on the password options you want.
- Select Save.