When setting up your app, there are a number of things relating to authentication, security, and sessions that you need to keep in mind before going live. After all, you want your users to have a safe experience using your app.
Frontegg makes this easy by putting all your app settings in one place. Here, you can decide on things like multi-factor authentication, email verification, and more technical matters like token expiration. We'll go deeper into each one below.
In the Frontegg Portal, head to the builder. In the top left corner of your screen, you should see two tabs: App Settings and Experience.
Multi-factor authentication (MFA) requires users to present two factors of authentication to gain access to a resource, such as an application or online account. It's here in App Settings that you can set up the general MFA requirements.
As a group, identity protection settings allow you to increase account security by requiring additional proof of identity beyond the typical login credentials.
Enable email verification to ensure users sign up with a real email address that belongs to them.
reCAPTCHA is an invisible protection layer for your app that stops fake users but lets the real ones in. Unlike older versions of reCAPTCHA, version 3 (which Frontegg uses) requires no user action, so there is no friction added to your sign-up flow. When you toggle reCAPTCHA on in App Settings, it checks that all users are real on signup and login.
Just like a fingerprint, all devices have a certain uniqueness that allows us to differentiate them. Using this uniqueness, we can warn users when their account is accessed from a device they haven't used before, that is, a device with a unique, unrecognized fingerprint.
If one of your authentication methods on the login page is password authentication, make sure you secure it with the following security options:
- Password complexity
- Password strength meter
- Exposed credential detection
- Password repeat protection
- Brute force protection
Read more about the password security options in this guide.
For passwordless authentication, you can manage the code expiration time.
For better session security, configure both token expiration settings, JWT token expiration and refresh token expiration, located under the "Token expiration" tab.
Session management lets your accounts control how user sessions behave. We provide three session management options:
- Idle Session Timeout
- Force Relogin
- Maximum Concurrent Sessions
Read more about session management configurations here.
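To make the three session management options concrete, here is an added Python sketch (not Frontegg's code; Frontegg enforces these policies for you) of how a server-side session store applies an idle timeout, a forced re-login, and a per-user concurrent-session cap. It assumes Force Relogin means a maximum absolute session age, and the policy values, session ids and FakeClock are constructed for the demonstration.

```python
import time
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class SessionPolicy:
    idle_timeout_s: int   # Idle Session Timeout: max gap between two requests
    max_lifetime_s: int   # Force Relogin: max absolute session age (assumed meaning)
    max_concurrent: int   # Maximum Concurrent Sessions per user

class FakeClock:
    """Constructed clock so the demo and tests can advance time deterministically."""
    def __init__(self, t=0.0): self.t = t
    def __call__(self): return self.t
    def advance(self, s): self.t += s

class SessionStore:
    """In-memory store applying the three policies on create() and validate()."""
    def __init__(self, policy: SessionPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self._sessions = OrderedDict()  # sid -> {"user", "created", "seen"}, oldest first
        self._next_id = 0

    def create(self, user: str) -> str:
        now = self.clock()
        # Concurrency cap: evict this user's oldest sessions to make room
        user_sids = [sid for sid, s in self._sessions.items() if s["user"] == user]
        while len(user_sids) >= self.policy.max_concurrent:
            self._sessions.pop(user_sids.pop(0))
        self._next_id += 1
        sid = f"sess-{self._next_id}"  # sequential id for the demo; real stores use random ids
        self._sessions[sid] = {"user": user, "created": now, "seen": now}
        return sid

    def validate(self, sid: str):
        """Return (ok, reason); refreshes the last-seen time on success."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown-or-evicted"
        now = self.clock()
        if now - s["created"] > self.policy.max_lifetime_s:
            self._sessions.pop(sid)  # absolute lifetime exceeded: force re-login
            return False, "force-relogin"
        if now - s["seen"] > self.policy.idle_timeout_s:
            self._sessions.pop(sid)  # inactive too long: idle timeout
            return False, "idle-timeout"
        s["seen"] = now
        return True, "ok"
```

Note that the lifetime check runs before the idle check, so a session that is both stale and past its maximum age reports the stronger reason and the user is sent back through login rather than a silent refresh.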