Breached password
Password breaches have become a prevalent threat to online security, and apps, including yours, must take proactive measures to safeguard their users' sensitive information. Ideally, you want all your users to have fresh, unique passwords that have not appeared in a known breach. This is difficult, but Frontegg makes it easy. This guide describes Frontegg's Breached Password detection and how to configure it.
How it works
The breached password engine scans user passwords during the signup and login processes and compares them against databases of known breached passwords. This is done without exposing the passwords themselves.
If a match is found, appropriate actions can be taken, such as requiring the user to reset their password or implementing additional security measures.
Prerequisites
The following versions are required to use this feature:
@frontegg/react v6.0.4
@frontegg/angular v6.4.0
@frontegg/vue v3.0.4
@frontegg/nextjs v8.0.4
Configuring Breached Password
Good to know
You only need to use breached password protection if you use Passwords as one of your authentication strategies.
All you need to do is choose what should happen when a breached password is detected: Allow, Challenge, or Block.
See the next section to learn more about how user experiences will be affected by each action.
Your User's Experience
Frontegg checks if passwords are breached in two different flows:
- Password use - like during login
- Password creation - like during signup or password changes
You can choose if users can use/create breached passwords or not. Just choose from one of the actions below:
| Action | User experience on login | User experience on password creation (signup or changing password) |
|---|---|---|
| Allow | 1. User continues to the app | User is allowed to create a password that is breached (e.g. 123456) |
| Challenge | 1. User must complete an MFA challenge. 2. User continues to the app | User is not allowed to create a password that is breached |
| Block | 1. User sees a screen stating that their password is breached, with a mandate to change it immediately. 2. User goes to their email and clicks the reset password link | User is not allowed to create a password that is breached |
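To make the "How it works" paragraph and the table above concrete, here is an added example (not Frontegg's code, and the page does not state which technique Frontegg uses). It assumes a k-anonymity "range" lookup of the kind popularised by Have I Been Pwned: only the first five hex characters of the password's SHA-1 digest leave the client, and the suffix match happens locally. The breach corpus, the `range_lookup` service and the `decide` policy function are all constructed for this example.

```python
import hashlib
from typing import Dict, Set

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus: 5-char SHA-1 prefix -> set of
# 35-char suffixes known to be breached. Built from sample passwords here,
# not copied from any real breach data.
CONSTRUCTED_CORPUS: Dict[str, Set[str]] = {}
for _pw in ("123456", "password", "qwerty"):
    _h = _sha1_hex(_pw)
    CONSTRUCTED_CORPUS.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> Set[str]:
    """Simulated remote call: the service only ever sees the 5-char prefix,
    so it cannot learn the password (or even its full hash)."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-char hex prefix")
    return CONSTRUCTED_CORPUS.get(prefix, set())

def is_breached(password: str) -> bool:
    """k-anonymity check: send the prefix, compare the suffix locally."""
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def decide(password: str, flow: str, action: str) -> str:
    """Apply the configured action (Allow / Challenge / Block) to a flow
    ('login' or 'creation'), mirroring the user-experience table."""
    if flow not in ("login", "creation") or action not in ("Allow", "Challenge", "Block"):
        raise ValueError("unknown flow or action")
    if not is_breached(password):
        return "continue" if flow == "login" else "accept"
    if flow == "login":
        return {"Allow": "continue",
                "Challenge": "mfa_then_continue",
                "Block": "block_and_require_reset"}[action]
    # Password creation: only Allow lets a breached password through.
    return "accept" if action == "Allow" else "reject"

if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(pw, "breached:", is_breached(pw), "| login/Block ->", decide(pw, "login", "Block"))
```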
Notify End Users of Breached Passwords
In addition to the alert that informs users that their password is breached, you can also notify them by email.
Analyzing Breached Passwords in your App
Security Events
If you want to know how often breached password events occur in your app, you can see them over time, along with where they happened, in Security Events.