Breached password

Password breaches have become a prevalent threat to online security, and apps, including yours, must take proactive measures to safeguard their users' sensitive information. Ideally, you want all your users to have fresh, unique passwords that haven’t been hacked. This is difficult, but Frontegg makes it easy. This guide will tell you about Frontegg’s Breached Password detection and how to configure it.

How it works

The breached password engine scans user passwords during the signup and login processes and compares them against databases of known breached passwords. This is done without exposing the passwords themselves.

If a match is found, appropriate actions can be taken, such as requiring the user to reset their password or implementing additional security measures.


Prerequisites

The following versions are required to use this feature:

@frontegg/react v6.0.4
@frontegg/angular v6.4.0
@frontegg/vue v3.0.4
@frontegg/nextjs v8.0.4

Configuring Breached Password


Good to know

You only need to use breached password protection if you use Passwords as one of your authentication strategies.

All you need to do is choose what should happen when a breached password is detected: Allow, Challenge, or Block.

See the next section to learn more about how user experiences will be affected by each action.

Your User's Experience

Frontegg checks if passwords are breached in two different flows:

  1. Password use - like during login
  2. Password creation - like during signup or password changes

You can choose whether users may use or create breached passwords. Just choose one of the actions below:

Action: Allow
  On login: User continues to the app.
  On password creation (signup or changing password): User is allowed to create a password that is breached (e.g. 123456).

Action: Challenge
  On login: 1. User must complete an MFA challenge. 2. User continues to the app.
  On password creation (signup or changing password): User is not allowed to create a password that is breached.

Action: Block
  On login: 1. User sees a screen stating that their password is breached, with a mandate to change it immediately. 2. The user goes to their email and clicks the password reset link.
  On password creation (signup or changing password): User is not allowed to create a password that is breached.
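To make the "without exposing passwords" claim from How it works concrete, and to show how the Allow / Challenge / Block actions above shape the outcome, here is an added Python example. It is not Frontegg's code (this page does not show how Frontegg's engine is implemented); it implements one widely used approach, a k-anonymity range lookup, in which the client hashes the password locally, sends only a short hash prefix, and matches the remaining suffix itself. The SHA-1 keying, the 5-character prefix length, the three-entry breached corpus, its counts, and the outcome labels are all constructed assumptions of this example.

```python
import hashlib
from typing import Dict

# Constructed sample corpus standing in for a database of known breached passwords.
# Real engines hold billions of entries; three weak passwords are enough to exercise
# the lookup. Keyed by SHA-1 hex digest with a constructed breach count per entry.
_CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in [("123456", 37_000_000), ("password", 9_000_000), ("qwerty", 4_000_000)]
}

# Hex characters of the hash the client reveals to the server (assumption of this
# example; it mirrors the common k-anonymity range scheme).
PREFIX_LEN = 5


def hash_password_for_lookup(password: str) -> str:
    """SHA-1 is used here only as a lookup key into the breach corpus, never as a
    storage hash. The corpus in this example is keyed on it by construction."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> Dict[str, int]:
    """Server side of the range lookup: given only a hash prefix, return every suffix
    in the corpus sharing that prefix, with its breach count. The server never sees
    the full hash, let alone the password."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return {
        digest[PREFIX_LEN:]: count
        for digest, count in _CONSTRUCTED_BREACH_CORPUS.items()
        if digest.startswith(prefix)
    }


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the password appears in the corpus (0 = not found)."""
    digest = hash_password_for_lookup(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(prefix).get(suffix, 0)


def decide(flow: str, action: str, password: str) -> str:
    """Apply the configured action (Allow / Challenge / Block) to one flow.

    flow:   "login" (password use) or "create" (signup or password change)
    action: "allow", "challenge" or "block"
    The returned outcome strings are labels constructed for this example.
    """
    if flow not in ("login", "create"):
        raise ValueError("unknown flow: %r" % flow)
    if action not in ("allow", "challenge", "block"):
        raise ValueError("unknown action: %r" % action)

    if breach_count(password) == 0:
        # A password absent from the corpus is unaffected by the setting.
        return "continue" if flow == "login" else "accept"

    if flow == "login":
        return {
            "allow": "continue",               # user continues to the app
            "challenge": "mfa_then_continue",  # MFA challenge first, then the app
            "block": "force_password_reset",   # breached screen, then email reset link
        }[action]

    # Password creation: only Allow lets a breached password through.
    return "accept" if action == "allow" else "reject"


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(pw, "->", breach_count(pw),
              decide("login", "block", pw), decide("create", "challenge", pw))
```

The design point worth noticing is the split between `range_query` and `breach_count`: the only value that crosses the boundary is the five-character prefix, so even a compromised lookup service learns nothing usable about the password, while the client still gets an exact answer by comparing the suffix on its own side.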


Notify End Users of Breached Passwords

In addition to the alert that informs users that their password is breached, you can also notify them by email.

Analyzing Breached Passwords in your App

Security Events

If you want to know how often breached-password events occur in your app, you can see them over time, along with where they happened, in Security Events.