Login Methods
By default, your project starts with password authentication. At any time, you can simply enable or disable password, passwordless, social login, or Single Sign-On (SSO) options within your dashboard — no code modifications needed.
Passwords
A classic login method, passwords are the most common way for users to sign up and log in to your app.
By default, we add extra security for your users by disallowing them from using common passwords. We also protect you from brute force attacks by limiting the number of failed login attempts.
Our default password policy is that we require >= 8 characters and a password that hasn't been in a previous breach. This (and two-factor authentication (2FA) available to everyone) matches the NIST recommendation for passwords.
If a user forgets their password, no problem. We handle the password reset flow with hosted pages and transactional emails - both of which are customizable.
Customize Password Requirements
You can customize your password requirements by length as well as the minimum number of uppercase characters, lowercase characters, digits, and special characters. You can also disable our added security of disallowing common passwords.
To customize your password requirements, head to the Signup / Login page and click the cog next to Password Login.
Passwordless / Magic Links
Passwordless authentication allows users to log in without a password. This is done by sending a login link to the user's email address.
We can manage the entire process for you through our hosted login page, including sending the email and verifying the one-time password. By default, the link will expire in 30 minutes.
If you would rather handle it yourself, you can use our API to create a magic link that a user can use to log in. This allows you to customize the expiration and the location the user is redirected to after logging in. Note that this doesn't send the email to the user, it just generates and returns the URL.
If you'd like to send emails from your own domain, check out our transactional emails docs or email us at support@propelauth.com and we'll help get you set up.
Social login / SSO
Social login / SSO allows your users to login using their existing social network accounts (e.g. Google, Github, Microsoft). It makes signing up simpler for your users, as they don't have to remember a password.
Enabling social logins with PropelAuth is a breeze since the majority of the work is done by your hosted authentication pages.
Instructions for enabling Social login are dependent on the specific social network you want to integrate with. Click here for a full list of providers with instructions.
If a user signs up with a social provider after signing up with their email address, their accounts will automatically be linked.
Additionally, if a user creates an account with Google SSO and then later with Github, for example, those accounts will be linked if the emails tied to the two match.
Social Account Linking
Social Account Linking allows users to connect external social accounts to their existing user account through the User Account Page, even when the social account uses a different email address. This feature is useful if a customer logs in with their work address but then wants to link their personal social account, such as LinkedIn or Google.
To enable Social Account Linking, navigate to the Settings tab in your Signup / Login page and enable the Allow users to link social accounts setting.
A user can then navigate to their User Account Page to link external social accounts. Alternatively, you can redirect the user to {AUTH_URL}/api/fe/v3/{provider}/link to send them directly to the provider's login flow. Click here for more information.
If you're wanting to get the user's access token for the social provider, you can do so by using the Fetch User OAuth Tokens endpoint.
Two-Factor Authentication (2FA)
The PropelAuth hosted account page has a 2FA enrollment UI that your users can use to enroll in 2FA, view their backup codes, and disable 2FA. You do not have to write any additional code to provide your users with 2FA. The hosted pages will take care of everything.
Forcing 2FA for all users
You can force all users to set up MFA by enabling the Require all users to set up 2FA setting in the Signup / Login page of your PropelAuth Dashboard. This will require all users to set up MFA before they can access your app.
Allow Organizations to Require 2FA
Instead of requiring 2FA globally, you can leave the option up to your users. In the Organization Settings page of your PropelAuth Dashboard, you'll find an option "Allow organizations to require 2FA". If enabled, organizations can enable or disable 2FA requirements for their members. Additionally, they can choose to enforce it immediately or in the future, in which case we'll proactively email the organization members that don't have 2FA set up yet.
Direct Users to Configure 2FA themselves
The last option is to enforce MFA yourself. This can be done on the frontend using any of our full-stack and frontend libraries, such as the UserClass from @propelauth/react.
import { useAuthInfo } from "@propelauth/react";
const { userClass } = useAuthInfo();
if (userClass.hasMfaEnabled) {
console.log("The user has MFA enabled")
} else {
alert("Please enable MFA in your account")
}
If the user does not have MFA configured, you can direct them to their Account page to enroll in MFA.
Enterprise SSO (SAML)
Enterprise SSO (SAML) allows your users to login using their existing enterprise accounts (e.g. Okta, OneLogin, Entra ID).
It's often a requirement for enterprise customers to use their existing enterprise accounts to login to your app.
We provide self-service UIs for your customers to set up their own SAML connections. You can read more about PropelAuth's SAML support here.
Restricting Login Methods
If you have multiple login methods enabled but want to show only specific login methods to some users, you can do so via the opt_hint query parameter. For example, if you only want your users to login via email/password, you can send them to:
{AUTH_URL}?opt_hint=pw
If you want to offer them two login methods, simply add a comma between values:
{AUTH_URL}?opt_hint=pw,pwl
Here is a full list of possible values for the opt_hint query parameter.
- Email/password =
pw - Passwordless =
pwl - SSO =
sso - Google =
gl - Gitlab =
gb - Github =
gh - Microsoft =
ms - Slack =
sl - LinkedIn =
li - Atlassian =
at - Apple =
ap - Quickbooks =
qb - Salesforce =
sf - Xero =
xr - Salesloft =
slf - Outreach =
ot - OTP =
otp
User Login Duration
You can control how long users stay logged in for in your dashboard. You can choose between your users staying logged in for a fixed amount of time or having them stay logged in as long as they remain active.
Prefilling the Email Field
If you would like to prefill the email field when redirecting a user to your login page, you can do so by using the e query parameter and base64 encoding the user's email address.
For example, you can redirect them to:
{AUTH_URL}/login?e=dGVzdEBleGFtcGxlLmNvbQ==
This will automatically populate the email field with "test@example.com".
Controlling Who Can Signup
PropelAuth offers multiple methods to control who can or cannot access your app. These settings can be found in the settings tab in your Signup / Login page.
Disable Public Signups
For each of your environments you have the ability to enable or disable public signups. If disabled, there will no longer be a signup page for that environment. However, users with the invite other users permission can still invite users to their org. You can also invite users manually to your application in the Users page.
Disable Personal Emails
You also have the option to enable or disable signups with personal emails. If disabled, users with common personal email domains (@gmail.com, @yahoo.com, etc.) will not be able to signup for your app.
Allow or Block Domains from Signup
If you want more control over who can signup for your app, the allowlist and blocklist feature allows you to create a list of domains to either allow access to or restrict from signing up for your project. The list of domains you provide must be pipe-delimited, for example:
example.com | example2.org | example3.gov