Skip to Content
Admin ConsoleAuthentication Settings

Authentication Settings

The Authentication section of the Console controls which authentication methods are available to users of your tenant, and how those methods behave. Changes take effect immediately — no restart or deployment is required.


Social Providers

Auris supports nine OAuth 2.0 / OpenID Connect social providers. Enabling a social provider adds a corresponding login button to the hosted login page.

Supported Providers

ProviderProtocolNotes
GoogleOIDCMost widely used. Requires Google Cloud project.
GitHubOAuth 2.0Well-suited for developer-focused products
MicrosoftOIDCSupports both personal and work/school (Entra ID) accounts
AppleOIDCRequired for iOS apps that offer social login
FacebookOAuth 2.0Requires Facebook app with Login product enabled
DiscordOAuth 2.0Popular for community and gaming products
LinkedInOIDCProfessional identity, suited for B2B products
Twitter / XOAuth 2.0Developer API v2 required
SlackOAuth 2.0Suited for workspace-based products

Enabling a Social Provider

Open the Social Providers section

Go to ConsoleAuthentication and open the Social Providers tab.

Enable the provider

Click the toggle next to the provider name to enable it. The configuration fields expand.

Enter application credentials

For each provider, you must obtain a Client ID and Client Secret from the provider’s developer portal:

FieldDescription
Client IDThe application identifier from the provider’s developer console
Client SecretThe secret used to authenticate token exchange requests

Store these values in the provider’s configuration fields in the Console. They are stored encrypted at rest.

Configure the callback URL

Each provider requires you to register an Authorized Redirect URI (or Callback URL) in its developer portal. The required value is displayed in the Console next to the provider’s configuration form:

https://[your-auris-domain]/api/auth/social/callback

Register this URL exactly in the provider’s portal. The URL must match exactly — protocol, hostname, port, and path.

Set optional scopes

By default, Auris requests the minimum scopes needed to obtain the user’s email address and display name. To request additional scopes (for example, calendar.read for Google), enter them in the Additional Scopes field as a space-separated list.

When a user authenticates via a social provider for the first time, Auris creates a new user account using the email address returned by the provider. If an account with that email already exists, the social identity is linked to the existing account automatically (unless the existing account requires a different primary authentication method per your policy).


Magic links allow users to authenticate by clicking a link sent to their email address, without a password. The link contains a short-lived token that is valid for a single use.

Go to AuthenticationPasswordless and toggle Magic Links on.

Configuration Options

SettingDescriptionDefault
Allow SignupWhether new users can register using magic linksEnabled
Redirect URLThe page users are sent to after clicking the link and authenticatingTenant’s default post-login URL
Token ExpiryHow long the magic link remains valid (minutes)15

Allow Signup

When enabled, clicking a magic link for an email address that does not exist in your tenant automatically creates a new account. When disabled, magic links only work for existing users.

Disable this if you want to control user registration through invitation-only workflows or manual user creation.

Token Expiry

Magic link tokens are single-use and short-lived. After the configured expiry time, the link becomes invalid and the user must request a new one. The recommended range is 10–30 minutes.

For implementation details, see Magic Links.


SMS OTP

SMS OTP enables phone number-based authentication: a one-time code is sent via SMS and the user enters it to authenticate. SMS OTP can be used both as a primary passwordless factor and as a second factor for MFA.

Enabling SMS OTP

Go to AuthenticationSMS OTP and toggle it on.

Provider Configuration

Auris uses Twilio for SMS delivery in production. Configure your Twilio credentials:

FieldDescription
ProviderTwilio (production) or Console Logging (development — codes are printed to server logs, no SMS sent)
Account SIDYour Twilio Account SID (starts with AC)
Auth TokenYour Twilio Auth Token
Sender Phone NumberThe Twilio phone number or Messaging Service SID to send from

Use Console Logging mode during development and testing to avoid Twilio API charges.

Rate Limits

SMS OTP codes have built-in rate limiting to prevent abuse:

LimitValue
Maximum sends per phone per hour5
Minimum time between sends30 seconds
Maximum verification attempts per code5

If a user exhausts their attempts on a single code, they must request a new one.


MFA Settings

Multi-factor authentication (MFA) adds a second verification step after password authentication. Auris supports three MFA methods.

MFA Methods

MethodDescriptionSetup Required
TOTPTime-based OTP via authenticator apps (Google Authenticator, Authy, etc.)User scans QR code during enrollment
SMSOne-time code sent to the user’s registered phone numberUser must have a verified phone number
WebAuthnHardware security keys (YubiKey) or platform authenticators (Face ID, Windows Hello)User registers authenticator during enrollment

Enable or disable each method with the toggle on the MFA Settings page. At least one method must be enabled if MFA enforcement is configured.

MFA Enforcement Policy

PolicyBehavior
OptionalUsers can choose to enable MFA in their account settings. It is not required.
RequiredAll users must complete MFA enrollment before accessing the application. Users without MFA configured are redirected to the enrollment flow after their first login.
AdaptiveMFA is required dynamically based on risk score. Low-risk logins proceed without MFA; high-risk logins trigger an additional factor. See Adaptive MFA.

Recovery Codes

Recovery codes are single-use backup codes that allow a user to log in when their primary MFA device is unavailable. Configure recovery code settings:

SettingDescriptionDefault
Number of codesHow many recovery codes are generated per user10
Allow regenerationWhether users can regenerate their recovery codes (invalidates old ones)Enabled

Adaptive MFA

When the enforcement policy is set to Adaptive, Auris calculates a risk score for each login attempt based on five signals:

SignalWeightDescription
New deviceMediumDevice fingerprint not seen before for this user
New IP addressLowIP address not seen before for this user
New countryHighCountry of origin is new for this user
Impossible travelHighGeographic distance from last login is physically impossible in the elapsed time
VPN / proxyMediumIP is identified as a VPN exit node or proxy server

If the calculated risk score exceeds the configured threshold, MFA is required for that login. The exact weights and thresholds are configurable in Security SettingsSuspicious Login Detection.


Session Policies

Session policies control how long authenticated sessions remain valid and what happens to sessions when certain events occur.

Session Duration Settings

SettingDescriptionDefault
Access Token LifetimeHow long an access token remains valid before expiring3600 seconds (1 hour)
Refresh Token LifetimeHow long a refresh token remains valid2592000 seconds (30 days)
Idle Session TimeoutMaximum time a session can remain inactive before expiring1800 seconds (30 minutes)
Maximum Concurrent SessionsMaximum number of active sessions per user. 0 for unlimited.0 (unlimited)

Session Behavior on Security Events

EventConfigurable Actions
Password changeRevoke all other sessions immediately / Keep sessions
Account disabledRevoke all sessions immediately (always on)
Role changeToken refreshed with new roles on next refresh / Revoke all sessions

Note: Setting a low Idle Session Timeout (under 15 minutes) will cause frequent re-authentication for users on slow networks or who navigate away briefly. Balance security requirements against user experience for your audience.


Password Policy

The password policy applies to all email/password logins and to the password reset flow. Social login and passwordless methods bypass the password policy.

Strength Requirements

SettingDescriptionDefault
Minimum LengthMinimum number of characters required8
Require UppercaseAt least one uppercase letter (A–Z)No
Require LowercaseAt least one lowercase letter (a–z)No
Require NumberAt least one numeric digit (0–9)No
Require Special CharacterAt least one special character (!@#$%^&*)No

Additional Controls

SettingDescriptionDefault
Password HistoryPrevent reuse of the last N passwords. 0 to disable.0
HaveIBeenPwned CheckReject passwords that appear in known data breach databasesDisabled
Maximum Password AgeRequire password rotation after N days. 0 to disable.0

HaveIBeenPwned Check

When enabled, Auris checks the entered password against the HaveIBeenPwned  password database using a k-anonymity model — only the first five characters of the SHA-1 hash are sent, never the full password. This provides breach database protection without transmitting user passwords to third parties.

The HaveIBeenPwned check adds a small latency (typically 50–200 ms) to password validation requests. This check runs only on password creation and reset, not on every login.


SMTP Configuration

Transactional emails (magic links, MFA codes, password resets, invitations) are sent via your configured SMTP server. Go to SettingsSMTP to configure:

SettingDescription
SMTP HostHostname of your outbound mail server
PortSMTP port (typically 587 for STARTTLS, 465 for SSL)
UsernameSMTP authentication username
PasswordSMTP authentication password
Sender AddressThe From address for all outgoing emails (for example, [email protected])
Sender NameThe display name in the From header (for example, Acme Corp)
EncryptionSTARTTLS or SSL/TLS

Use the Send Test Email button to verify your SMTP configuration by sending a test email to your administrator account.

Popular SMTP providers: Amazon SES, SendGrid, Postmark, Mailgun, and self-hosted Postfix.