Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. Porta provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server.

Authentication Flow

Porta lets you configure the flow your users follow when they log in. The first flow, Identifier + Password, presents a single login screen that prompts users for both their user identifier and their password. This is the default experience.

This is represented visually in the flow below.

Porta also offers a second flow, Identifier First. Identifier-first authentication identifies the individual before authenticating them: it retrieves the identity of the user without using any authentication information and uses that identity to control the rest of the authentication flow.

This flow displays a single login screen that first prompts users for their user identifier and, only if the identifier is correct, then prompts them for their password.

This is represented visually in the flow below.

Authentication Settings

Password strength is an important consideration when using passwords for authentication. A strong password policy makes it difficult, if not impossible, for someone to guess a password by either manual or automated means. The Password Settings feature allows the administrator to customize the level of complexity enforced for passwords entered during user sign-up or when a user changes the password via their account.

In Porta, the following characteristics define a strong password:

  • Password Length: Longer passwords include a greater combination of characters making it more difficult to guess. Passwords shorter than 10 characters are considered weak.

  • Password Complexity: Passwords containing a combination of upper-case and lower-case letters, numbers, and special characters are typically recommended.

The following criteria are available for determining password complexity:

  • Lower case letter - will require that the password contains a lowercase letter.

  • Upper case letter - will require that the password contains an uppercase letter.

  • Number - will require that the password contains a number from 0 to 9.

  • Symbol - will require that the password contains at least one special character (for example !@#$%^).

  • Does not contain the first name - will require that the first name cannot be used as part of the password.

  • Does not contain the last name - will require that the last name cannot be used as part of the password.

Once set, the new complexity requirements will be enforced on all subsequent user sign-ups and password changes. If a user has previously set a password that does not meet the newly created requirements, they will not be required to change their password to meet the new complexity requirements. If they reset their password, they will be obliged to meet the new complexity requirements. These requirements will be made visible to the user under ‘Change Password’ in their account when attempting to change their password. If the user enters a password that does not match the required criteria, the password will be rejected by Porta and the user will be asked to create one that complies with these requirements.
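The following validator, added here as an illustration and not Porta's own code, models the criteria above as toggles and reports every unmet rule so the user can be told why a password was rejected. It assumes any non-alphanumeric character satisfies the Symbol rule (the page only lists examples) and that the name checks are case-insensitive.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Administrator-configurable Password Settings, modelled on the page's criteria."""
    min_length: int = 10          # passwords shorter than 10 characters are considered weak
    require_lower: bool = True    # Lower case letter
    require_upper: bool = True    # Upper case letter
    require_number: bool = True   # Number
    require_symbol: bool = True   # Symbol (assumption: any non-alphanumeric character)
    forbid_first_name: bool = True
    forbid_last_name: bool = True


def check_password(policy, password, first_name="", last_name=""):
    """Return the list of unmet requirements; an empty list means the password is accepted."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters")
    if policy.require_lower and not re.search(r"[a-z]", password):
        failures.append("a lowercase letter")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        failures.append("an uppercase letter")
    if policy.require_number and not re.search(r"[0-9]", password):
        failures.append("a number from 0 to 9")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        failures.append("a symbol")
    # Name checks are case-insensitive (assumption), so "Alice" is caught inside "alice2024!"
    lowered = password.lower()
    if policy.forbid_first_name and first_name and first_name.lower() in lowered:
        failures.append("must not contain the first name")
    if policy.forbid_last_name and last_name and last_name.lower() in lowered:
        failures.append("must not contain the last name")
    return failures


def is_acceptable(policy, password, first_name="", last_name=""):
    return not check_password(policy, password, first_name, last_name)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs for a user named Alice Smith
    print(check_password(policy, "alice2024!", "Alice", "Smith"))
    print(check_password(policy, "Tr0ub4dor&3xtra!", "Alice", "Smith"))
```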

Please make sure to save the changes so that the new policies are enforced.

Passwordless Authentication

Passwordless authentication allows users to log in without the need to remember a password. Instead, users enter their email address and receive a one-time code or link, which they can then use to log in.

When a user authenticates via passwordless, the user is considered to have logged in using Porta as the identity provider. Please note that users may not necessarily use the same email address every time they authenticate; therefore, they may end up with multiple user profiles in the Porta datastore.

Supported authentication methods

Porta supports passwordless login through one-time-use codes and magic links sent via email.

Code

Send users a one-time code which they may enter to log in to their account. The code is valid for one login only, and users are sent a new code each time they try to log in with passwordless login.

Magic Link

Send users a one-time magic link which, on click, authenticates them on the device from which they requested the authentication. The link is valid for one login only, and users are sent a new link each time they try to log in with passwordless login. Please be aware that, depending on the browser, if the user clicks the link on a device other than the one from which the request was made, they will either be authenticated or be shown a screen informing them that the login has been approved on the device where it was requested.

Limitations:

Please note that refresh tokens cannot be retrieved when authenticating with a passwordless magic link sent via email; they are only available when using a one-time code (OTP).

To select one of the options, click on the radio button provided next to each option.

Configure passwordless login options

To make passwordless login available for your users, enable the passwordless login option by toggling on the option as shown below:

Enable passwordless login

When enabled, users may use passwordless login by clicking on the link provided on the login screen, as seen below:

Passwordless login view

When the user clicks the Passwordless Login link, they are shown one of the following screens, depending on the email verification type selected.

With Identifier First Authentication, if magic link is selected as the passwordless login option, the user is shown the following screen:

Check your email view

With Identifier + Password Authentication, if magic link is selected as the passwordless login option, the user is shown a screen asking them to enter the email address to which the magic link or code will be sent. This must be a valid email address with which a user has an account.

The user is instructed to check their email for the magic link which has been sent. They may click the link to be logged in.

If code is selected as the passwordless login option, the user is shown the following screen:

Passwordless login via one time code (OTP)

Both passwordless login options, magic link and code, are valid for 5 minutes after the email is sent. If a user tries to log in after the 5-minute timeframe, the link or code will have expired and they will have to request authentication once again.
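The one-time code lifecycle described above (valid for one login only, replaced by each new request, expired after 5 minutes) can be modelled with a small server-side store. This is an added example, not Porta's implementation; the 6-digit code length and the keyed-hash storage are assumptions, and the injectable clock exists only so the expiry rule can be exercised deterministically.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # documented validity window for codes and links
CODE_DIGITS = 6             # assumption: the page does not state the code length


class PasswordlessCodeStore:
    """Holds at most one pending code per email address."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key        # keyed hash so a leaked store does not expose live codes
        self._clock = clock
        self._pending = {}            # email -> (digest, expires_at)

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), "sha256").hexdigest()

    def request_code(self, email):
        """Issue a fresh code; any earlier unused code for this email is invalidated."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[email] = (self._digest(code), self._clock() + CODE_TTL_SECONDS)
        return code   # delivered to the user by email; never logged server-side

    def verify(self, email, code):
        """Return True once for a live, matching code; the code is consumed on success."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]          # expired: the user must request again
            return False
        if not hmac.compare_digest(self._digest(code), digest):
            return False                      # wrong code: pending entry stays until expiry
        del self._pending[email]              # valid for one login only
        return True


if __name__ == "__main__":
    store = PasswordlessCodeStore(secrets.token_bytes(32))
    code = store.request_code("user@example.com")   # constructed sample address
    print(store.verify("user@example.com", code))   # first use succeeds
    print(store.verify("user@example.com", code))   # second use is rejected
```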