Email & Password Authentication
The most common authentication method. Users register with an email address and password, then log in with those credentials.
How It Works
- Registration - User provides email, name, and password
- Email Verification - LumoAuth sends a verification email with a unique link
- Login - User enters email and password
- MFA (if configured) - Second factor challenge
- Session Created - User receives tokens and a session cookie
Configuration
Navigate to Configuration → Auth Settings at:
/t/{tenantSlug}/portal/configuration/auth-settings
Enable Registration
Toggle Allow Registration to let users self-register. When disabled, users can only be created by admins or through invitations.
Email Verification
Toggle Require Email Verification to prevent unverified users from logging in. When enabled:
- A verification email is sent immediately after registration
- Users cannot authenticate until they click the verification link
- Verification tokens expire after a configurable period
- Users can request a new verification email
Password Policy
Configure password requirements:
| Setting | Description | Recommended |
|---|---|---|
| Minimum Length | Minimum number of characters | 12+ |
| Require Uppercase | At least one uppercase letter | Yes |
| Require Lowercase | At least one lowercase letter | Yes |
| Require Numbers | At least one digit | Yes |
| Require Special Characters | At least one symbol | Optional |
Passwords are hashed using bcrypt before storage - plain text passwords are never stored.
User Registration Flow
Self-Registration
Users can register at the default registration page:
/register
The registration form collects:
- Email address
- Full name
- Password (validated against password policy)
After registration:
- An email verification link is sent
- The user is redirected to a "check your email" page
- Clicking the verification link activates the account
Admin-Created Users
Admins can create users directly at:
/t/{tenantSlug}/portal/access-management/users/create
Admin-created users can optionally:
- Have a pre-set password
- Skip email verification
- Be assigned roles immediately
Invited Users
Invite users via email at:
/t/{tenantSlug}/portal/access-management/invite-users
Invitation flow:
- Admin enters email addresses and selects roles
- Invitation emails are sent with unique registration links
- Invited users complete registration (setting their password)
- Pre-assigned roles are automatically applied
Login Flow
The login page is presented at:
/login
Or within an OAuth flow:
/t/{tenantSlug}/api/v1/oauth/authorize?...
Login Process
- User enters email and password
- LumoAuth validates the credentials against the stored bcrypt hash
- If MFA is enabled → redirect to MFA challenge
- If adaptive auth is enabled → a risk score is calculated:
  - Low risk → login succeeds
  - Medium risk → MFA challenge triggered
  - High risk → login blocked
- On success → authorization code or session issued
Failed Login Handling
- Failed attempts are logged in the audit trail
- After a configurable number of failed attempts, the account may be temporarily locked
- IP-based rate limiting prevents brute-force attacks
- Notifications can be sent to users about suspicious login attempts
Password Reset
Users can reset their password at:
/auth/forgot-password
Reset Flow
- User enters their email address
- LumoAuth sends a password reset email with a secure, time-limited token
- User clicks the link and sets a new password
- All active sessions are optionally invalidated
Security Measures
- Reset tokens expire after a configurable period
- Tokens are single-use
- The reset link includes a cryptographically secure random token
- Rate limiting prevents abuse
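The properties listed above (CSPRNG-generated, time-limited, single-use, rate-limited) can be seen together in the following added example. It is not LumoAuth's code; it uses a constructed in-memory store and hypothetical limits (3 requests per hour, 15-minute token lifetime) and stores only a SHA-256 digest of each token so a leaked token table cannot be used to reset passwords.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for this example; a real deployment would use a database.
_reset_tokens = {}    # sha256(token) -> {"user": str, "expires_at": float, "used": bool}
_request_times = {}   # email -> list of request timestamps (for rate limiting)

MAX_REQUESTS = 3      # hypothetical limit: reset emails per address per window
WINDOW_SECONDS = 3600


def _digest(raw_token):
    # Store only a hash of the token: a leaked token table cannot be used to reset passwords.
    return hashlib.sha256(raw_token.encode()).hexdigest()


def issue_reset_token(email, ttl_seconds=900, now=None):
    """Create a single-use, time-limited reset token, or return None when rate limited."""
    now = time.time() if now is None else now
    recent = [t for t in _request_times.get(email, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS:
        return None
    _request_times[email] = recent + [now]
    raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; goes into the email link only
    _reset_tokens[_digest(raw)] = {"user": email, "expires_at": now + ttl_seconds, "used": False}
    return raw


def redeem_reset_token(raw_token, now=None):
    """Return the email the token belongs to if it is unexpired and unused, else None.

    The token is marked used before returning so the same link cannot be replayed.
    """
    now = time.time() if now is None else now
    # Looking up by digest means the lookup leaks nothing about the secret token itself.
    entry = _reset_tokens.get(_digest(raw_token))
    if entry is None or entry["used"] or now > entry["expires_at"]:
        return None
    entry["used"] = True
    return entry["user"]
```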
Email Templates
Customize the emails sent during authentication at:
/t/{tenantSlug}/portal/configuration/email-templates
Available templates:
| Template | Sent When |
|---|---|
| Welcome | User registers successfully |
| Email Verification | Account needs email verification |
| Password Reset | User requests a password reset |
| MFA Setup | MFA is enrolled for the first time |
| Login Alert | Suspicious login detected (adaptive auth) |
Related Guides
- Multi-Factor Authentication - Add a second factor to email/password login
- Adaptive MFA - Risk-based MFA enforcement
- Social Login - Add social login buttons alongside email/password