Authentication Overview

LumoAuth supports several authentication methods that you can combine per organization: email and password, passwordless magic links, social login, MFA, adaptive (risk-based) MFA, passkeys (WebAuthn/FIDO2), push notifications, enterprise SSO (SAML, OIDC federation, LDAP), and device authorization for input-constrained devices. Use this page to pick the right method for your users and to understand how all authentication flows plug into the OAuth 2.0 login pipeline.


Supported Authentication Methods

Method | Description | Best For
Email & Password | Credential-based login | Most applications
Magic Link & Email-First | Passwordless sign-in via emailed link; optional email-first UI | Consumer apps, low-friction login
Social Login | OAuth/OIDC login via Google, GitHub, Microsoft, etc. | Consumer apps
Multi-Factor Authentication | Second factor (TOTP, SMS, email, backup codes) | Security-sensitive apps
Adaptive MFA | Risk-based, context-aware MFA | Reducing friction while keeping security high
Passkeys & WebAuthn | FIDO2 passwordless authentication | Phishing-resistant login
Push Authentication | Mobile push notification approval | High-assurance, passwordless
Enterprise SSO | SAML 2.0, OIDC federation, LDAP/Active Directory | B2B and enterprise apps
Device Authorization | Input-constrained device auth (RFC 8628) | CLI tools, IoT, smart TVs

How Authentication Works in LumoAuth

The Login Flow

  1. User initiates login. Your application redirects the user to LumoAuth's authorization endpoint.
  2. LumoAuth presents the login page. Based on organization configuration, it shows email/password, social buttons, passkeys, magic link, etc.
  3. User authenticates. Enters credentials, clicks a social button, or uses a passkey.
  4. MFA challenge (if configured). A second factor is prompted based on policy or risk score.
  5. Consent (if needed). For third-party apps, the user approves the requested scopes.
  6. Redirect back. LumoAuth redirects to your app with an authorization code.
  7. Token exchange. Your app exchanges the code for access, ID, and refresh tokens.
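The client side of steps 1, 6 and 7 above, as an added example that is not LumoAuth's own SDK or code: it builds the org-scoped authorize URL, checks the state parameter on the redirect back, and prepares the code-for-token exchange. The base URL, client id, redirect URI and org id are assumed placeholders, and the use of PKCE (RFC 7636) assumes the authorization endpoint accepts it, which this page does not state.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed tenant base URL; the org-scoped paths below are the ones this page lists.
BASE_URL = "https://auth.example.com"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(org_id, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the URL your app redirects the browser to. state must be unguessable and
    stored server-side in the user's session so it can be checked on the way back."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{BASE_URL}/orgs/{org_id}/api/v1/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 6: validate the redirect back. Reject a state mismatch (login CSRF or a
    mixed-up session) and surface an error response instead of treating it as success."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up login session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(org_id, client_id, redirect_uri, code, code_verifier):
    """Step 7: endpoint and form body for the code-for-token exchange (POST over TLS)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    return f"{BASE_URL}/orgs/{org_id}/api/v1/oauth/token", body
```

A confidential client would also send its client secret (or a client assertion) with the token request; the body above is what a public client such as a SPA or CLI sends.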

Organization-Specific URLs

All authentication flows use organization-specific URLs:

Authorization: /orgs/{orgId}/api/v1/oauth/authorize
Token: /orgs/{orgId}/api/v1/oauth/token
User Info: /orgs/{orgId}/api/v1/oauth/userinfo
OIDC Discovery: /orgs/{orgId}/api/v1/.well-known/openid-configuration

Each organization can independently configure:

  • Which authentication methods are enabled
  • Social login providers and their credentials
  • MFA policies and enforcement
  • Adaptive authentication risk thresholds
  • Password policies and complexity requirements
  • Email verification requirements

Authentication Configuration

Configure authentication for an organization at:

/orgs/{orgId}/portal/configuration/auth-settings

Available Settings

Setting | Description
Allow Registration | Enable or disable user self-registration
Require Email Verification | Users must verify their email before login
Password Policy | Minimum length, complexity, and rotation rules
MFA Policy | Required, optional, or adaptive MFA
Adaptive Auth | Risk-based authentication triggers
Session Settings | Session lifetime, concurrent session limits
Trusted Devices | Remember trusted devices to reduce MFA prompts

Choosing the Right Authentication Method

For Consumer Applications (B2C)

Start with Email/Password or Magic Link, plus Social Login for low-friction signup. Add Adaptive MFA to protect high-risk logins without adding friction for normal users.

For Business Applications (B2B)

Use Enterprise SSO (SAML 2.0 or OIDC) so employees can log in with their corporate identity provider. Layer on MFA enforcement for compliance.

For Machine-to-Machine

Use the Client Credentials grant type — no user interaction needed. See OAuth Clients and Applications Overview.

For CLI Tools and IoT

Use the Device Authorization Flow — the device displays a code, and the user completes authentication on their phone or computer.


Security Features Across All Methods

Regardless of which authentication method you choose, LumoAuth provides:

  • Brute-force protection — rate limiting on login attempts.
  • CSRF protection — all forms include CSRF tokens.
  • Secure password hashing — bcrypt with a configurable cost factor.
  • Login attempt logging — every attempt is recorded in the audit log.
  • Session management — track and revoke active sessions.
  • Email verification — prevent account takeover via unverified emails.

Next Steps

Choose an authentication method to learn more: