# Password Authentication

Client SDK, Backend API, Mobile approve, SSO, Sub-journey

> Authenticates the user with username and password


## Description

This step authenticates the user by validating their password credentials. Password credentials may be registered using the [Register Password](/guides/orchestration/journeys/register_password) or [Register Temporary Password](/guides/orchestration/journeys/register_temp_password) step.

The user's password credentials must be obtained before initiating this step, for example by using a login form (see [Example](#example)). If the authentication succeeds, the journey sets the user context to the authenticated user and continues to the next step. Tokens generated for the authentication can be accessed in subsequent steps using `@policy.userContext()`.

If the password is expired, the authentication won't succeed. The expiration can be configured in the [Password settings](https://portal.transmitsecurity.io/authentication/methods/password) for the application. If expired, the journey proceeds to the password expired branch (if one is configured); otherwise the journey is aborted.

If the authentication fails for other reasons (e.g., incorrect password), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client. When building a password solution, you'll need to consider how to handle the different error cases.

## Configuration

| Field | Description |
|  --- | --- |
| **Identifiers** | An identifier used to locate the user. Can be an external user ID, email, phone number, username, or a [custom identifier](/guides/user/manage_user_schema), if configured for B2C users in your tenant. |
| **Password** | Expression that yields the user's password. |
| **Org context** | **Only in B2B journeys**. Determines the organization for which the step is executed. By default, the step uses the org context previously set in the journey (e.g., using the [Select organization](/guides/orchestration/journeys/select_organization) step). If set to "manual", you can provide an expression that yields the organization ID. |
| **Error Output Variable** | Name of the variable that stores any errors returned by the step. |
| **Failure Behavior** | Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default). |
| **Password Expired Behavior** | Determines the behavior in case the user's password is expired, which either aborts the journey (default) or proceeds to a password expired branch of the control flow. |


## Example

Consider a login form that collects username and password, created using the [Login Form](/guides/orchestration/journeys/login_form) step. In our example, the form ID is `loginForm`, the schema contains `username` and `password`, and the input will be stored in `loginData`.

Here we obtain the user identifier and password from the form output (`loginForm.username` and `loginForm.password`).

![](/assets/auth_password_ex1.5da7b02b0e19e7213a67ab016ae714070c7c45c62617721980d0232d4d2b7da6.6f9096f8.png)