Customize login methods

Mosaic allows you to customize how users authenticate across the apps in your tenant. You can define which authenticators are available per app, configure their behavior and lockout policy, and control how authentication status is tracked and managed across apps and devices (Admin Portal > B2C or B2B Identity based on your setup > Authentication Methods).

To learn how to manage authenticators and plan which ones to offer, see Manage authenticators.

Passkeys

Important

To use passkeys, make sure you’ve integrated the appropriate SDK for your platform: Android SDK quick start, Web SDK quick start, or iOS SDK quick start.

Passkeys let users authenticate with device-based authenticators such as Apple Touch ID, Windows Hello, or hardware security keys. They offer a seamless and phishing-resistant login experience.

  • Relying Party ID: the domain to which WebAuthn credentials are registered and used for authentication. Set it to your application's domain (e.g., example.com). Mosaic accepts any origin that matches this domain, including all of its subdomains.
  • Relying Party Origins: toggle this option to specify platform-specific origins.
    • Web: toggle Relying Party Origins to restrict usage to specific subdomains. Add one or more subdomains of the Relying Party ID, each as a full origin URL (e.g., https://login.example.com rather than login.example.com).
    • iOS: use ios:bundle-id:YOUR_APP_BUNDLE_ID, where YOUR_APP_BUNDLE_ID is your iOS app's bundle identifier. This is the origin the app provides when requesting passkey registration and authentication.
    • Android: use android:apk-key-hash:YOUR_APK_KEY_HASH, where YOUR_APK_KEY_HASH is the Base64-encoded SHA-256 hash of your APK signing certificate. This is the origin the app provides when requesting passkey registration and authentication. Because the hash is derived from the signing certificate, builds signed with different keys (for example, debug and release builds) produce different origins, so add an entry for each signing key you use.
  • Enforce single passkey per ecosystem: when enabled, each username has only one active passkey per ecosystem (Apple or Android). Registering a new passkey replaces any existing one within the same ecosystem.
  • Lockout policy: define how passkey authentication handles failed attempts: the number of allowed failures before lockout, the duration of the lockout period (in minutes), and the interval after which the failed-attempt counter is reset if the threshold hasn't been reached.
Note
  • Passkeys are device-based authenticators scoped per device per app. For more about authenticator scoping models (global, per app, or per device), see Manage authenticators .
  • Unlocking applies per app and resets the lockout status for all passkeys registered by the user in that app. Use the Unlock authenticators API to unlock locked passkey authenticators.
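The following is an added example, not Mosaic's own code, of the two things a practitioner usually has to get right with the settings above: deriving the android:apk-key-hash origin from a signing-certificate fingerprint, and checking an origin against the Relying Party ID with and without the Relying Party Origins restriction. The RP ID example.com and all origins below are assumed values; the digest is encoded as URL-safe Base64 without padding, which is how the Android FIDO2 API formats this origin (confirm the exact form against the Android SDK quick start).

```python
import base64
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hypothetical settings, mirroring the Admin Portal fields described above.
RP_ID = "example.com"

_IOS_ORIGIN = re.compile(r"^ios:bundle-id:[A-Za-z0-9.\-]+$")
# A 32-byte SHA-256 digest in URL-safe Base64 without padding is always 43 characters.
_ANDROID_ORIGIN = re.compile(r"^android:apk-key-hash:[A-Za-z0-9_\-]{43}$")


def apk_key_hash_origin(cert_sha256_fingerprint: str) -> str:
    """Turn the SHA-256 fingerprint of the APK signing certificate, as printed by
    `keytool -printcert` or `apksigner verify --print-certs` (colon-separated hex),
    into an android:apk-key-hash origin. Assumption: URL-safe Base64, no padding."""
    raw = bytes.fromhex(cert_sha256_fingerprint.replace(":", "").strip())
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    digest = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"android:apk-key-hash:{digest}"


def origin_allowed(origin: str, rp_id: str,
                   explicit_origins: Optional[Iterable[str]] = None) -> bool:
    """Decide whether the origin in a WebAuthn clientDataJSON may use credentials
    registered under rp_id.

    Relying Party Origins toggle off (explicit_origins is None): any https origin
    whose host is the RP ID or one of its subdomains is accepted.
    Toggle on: only the listed origins are accepted, compared exactly; this covers
    web origins as well as ios:bundle-id: and android:apk-key-hash: values, which
    are not URLs.
    """
    if explicit_origins is not None:
        return origin in set(explicit_origins)
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")          # urlsplit lowercases the host
    rp = rp_id.lower().rstrip(".")
    # Suffix match on a label boundary: "example.com.evil.net" and
    # "evilexample.com" must both be rejected.
    return host == rp or host.endswith("." + rp)


def validate_explicit_origins(origins: Iterable[str], rp_id: str) -> List[str]:
    """Return the entries that should not be saved as Relying Party Origins:
    malformed platform origins, and web origins outside the RP ID."""
    rejected = []
    for origin in origins:
        if origin.startswith(("ios:", "android:")):
            if not (_IOS_ORIGIN.match(origin) or _ANDROID_ORIGIN.match(origin)):
                rejected.append(origin)
        elif not origin_allowed(origin, rp_id):
            rejected.append(origin)
    return rejected


if __name__ == "__main__":
    # Constructed fingerprint (all zero bytes), not a real signing certificate.
    print(apk_key_hash_origin(":".join(["00"] * 32)))
    print(origin_allowed("https://login.example.com", RP_ID))      # True
    print(origin_allowed("https://example.com.evil.net", RP_ID))   # False
```

The suffix match in origin_allowed is the check that matters: a plain substring test would accept example.com.evil.net, and a bare `endswith("example.com")` would accept evilexample.com. When the Relying Party Origins toggle is on, the comparison becomes an exact match, so a listed web origin must carry its scheme (https://login.example.com), and any port or alternate signing key needs its own entry.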

Passwords

The password settings let you define your app’s password policy:

  • Complexity: configure the strength of your password policy by selecting requirements such as uppercase and lowercase letters, special characters, numbers, and more. The UI provides guidance as you select the appropriate options.
  • Expiration: set the password expiration policy. You can define an expiration period (in days), or choose to let passwords never expire. Enabling Allow password to never expire overrides the Expiration time setting.
  • Password history: control whether users can reuse recent passwords. When enabled, it prevents the reuse of past passwords and activates the Number of last passwords field, where you define how many previous passwords to block.
  • HIBP: prevent users from setting passwords that have been exposed in known data breaches, using the Have I Been Pwned (HIBP) service.
  • Dictionary: block passwords that appear in a predefined dictionary of weak or banned terms. You manage the dictionary via API.
  • Lockout policy: define how many failed login attempts trigger a temporary lockout, and set the lockout duration (in minutes).
  • Password reset policy: configure the expiration time (in minutes) for password reset links and the length of the reset OTP. You can also require MFA during password reset as an extra layer of security, and choose to send an email notification to the user when a password is updated.
  • Temporary password: set how long temporary passwords remain valid (in hours).

Additionally, you can customize the appearance of the Reset password email by choosing a custom color to apply to buttons and dynamic content such as email addresses.
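To make the complexity, history, HIBP and dictionary settings concrete, here is an added example (not Mosaic's implementation) of a policy checker that applies all four. The policy fields, the banned-term list and the sample HIBP range response are constructed for the example; the only real data in it is the SHA-1 suffix of the string "password", which is what the k-anonymity lookup finds in the constructed response. History entries are stored as salted PBKDF2 records rather than as the old passwords themselves.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical mirror of the Admin Portal password settings."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5                 # "Number of last passwords"; 0 disables history
    dictionary: frozenset = frozenset()   # banned terms, matched case-insensitively


# Constructed stand-in for the HIBP Pwned Passwords range API, keyed by the
# 5-character SHA-1 prefix. The first suffix is the genuine SHA-1 tail of
# "password"; the counts and the second line are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\n"
             "0123456789ABCDEF0123456789ABCDEF012:1\n",
}


def sample_range_lookup(prefix: str) -> str:
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def hibp_breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check as the HIBP range API works: only the first five hex
    characters of SHA-1(password) leave the caller; the rest of the hash is
    compared against the returned suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count or 0)
    return 0


def history_entry(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 record (salt || digest) for the password history, so old
    passwords are never kept in a reversible form."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def in_history(password: str, entries: Iterable[bytes], size: int) -> bool:
    """True if the password matches any of the last `size` history entries."""
    recent = list(entries)[-size:] if size > 0 else []
    return any(hmac.compare_digest(history_entry(password, e[:16]), e) for e in recent)


def check_password(password: str, policy: PasswordPolicy, history: Iterable[bytes] = (),
                   range_lookup: Callable[[str], str] = lambda prefix: "") -> List[str]:
    """Return every policy violation for a candidate password (empty list = accepted)."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("missing an uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("missing a lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("missing a digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    lowered = password.lower()
    for term in sorted(policy.dictionary):
        if term in lowered:
            problems.append(f"contains banned term '{term}'")
    count = hibp_breach_count(password, range_lookup)
    if count:
        problems.append(f"found in {count} known breaches (HIBP)")
    if in_history(password, history, policy.history_size):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(dictionary=frozenset({"password", "mosaic", "welcome"}))
    print(check_password("password", policy, range_lookup=sample_range_lookup))
    print(check_password("Correct-Horse-Battery-9", policy, range_lookup=sample_range_lookup))
```

Two design points carry over to any real deployment: the HIBP check sends only a 5-character hash prefix, never the password or its full hash, and the reset-time checks are the only place a plaintext candidate exists, so the history store holds salted, stretched digests rather than hashes that could be cracked offline if leaked.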

Note
  • Passwords are scoped per app. Each application manages its own password configuration and status for the user. For more about authenticator scoping models (global, per app, or per device), see Manage authenticators .
  • Unlocking applies only to the specific app where the password is locked. Use the Unlock authenticators API to unlock locked

Email magic links

The email magic link settings let you configure the following:

  • Set the validity period of the magic link in minutes (Expires in).
  • Define the maximum number of magic links that can be sent to a user per minute (Allowed magic links to send a user per minute). If the threshold is reached, the API returns a 429 error indicating too many requests.
  • Customize the appearance of the Email template by choosing a custom color to apply to buttons and dynamic content such as email addresses.
Note

The From field displays the value of Application name (as configured in the app settings) as the sender. This value cannot be modified.

One-time passcodes

The one-time passcode settings let you define your OTP policy, regardless of the delivery method (email or SMS sent via Mosaic or external providers):

  • Expiration time: set how long the OTP remains valid (in minutes).
  • Lockout duration: define how long the user must wait before they can try again.
  • Failed attempts allowed before lockout: set the number of failed attempts that trigger a temporary lockout.
  • Code length: set the length of the one-time code.

The OTP emails section lets you customize the appearance of OTP emails by choosing a button color and dynamic content such as email addresses. You can also preview the login, sign-up, and verification email templates.

Note
  • Email and SMS OTPs are tenant-wide authenticators. For more about authenticator scoping models (global, per app, or per device), see Manage authenticators .
  • Their lockout status applies across all apps, and unlocking affects the OTP usage in every application. Use the Unlock authenticators API to unlock locked OTP authenticators.

TOTP

Important

To use TOTP authentication, configure it following the platform-specific guides: Login with TOTP (Web), Custom TOTP generator with iOS, or Custom TOTP generator with Android.

Time-based one-time password (TOTP) authentication lets users log in with codes generated by authenticator apps such as Google Authenticator or Microsoft Authenticator.

  • Window size: define how many token intervals before and after the current code are considered valid. Acceptable values range from 0 to 5. Each increment widens the acceptance window by one period on each side, so keep it as small as clock drift on your users' devices allows.
  • Issuer: the name of the app shown in the user's authenticator app. This field is pre-filled and not editable.
  • Failed attempts: set the number of incorrect code entries allowed before triggering a lockout.
  • Lockout duration: define how long (in minutes) the user must wait before they can try again.
Note

Modifying the following values can cause compatibility issues with public authenticator apps, many of which support only the defaults below. These values must also match what was encoded when the user enrolled: if you change them afterwards, codes from authenticator apps enrolled under the old values will no longer verify.

  • Hash algorithm: select the HMAC hash algorithm used to generate the tokens. Default: SHA-1. HMAC-SHA1 is not affected by the known SHA-1 collision attacks, so the default is not a weakness in itself.
  • Token digits: set the length (in digits) of the generated token. Default: 6.
  • Token period: define how long (in seconds) each TOTP code remains valid. Default: 30.
Note
  • TOTP authenticators are scoped per app. A user may have separate TOTP credentials in different applications. For more about authenticator scoping models (global, per app, or per device), see Manage authenticators .
  • Unlocking affects only the specific app instance where the authenticator is locked. Use the Unlock authenticators API to unlock locked TOTP authenticators.
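The following added example (not Mosaic's code) implements RFC 6238 TOTP with the four settings above as parameters, so you can see what Window size, Hash algorithm, Token digits and Token period actually change, and how the enrollment URI carries the non-default values that some authenticator apps ignore. The secrets are the RFC 6238 Appendix B test secrets; the account name and issuer are assumed values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Hash algorithms the TOTP "Hash algorithm" setting can select.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6, algorithm: str = "SHA1",
         period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at // period), digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1,
                digits: int = 6, algorithm: str = "SHA1", period: int = 30) -> bool:
    """Accept the code for the current step and `window` steps on either side
    (the Admin Portal's Window size, 0 to 5). Each candidate is compared in
    constant time."""
    if not 0 <= window <= 5:
        raise ValueError("window must be between 0 and 5")
    step = int(at // period)
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


def otpauth_uri(secret: bytes, account: str, issuer: str, digits: int = 6,
                algorithm: str = "SHA1", period: int = 30) -> str:
    """Enrollment URI encoded in the QR code. Non-default algorithm, digits or
    period travel as parameters that some authenticator apps ignore, which is
    why changing them breaks compatibility."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={algorithm}&digits={digits}&period={period}")


# RFC 6238 Appendix B test secrets: the ASCII digits repeated to the HMAC block size.
RFC6238_SECRETS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": (b"1234567890" * 7)[:64],
}

if __name__ == "__main__":
    s = RFC6238_SECRETS["SHA1"]
    print(totp(s, 59, digits=8))                            # 94287082 per RFC 6238
    print(verify_totp(s, totp(s, 59), at=60, window=1))     # True: previous step accepted
    print(verify_totp(s, totp(s, 59), at=60, window=0))     # False
    print(otpauth_uri(s, "alice@example.com", "Example App"))
```

The window trades clock tolerance for guessing surface: with 6 digits and window 1, three codes are valid at any instant, so a single blind guess succeeds with probability 3 in 10^6 instead of 1 in 10^6, and window 5 makes it 11 in 10^6. That is why the Failed attempts and Lockout duration settings belong with the window size rather than being tuned separately.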

PIN codes

Mobile PIN authentication lets users log in to their app using a PIN code that they choose specifically for the app. This ensures a secure and user-controlled experience, while the credential remains protected by the device's security hardware. The PIN authentication settings allow you to configure the lockout policy in case of repeated failed attempts:

  • Failed attempts: set the number of incorrect PIN entries allowed before triggering a lockout.
  • Lockout duration: define how long the user must wait before they can try again.

These settings apply to users authenticating with their app-specific PIN code and help prevent brute-force attempts.
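Every authenticator on this page carries the same two lockout fields (failed attempts, lockout duration), and the passkey policy adds a third, the interval after which the failure counter resets. The following is an added example, not Mosaic's implementation, of a tracker that models all three, together with the per-app versus tenant-wide scoping that the notes describe (passwords, passkeys, TOTP and PINs count per app; email and SMS OTPs share one counter across apps). It assumes the reset interval is measured from the most recent failure, which the page does not specify; the app and user identifiers are made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical mirror of the lockout fields in the Admin Portal."""
    max_failures: int = 5              # failures allowed before lockout
    lockout_minutes: int = 15          # duration of the lockout
    reset_minutes: Optional[int] = 10  # passkeys only: interval after which the
                                       # counter resets below threshold; None models
                                       # authenticators without that field


@dataclass
class _Counter:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


def scope_key(app_id: str, user_id: str, tenant_wide: bool) -> str:
    """Per-app authenticators (passwords, passkeys, TOTP, PIN) count failures per
    app; tenant-wide ones (email and SMS OTP) share a single counter."""
    return user_id if tenant_wide else f"{app_id}:{user_id}"


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._counters: Dict[str, _Counter] = {}

    def _get(self, key: str) -> _Counter:
        return self._counters.setdefault(key, _Counter())

    def is_locked(self, key: str, now: float) -> bool:
        return now < self._get(key).locked_until

    def failures(self, key: str) -> int:
        return self._get(key).failures

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed attempt at time `now` (seconds). Returns True if the
        key is locked afterwards."""
        c = self._get(key)
        if self.is_locked(key, now):
            return True                   # attempts during lockout are rejected outright
        reset = self.policy.reset_minutes
        # Assumption: the reset interval runs from the most recent failure.
        if reset is not None and c.failures and now - c.last_failure_at >= reset * 60:
            c.failures = 0
        c.failures += 1
        c.last_failure_at = now
        if c.failures >= self.policy.max_failures:
            c.locked_until = now + self.policy.lockout_minutes * 60
            c.failures = 0                # the lockout consumes the counter
            return True
        return False

    def record_success(self, key: str) -> None:
        self._counters.pop(key, None)

    def unlock(self, key: str) -> None:
        """What the Unlock authenticators API does for one scope: clear the lock
        and the counter for that app (or, for OTP, for the whole tenant)."""
        self._counters.pop(key, None)


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(max_failures=3, lockout_minutes=15, reset_minutes=10))
    key = scope_key("app-a", "alice", tenant_wide=False)
    for t in (0, 60, 660, 700, 710):       # 660 is 10 minutes after the previous failure
        print(t, "locked" if tracker.record_failure(key, t) else "ok", tracker.failures(key))
```

The timeline in the main block shows the reset interval at work: failures at 0 s and 60 s are forgotten by the attempt at 660 s, so the lock only triggers at 710 s, the third failure inside one interval. The scope key is what the notes on this page describe operationally: unlocking the app-a key leaves an app-b lock in place, whereas a tenant-wide OTP key is the same string for every app.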

Note
  • PIN codes are scoped per device per app. This means a user can:
    • Register different PINs for the same app on different devices.
    • Register different PINs for different apps on the same device.
    • Use the same PIN value across apps or devices, but each registration is distinct and independently managed. For more about authenticator scoping models (global, per app, or per device), see Manage authenticators .
  • Unlocking applies per app and resets the lockout status for all registered PINs of the user in that app. Use the Unlock authenticators API to unlock locked PIN authenticators.