AuthenticationMethod

Defines authentication mechanisms available for identity verification including password, MFA, passwordless, biometric, and hardware tokens. Encapsulates security policies, enrollment rules, and availability conditions for each method. Enables adaptive authentication strategies based on security requirements, risk context, and user populations.

16 properties
Schema

Properties

Property | Type | Mode | Description | Required
name (string)
stored

Unique identifier name for this authentication method

Example: "password-mfa"

Required
displayName (string)
stored

User-facing display name shown in authentication UI

Example: "Password + Two-Factor Authentication"

Required
type (string)
stored

Category of authentication method

Values: password, mfa, passwordless, biometric, social, federated, certificate, hardware-token

Example: "mfa"

Required
status (string)
stored

Operational status of this authentication method

Values: enabled, disabled, beta, deprecated

Example: "enabled"

Required
description (string)
stored

Detailed description of what this authentication method does and when it should be used

Example: "Combines password authentication with a second factor for enhanced security"

Optional
configuration (json)
stored

Method-specific configuration parameters including provider details, authentication flows, security settings, and integration requirements

Required
securityLevel (string)
stored

Security assurance level provided by this method

Values: low, medium, high, very-high

Example: "high"

Required
requiresEnrollment (boolean)
stored

Whether users must explicitly enroll before using this method

Example: true

Required
allowedUserTypes (string[])
stored

Types of users allowed to use this method (e.g., employee, customer, partner, admin)

Example: ["employee","admin"]

Optional
isPrimary (boolean)
stored

Whether this is a primary authentication method (first factor)

Example: true

Required
isStepUp (boolean)
stored

Whether this method can be used for step-up authentication (re-authentication for sensitive operations)

Optional
priority (number)
stored

Display priority/order in authentication method selection UI (lower number = higher priority)

Example: 10

Optional
constraints (json)
stored

Access constraints and conditions under which this method may be used (e.g., {"allowedIpRanges": [], "allowedCountries": [], "allowedDeviceTypes": [], "timeRestrictions": {}})

Optional
metadata (json)
stored

Additional metadata including integration details, compliance certifications, supported standards

Optional
enrolledUsersCount (number)
calculated

Number of users who have enrolled in this authentication method

Optional
activeUsersCount (number)
calculated

Number of users actively using this method for authentication

Optional

Examples

Example 1

{
  "@type": "AuthenticationMethod",
  "name": "password-basic",
  "displayName": "Password",
  "type": "password",
  "status": "enabled",
  "description": "Traditional username and password authentication",
  "configuration": {
    "minLength": 12,
    "requireUppercase": true,
    "requireLowercase": true,
    "requireNumbers": true,
    "requireSpecialChars": true,
    "passwordExpirationDays": 90,
    "preventReuseCount": 5
  },
  "securityLevel": "medium",
  "requiresEnrollment": false,
  "allowedUserTypes": [
    "employee",
    "customer",
    "partner"
  ],
  "isPrimary": true,
  "isStepUp": false,
  "priority": 10
}

Example 2

{
  "@type": "AuthenticationMethod",
  "name": "webauthn-passkey",
  "displayName": "Passkey",
  "type": "passwordless",
  "status": "enabled",
  "description": "FIDO2 WebAuthn passwordless authentication using biometrics or security keys",
  "configuration": {
    "attestation": "none",
    "authenticatorAttachment": "platform",
    "requireResidentKey": true,
    "userVerification": "required",
    "timeout": 60000
  },
  "securityLevel": "very-high",
  "requiresEnrollment": true,
  "allowedUserTypes": [
    "employee",
    "customer"
  ],
  "isPrimary": true,
  "isStepUp": true,
  "priority": 5
}

Example 3

{
  "@type": "AuthenticationMethod",
  "name": "totp-mfa",
  "displayName": "Authenticator App",
  "type": "mfa",
  "status": "enabled",
  "description": "Time-based one-time password (TOTP) using authenticator apps",
  "configuration": {
    "algorithm": "SHA1",
    "digits": 6,
    "period": 30,
    "window": 1,
    "allowedApps": [
      "any-totp-compatible-app"
    ]
  },
  "securityLevel": "high",
  "requiresEnrollment": true,
  "allowedUserTypes": [
    "employee",
    "admin"
  ],
  "isPrimary": false,
  "isStepUp": true,
  "priority": 20
}

Example 4

{
  "@type": "AuthenticationMethod",
  "name": "sms-otp",
  "displayName": "SMS Code",
  "type": "mfa",
  "status": "enabled",
  "description": "One-time code sent via SMS to registered mobile phone",
  "configuration": {
    "codeLength": 6,
    "codeValiditySeconds": 300,
    "maxAttemptsPerCode": 3,
    "rateLimitPerHour": 5,
    "allowedCountryCodes": [
      "+1",
      "+33",
      "+44",
      "+49"
    ]
  },
  "securityLevel": "medium",
  "requiresEnrollment": true,
  "allowedUserTypes": [
    "customer",
    "partner"
  ],
  "isPrimary": false,
  "isStepUp": false,
  "priority": 30
}

Example 5

{
  "@type": "AuthenticationMethod",
  "name": "federated-oidc",
  "displayName": "Enterprise Single Sign-On",
  "type": "federated",
  "status": "enabled",
  "description": "OpenID Connect federation with corporate identity provider",
  "configuration": {
    "protocol": "oidc",
    "autoProvision": true,
    "requiredClaims": [
      "email",
      "name"
    ],
    "sessionDurationMinutes": 480
  },
  "securityLevel": "high",
  "requiresEnrollment": false,
  "allowedUserTypes": [
    "employee"
  ],
  "isPrimary": true,
  "isStepUp": false,
  "priority": 1,
  "constraints": {
    "allowedDomains": [
      "corp.example.com"
    ],
    "requiresManagedDevice": true
  }
}

Example 6

{
  "@type": "AuthenticationMethod",
  "name": "social-login",
  "displayName": "Sign in with Social Provider",
  "type": "social",
  "status": "enabled",
  "description": "Social login using external social provider credentials",
  "configuration": {
    "provider": "social-provider-a",
    "scopes": [
      "openid",
      "email",
      "profile"
    ],
    "autoLinkByEmail": true
  },
  "securityLevel": "medium",
  "requiresEnrollment": false,
  "allowedUserTypes": [
    "customer"
  ],
  "isPrimary": true,
  "isStepUp": false,
  "priority": 15
}

Example 7

{
  "@type": "AuthenticationMethod",
  "name": "biometric-face",
  "displayName": "Face Recognition",
  "type": "biometric",
  "status": "beta",
  "description": "Biometric authentication using facial recognition",
  "configuration": {
    "livenessDetection": true,
    "matchingThreshold": 0.95,
    "allowedDevices": [
      "ios",
      "android"
    ],
    "requiresSecureEnclave": true
  },
  "securityLevel": "high",
  "requiresEnrollment": true,
  "allowedUserTypes": [
    "employee"
  ],
  "isPrimary": true,
  "isStepUp": true,
  "priority": 8
}

Example 8

{
  "@type": "AuthenticationMethod",
  "name": "hardware-security-key",
  "displayName": "Hardware Security Key",
  "type": "hardware-token",
  "status": "enabled",
  "description": "Hardware security key authentication using FIDO2-compatible devices",
  "configuration": {
    "protocol": "fido2",
    "requiredFirmwareVersion": "5.0.0",
    "supportedTransports": [
      "usb",
      "nfc",
      "ble"
    ]
  },
  "securityLevel": "very-high",
  "requiresEnrollment": true,
  "allowedUserTypes": [
    "admin",
    "privileged-user"
  ],
  "isPrimary": false,
  "isStepUp": true,
  "priority": 2
}