UserAuthentication
Stores and manages the authentication credentials and security settings for one user account. This entity is the vault for sensitive authentication data: passwords are kept only as one-way hashes, and login security metrics are tracked alongside them. It handles password management, including expiration, forced-change requirements, and a history that blocks reuse of recent passwords. It counts consecutive failed login attempts so that brute-force guessing is detected and stopped by temporarily locking the account once the policy threshold is reached. It records the last successful login (time and IP address) for security auditing and tracks overall account activity. Keeping this data separate from the main User entity lets the system protect credentials with stricter access controls and encryption than ordinary profile data needs, which matters both for account security and for meeting compliance requirements on credential storage.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| userId | uuid | stored | Links to the user account this authentication belongs to | Required |
| passwordHash | string | stored | Hash of the password produced by a one-way password-hashing function; the original password cannot be recovered from it, and at login the candidate password is hashed and compared, never the other way round | Required |
| passwordSalt | string | stored | Random per-password value mixed into the password before hashing so that identical passwords yield different hashes; optional because the encoded output of argon2id and bcrypt already carries its own salt | Optional |
| passwordAlgorithm | string | enum | The password-hashing algorithm that produced passwordHash, recorded so that verification uses the matching function Values: | Optional |
| passwordLastChangedAt | DateTime | stored | When the password was last updated | Required |
| passwordExpiresAt | DateTime | stored | When the current password will expire and must be changed | Optional |
| mustChangePassword | boolean | stored | Forces user to change password on next login | Optional |
| passwordHistory | integer | stored | Number of previous passwords remembered so that a new password matching any of them is rejected | Optional |
| failedLoginAttempts | integer | stored | Count of consecutive failed login attempts since the counter was last reset; cleared on a successful login | Optional |
| failedLoginResetAt | DateTime | stored | When the failed-attempts counter was last reset (start of the current counting window) | Optional |
| lockedUntil | DateTime | stored | Account is locked until this time, set when failed attempts reach the policy threshold; login attempts are refused while it lies in the future | Optional |
| lastLoginAt | DateTime | stored | Timestamp of the most recent successful login | Optional |
| lastLoginIp | string | stored | IP address from the most recent successful login, taken from the connection or a trusted proxy header rather than an arbitrary client-supplied header, for audit and anomaly review | Optional |
| lastActivityAt | DateTime | stored | Last time the user performed any authenticated action | Optional |
| passwordPolicy | PasswordPolicy | stored | Reference to the password rules this account must follow | Optional |
| version | integer | stored | Optimistic-concurrency version, incremented on every write so that two concurrent updates (for example a failed-attempt increment and a password change) cannot silently overwrite each other | Optional |
| createdAt | DateTime | stored | When this authentication record was created | Required |
| updatedAt | DateTime | stored | Last time any authentication data was modified | Optional |
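The login and password-change rules described above (consecutive-failure counting with a reset window, lockout, expiry and mustChangePassword checks after a successful verification, history-based reuse rejection, and a version bump on every write), as an added example in Python that is not code from this page or its project. The record mirrors the Properties table; MAX_FAILED_ATTEMPTS, FAILED_WINDOW, LOCKOUT, the 90-day lifetime, the previousPasswords list and the fixed clock T0 are assumptions (the page only gives the history count, not where old hashes live), and PBKDF2-HMAC-SHA256 from the standard library stands in for the argon2id and bcrypt values shown in the examples, which Python does not ship.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; Example 2 on the page locks after 3 failures for 30 minutes.
MAX_FAILED_ATTEMPTS = 3
FAILED_WINDOW = timedelta(minutes=15)   # failures older than this no longer count
LOCKOUT = timedelta(minutes=30)
PBKDF2_ITERATIONS = 600_000             # OWASP minimum for PBKDF2-HMAC-SHA256 (stand-in for argon2id)
T0 = datetime(2024, 3, 15, 14, 0, tzinfo=timezone.utc)   # constructed clock for the demo


@dataclass
class UserAuthentication:
    userId: str
    passwordHash: str                       # hex digest, never the cleartext
    passwordSalt: str                       # hex, 16 random bytes per password
    passwordAlgorithm: str
    passwordLastChangedAt: datetime
    createdAt: datetime
    updatedAt: Optional[datetime] = None
    passwordExpiresAt: Optional[datetime] = None
    mustChangePassword: bool = False
    passwordHistory: int = 5
    failedLoginAttempts: int = 0
    failedLoginResetAt: Optional[datetime] = None
    lockedUntil: Optional[datetime] = None
    lastLoginAt: Optional[datetime] = None
    lastLoginIp: Optional[str] = None
    lastActivityAt: Optional[datetime] = None
    version: int = 0
    # Assumed companion storage for the history check: (hash, salt) of the
    # last `passwordHistory` passwords. The page specifies only the count.
    previousPasswords: list = field(default_factory=list)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(password: str, hash_hex: str, salt_hex: str) -> bool:
    # Constant-time comparison so the mismatch position does not leak via timing.
    return hmac.compare_digest(_derive(password, bytes.fromhex(salt_hex)).hex(), hash_hex)


def new_credentials(password: str) -> tuple:
    """Fresh random salt per password; returns (hash_hex, salt_hex)."""
    salt = os.urandom(16)
    return _derive(password, salt).hex(), salt.hex()


def make_record(user_id: str, password: str, now: datetime = T0) -> UserAuthentication:
    h, s = new_credentials(password)
    return UserAuthentication(userId=user_id, passwordHash=h, passwordSalt=s,
                              passwordAlgorithm="pbkdf2-sha256", passwordLastChangedAt=now,
                              createdAt=now, passwordExpiresAt=now + timedelta(days=90))


def _touch(auth: UserAuthentication, now: datetime) -> None:
    auth.updatedAt = now
    auth.version += 1   # optimistic lock: the store rejects a write carrying a stale version


def attempt_login(auth: UserAuthentication, password: str, ip: str, now: datetime) -> str:
    """Returns 'locked', 'bad_password', 'change_required' or 'ok' and updates the record."""
    if auth.lockedUntil is not None and now < auth.lockedUntil:
        return "locked"                     # refused outright; no verification, no counter change
    # Open a new counting window if the previous one has aged out.
    if auth.failedLoginResetAt is None or now - auth.failedLoginResetAt > FAILED_WINDOW:
        auth.failedLoginAttempts = 0
        auth.failedLoginResetAt = now
    if not _matches(password, auth.passwordHash, auth.passwordSalt):
        auth.failedLoginAttempts += 1
        if auth.failedLoginAttempts >= MAX_FAILED_ATTEMPTS:
            auth.lockedUntil = now + LOCKOUT
        _touch(auth, now)
        return "bad_password"
    # Correct password: clear brute-force state and record the login.
    auth.failedLoginAttempts = 0
    auth.lockedUntil = None
    auth.lastLoginAt = auth.lastActivityAt = now
    auth.lastLoginIp = ip                   # caller takes this from the socket or a trusted proxy header
    _touch(auth, now)
    expired = auth.passwordExpiresAt is not None and now >= auth.passwordExpiresAt
    # Expiry is reported only after a successful verification, so it tells a guesser nothing.
    return "change_required" if (auth.mustChangePassword or expired) else "ok"


def change_password(auth: UserAuthentication, new_password: str, now: datetime,
                    lifetime: timedelta = timedelta(days=90)) -> None:
    """Rejects reuse of the current or any remembered password, then rotates the hash."""
    candidates = [(auth.passwordHash, auth.passwordSalt)] + auth.previousPasswords
    if any(_matches(new_password, h, s) for h, s in candidates):
        raise ValueError("password was used recently")
    auth.previousPasswords = ([(auth.passwordHash, auth.passwordSalt)]
                              + auth.previousPasswords)[:auth.passwordHistory]
    auth.passwordHash, auth.passwordSalt = new_credentials(new_password)
    auth.passwordLastChangedAt = now
    auth.passwordExpiresAt = now + lifetime
    auth.mustChangePassword = False
    _touch(auth, now)
```

The lock check runs before any hashing and before the counter is touched, so a locked account costs the server nothing per attempt and the attacker gets the same "locked" answer whether or not the guess was right. Expiry and mustChangePassword are evaluated only after the password verified, for the same reason.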
Examples
Example 1
{
  "@type": "UserAuthentication",
  "userId": "550e8400-e29b-41d4-a716-446655440000",
  "passwordAlgorithm": "argon2id",
  "passwordLastChangedAt": "2024-02-01T10:00:00Z",
  "passwordExpiresAt": "2024-05-01T10:00:00Z",
  "mustChangePassword": false,
  "passwordHistory": 5,
  "failedLoginAttempts": 0,
  "lastLoginAt": "2024-03-15T08:30:00Z",
  "lastLoginIp": "192.168.1.50",
  "lastActivityAt": "2024-03-15T16:45:00Z",
  "version": 3,
  "createdAt": "2024-01-01T00:00:00Z",
  "updatedAt": "2024-03-15T08:30:00Z"
}
Example 2
{
  "@type": "UserAuthentication",
  "userId": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
  "passwordAlgorithm": "bcrypt",
  "passwordLastChangedAt": "2023-12-15T00:00:00Z",
  "passwordExpiresAt": "2024-03-15T00:00:00Z",
  "mustChangePassword": true,
  "passwordHistory": 10,
  "failedLoginAttempts": 3,
  "failedLoginResetAt": "2024-03-15T14:00:00Z",
  "lockedUntil": "2024-03-15T14:30:00Z",
  "lastLoginAt": "2024-03-14T09:00:00Z",
  "lastLoginIp": "203.0.113.99",
  "lastActivityAt": "2024-03-14T17:30:00Z",
  "version": 1,
  "createdAt": "2023-12-15T00:00:00Z",
  "updatedAt": "2024-03-15T14:00:00Z"
}