Authentication
Identity Cloud supports three types of authentication for the signup and login flows:
- Single-factor authentication
- Multi-factor authentication
- Passwordless authentication
Different authentication methods can be configured for each authentication type.
To manage the registered authentication methods of a user, go to the Authentication methods tab of the user's details.
Single-factor authentication
Single-factor authentication requires only one authentication factor for successful authentication.
Identity Cloud supports the following authentication methods for Single-factor authentication:
- Password
- Social login with
  - Apple
  - Microsoft

Password
Password is the primary authentication method. The Password authentication method is always active and cannot be disabled.
You can configure the password policy for the passwords of your users.
Social login
Social login is a federated authentication method using social identity providers to verify the user's identity. Read more about how social login works.
You can enable or disable the social login for each added social login provider. Toggling the option determines whether the social login button of the corresponding social identity provider is displayed on the signup and login pages.
Specifics of the authentication steps and supported account types may vary by social identity provider. For example, only business Microsoft accounts may be used to sign up and log in through Identity Cloud.
Add social login
Before you can manage the authentication method Social Login, you need to add and configure the corresponding social identity provider.
Disable social login
If you disable social login, every user who only signed up with Social login needs to register a Password by using the Password reset flow.
User-facing flows with social identity providers
During signup with social identity providers, the user may be prompted to allow Identity Cloud to use their information from the social identity provider. Denying access to the information terminates the signup flow.
Multi-factor authentication
Multi-factor authentication provides another layer of authentication on top of logging in with a password.
Identity Cloud supports the following second factors for Multi-factor authentication:
- Time-based one-time password
- SMS
- Recovery codes
At least one of the authentication methods Time-based one-time password or SMS needs to be enabled as a second factor.
Recovery codes are always active as a fallback method and cannot be disabled.
If you enable multi-factor authentication, every user who only signed up with Social login needs to register a Password by going through the Password reset flow.

Password
By default, the Password authentication method is always active and used as the first authentication factor. For more information, see Password.
Time-based one-time password
The method Time-based one-time password authenticates users with one-time passwords generated by a third-party authenticator application.
SMS
The authentication method SMS authenticates users with one-time passwords sent to their phones.
Before you can manage the authentication method SMS, you need to configure an SMS provider.
Recovery codes
The method Recovery codes uses 16 generated recovery codes to authenticate users. Each recovery code can only be used once. The Recovery codes can be copied, downloaded, or printed to store them in a safe place. A new set of recovery codes is automatically generated for a user after a completed login if all 16 recovery codes have been used.
The method Recovery codes is always active and cannot be disabled. It provides a fallback authentication method in case a user does not have access to their phone or the authenticator app.
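The recovery-code rules described above (16 codes per set, each usable once, a new set issued after the login that consumes the last one), as an added Python sketch. This is not Identity Cloud's implementation; the class name, code format and SHA-256 storage are assumptions.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 16  # the page states that a set holds 16 recovery codes


def _digest(code: str) -> bytes:
    # Assumption: codes are long random values, so an unsalted SHA-256 digest
    # is stored instead of the code itself.
    return hashlib.sha256(code.strip().lower().encode()).digest()


class RecoveryCodes:
    """Hypothetical per-user store of single-use recovery codes."""

    def __init__(self):
        self.unused = set()   # digests of codes that are still valid
        self.issued_sets = 0

    def generate(self):
        """Replace any remaining codes with a fresh set; plaintext is returned once."""
        codes = [secrets.token_hex(8) for _ in range(CODES_PER_SET)]
        self.unused = {_digest(c) for c in codes}
        self.issued_sets += 1
        return codes

    def redeem(self, candidate: str) -> bool:
        """Accept a code at most once; digests are compared in constant time."""
        want = _digest(candidate)
        match = None
        for stored in self.unused:
            if hmac.compare_digest(stored, want):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)   # single use: a replay of this code now fails
        return True

    def login(self, candidate: str):
        """Return (ok, new_codes); new_codes is set only when this successful
        login consumed the last remaining code of the current set."""
        if not self.redeem(candidate):
            return False, None
        if not self.unused:
            return True, self.generate()
        return True, None
```
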
Passwordless authentication
Supported passwordless authentication methods
Identity Cloud supports the following authentication methods for Passwordless authentication:
- Passkey
- Email code
- Social login with
  - Apple
  - Microsoft

Passkey
The method Passkey uses face recognition, recognition by fingerprint, or any other means to unlock a user's device to authenticate. The method is always active and cannot be disabled. The Passkey authentication method requires a passkey-capable device.
Passkey support dependencies
During user-facing flows, such as signup, login and account recovery flows, the user is offered passkey authentication options only if the device they are using supports passkey authentication.
Passkeys are based on the FIDO2 and Web Authentication standards.
The support of passkeys is currently rolling out and depends on:
- The device type and its built-in capabilities.
- The native operating system of the device and its capabilities.
- The browser type, browser version and its capabilities.
Custom domain changes and passkey
Setting up your custom domain changes the origin for the passkey authentication method. Existing passkeys become invalid and users need to register new passkeys for your custom domain. For more information, see Custom domains.
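Why a domain change invalidates passkeys, as an added Python sketch that is not Identity Cloud code: in Web Authentication a credential is scoped to a relying party ID derived from the domain, and the relying party checks the origin in the client data and the SHA-256 hash of that ID in the authenticator data. Both domain names are constructed placeholders, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json

OLD_DOMAIN = "tenant.idp.example"   # constructed placeholder: default domain
NEW_DOMAIN = "login.shop.example"   # constructed placeholder: custom domain


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_assertion(domain: str, challenge: bytes):
    """Constructed sample of what a client returns for a passkey scoped to
    `domain`. The signature is omitted; only the origin binding is modelled."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": "https://" + domain}).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = rp_id_hash(domain) + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


def failed_checks(client_data: bytes, auth_data: bytes, domain: str, challenge: bytes):
    """Relying-party checks for `domain`; an empty list means all passed."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != "https://" + domain:
        failed.append("origin")
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], rp_id_hash(domain)):
        failed.append("rpIdHash")
    elif not auth_data[32] & 0x01:   # user-present bit
        failed.append("userPresent")
    return failed
```

An assertion from a passkey registered under the old domain fails both the origin and the rpIdHash check once the relying party expects the custom domain, so a new passkey has to be registered there.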
Email code
The method Email code sends a one-time code to the email of the users for authentication. The method is always active and cannot be disabled. The Email code authentication method provides a fallback method when no passkey-capable device is available.
Social login
The Social login authentication method can be configured as a further alternative beside the Passkey and the Email code. For more information, see Social login.
Bot protection
Identity Cloud includes CAPTCHAs in the signup and login flows to provide bot protection.
We use Google's reCAPTCHA Enterprise solution.
You cannot disable the CAPTCHA feature.