Skip to main content


Identity Cloud supports three types of authentication for the signup and login flows:

Different authentication methods can be configured for each authentication type.


To manage the registered authentication methods of users go to the Authentication methods tab of the users' details.

Single-factor authentication

Single-factor authentication requires only one authentication factor for successful authentication.

Identity cloud supports the following authentication methods for Single-factor authentication:

SFA Authentication


Password is the primary authentication method. The Password authentication method is always active and cannot be disabled.

You can configure the password policy for the passwords of your users.

Social login

Social login is a federated authentication method using social identity providers to verify the user's identity. Read more about how social login works.

You can enable or disable the social login for each added social login provider. Toggling the option determines whether the social login button of the corresponding social identity provider is displayed on the signup and login pages.


Specifics of the authentication steps and supported account types may vary by social identity provider. For example, only business Microsoft accounts may be used to sign up and log in through Identity Cloud.

Add social login

Before you can manage the authentication method Social Login, you need to add and configure the corresponding social identity provider.

Disable social login

If you disable social login, every user who only signed up with Social login needs to register a Password by using the Password reset flow.

User-facing flows with social identity providers

During signup with social identity providers, the user may be prompted to allow Identity Cloud to use their information from the social identity provider. Denying access to the information terminates the signup flow.

Multi-factor authentication

Multi-factor authentication provides another layer of authentication on top of logging in with a password.

Identity cloud supports the following second factors for Multi-factor authentication:

At least one of the authentication methods, Time-based-one-time password or SMS needs to be enabled as a second factor.

Recovery codes are always active as a fallback method and cannot be disabled.


If you enable multi-factor authentication, every user who only signed up with Social login needs to register a Password by going through the Password reset flow.

MFA Authentication


By default, the Password authentication method is always active and used as the first authentication factor. For more information, see Password.

Time-based one-time password

The method Time-base one-time password uses passwords generated by a third-party authenticator application for authentication of the users.

MFA signup TOTP MFA login TOTP


The authentication method SMS uses one-time passwords sent to the Phones of the users for authentication.


Before you can manage the authentication method SMS, you need to configure an SMS provider.

MFA signup SMS MFA login SMS

Recovery codes

The method Recovery codes uses 16 generated recovery codes to authenticate users. Each recovery code can only be used once. The Recovery codes can be copied, downloaded, or printed to store them in a safe place. A new set of recovery codes is automatically generated for a user after a completed login if all 16 recovery codes have been used.

The method Recovery codes is always active and cannot be disabled. The Recovery codes authentication method provides a fallback authentication method in case a user does not have access to phone or the authenticator app.

MFA signup recovery codes MFA login recovery codes

Passwordless authentication

Supported passwordless authentication methods

Identity cloud supports the following authentication methods for Passwordless authentication:

Passwordless Authentication


The method Passkey uses face recognition, recognition by fingerprint, or any other means to unlock a user's device to authenticate. The method is always active and cannot be disabled. The Passkey authentication method requires a passkey-capable device.

Passkey support dependencies

During user-facing flows, such as signup, login and account recovery flows, the user is offered passkey authentication options only if the device they are using supports passkey authentication.

Passkeys are based on the FIDO2 and Web Authentication standards.

MFA signup recovery codes

The support of passkeys is currently rolling out and depends on:

  • The device type and its built-in capabilities.
  • The native operating system of the device and its capabilities.
  • The browser type, browser version and its capabilities.

Custom domain changes and passkey

Setting up your custom domain changes the origin for the passkey authentication method. Existing passkeys become invalid and users need to register new passkeys for your custom domain. For more information, see Custom domains.

Email code

The method Email code sends a one-time code to the email of the users for authentication. The method is always active and cannot be disabled. The Email code authentication method provides a fallback method when no passkey-capable device is available.

MFA signup recovery codes

Social login

The Social login authentication method can be configured as a further alternative beside the Passkey and the Email code. For more information, see Social login.

Bot protection

Identity cloud included CAPTCHAs in the signup and login flows to provide Bot protection.

We use Google's reCAPTCHA Enterprise solution.

You cannot disable the CAPTCHA feature.