Skip to content


Authentication is a key functionality of Users are authenticated at the requested authentication levels using authentication modules that can fulfil the authentication request.

We understand authentication in its broadest sense. Traditionally, users are authenticated by username and password. But this way of authentication is just one out of many optional authentication modules. The authentication tree is completely customizable.

What is unique is that allows registration, activation and password forgotten modules to be seen as special forms of authentication. This is beneficiary for clients connecting to as this provides control over the process. It also allows for example to log in someone automatically after someone registers or activates his or hers accounts.

By assigning authentication levels to authentication modules, clients ensure users securely access their services.

Module concepts

Each module has the following options to configure.

  • Module name
  • Remember
  • Remember time
  • Authentication Levels
  • Module state
  • Show only when needed

Module Name

The name of the module is presented to user when prompted to pick an authentication method.


Configure if a successful authentication should be remembered for this module. In either a (persistent) cookie or a session cookie.

Remember Time

How long to remember a successful authentication. For session cookies, the authentication result is forgotten as soon as the web browser is closed.

Authentication Level

Specify one or more authentication levels for this module. After the authentication chain has been completed, the levels passed are stored in the acr claim. This claim is retrievable from the id_token and from the userinfo endpoint.

A client may also specify the required authentication level using the OpenID Connect acr_values query-parameter. See documentation/openidconnect.

Module State

A disabled module is never presented to an end-user.

Show only when needed

This option ensures a certain module is only presented when one explicitly requests this module, using the acr_values parameter.

Authentication modules

The following authentication modules are currently supported by This list is subject to change.


Log in with your username or email, and password. Users must exist in your tenant. Either because you have created them or because they have registered themselves using the registration module.

Time-based One-Time Password

Time-based One-Time Password (TOTP) is a well known authentication method for second-factor authentication (2FA). It is most used in combination with the Google Authenticator app.


You can safely configure the TOTP module as a second-factor. By default, this module must only be succesfully passed for users who have configured TOTP for their user account.

OpenID Connect (remote provider)

Configure a remote OpenID Connect provider as an authentication module. This allows users to log in via your tenant, without registering first.


The activation module sends an email to the user with an activation link.

If this module is used as a first factor, it prompts for the user's username or email.

If this module is used as a second factor, it sends a mail to the user without prompting.

After having send the e-mail, the module shows a success message.


In most set-ups, a user has multiple ways to activate his account. For example, many services consider a login with a Facebook or Google account as a valid way to activate an account. Therefore, an account is activated based on the related activation authentication level. You can assign this authentication level to other authentication modules if needed.

Password Forgotten

The password forgotten module is a special module that allows resetting your password by sending a link. After resetting the password, the user is logged in.


This is another special module that allows users to register themselves. Usually, you would want to configure the activation-module after the register-module, but this is not a requirement. If you would like to let in users immediately to your web service, you are free to do so

Web Authentication

This module has no settings. It allows users to register a FIDO-device (such as a Windows Hello device) and use this for login. Web Authentication is the mechanism for web pages to communicate with a FIDO-device.

Let users log in without a password via a magic link, send to their mail address.


If you create your own profile page, you might want to offer users the possibility to link a Facebook account to an existing account.


Log in via Google.


Log in via Twitter.


Log in via LinkedIn.


Log in via GitHub.

Authentication chain

Authentication modules can be configured in a chain. The first module in the chain is always the start-module. After this module you can configure any number of modules. After each module you can configure again as many modules as you would like. This allows you to set up advanced multi-factor authentication scenarios.

Account linking

A single person might want to make use of different authentication methods. He might register himself using a password first, but later wants to connect his Facebook or Google account. This can be done by account linking.