Passwords Overview

Stytch's password product allows you to offer a familiar authentication option to your end users, with built-in protection against common password pitfalls like credential stuffing attacks and insecure account deduplication.

Cross-Organization vs Organization-Scoped Passwords

Stytch offers two different approaches to passwords within our B2B product, depending on how passwords are treated across Organizations:

  1. Cross-Organization: an email has a single password associated with it, and the end user can use that password to log into any of their Organizations that allow passwords as an authentication method
  2. Organization-Scoped: a password is scoped to a specific MemberID, and can only be used to log into that specific Organization

If you have a single, centralized login page for all Organizations, we recommend Cross-Organization passwords: enable Allow passwords to be used between Organizations on the Passwords configuration page of the Dashboard. If you have tenanted login pages for each Organization and want to enforce strict data isolation between your Organizations, we recommend Organization-Scoped passwords: leave this setting disabled.

This is a project-level setting, and cannot be changed if you have active passwords. Make sure you have selected the password type you want in the Dashboard prior to integrating.

Default Password Policy

By default, Stytch uses zxcvbn for password strength assessment. zxcvbn is designed with modern password-cracking techniques in mind and rewards easy-to-type but difficult-to-crack passwords like EntropyIsInformation over annoying and ineffective LUDS (lower, upper, digit, symbol) requirements, which still allow users to set easily crackable passwords like P@ssword123. You can play around with zxcvbn here.

Stytch integrates with HaveIBeenPwned to detect breached passwords and, by default, verifies that the user's password has not been breached on both initial password creation and subsequent authentication. If HaveIBeenPwned indicates that a user's current password has been breached, Stytch forces the end user to reset their password in order to prevent a credential stuffing attack.
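The breach check described above, as an added illustration (not Stytch's own code): the Pwned Passwords range lookup sends only the first five hex characters of the password's SHA-1 and matches the remaining suffix locally, and the policy applies the result differently at creation (reject) and at authentication (force a reset). The range endpoint is replaced by a stand-in built from a constructed corpus so the example runs offline; the corpus, counts and `Decision` names are assumptions.

```python
import hashlib
from enum import Enum

# Constructed sample of "known breached" passwords; stands in for the real
# Pwned Passwords data set and is NOT HaveIBeenPwned data.
BREACHED_CORPUS = {"P@ssword123", "password", "123456"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix5: str) -> str:
    """Stand-in for GET /range/{prefix5}: returns 'SUFFIX:COUNT' lines for
    every corpus hash sharing the 5-character prefix. The counts are made up."""
    lines = []
    for pw in sorted(BREACHED_CORPUS):
        h = sha1_upper(pw)
        if h[:5] == prefix5:
            lines.append(f"{h[5:]}:{len(pw) * 1000}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """k-anonymity lookup: only the 5-char prefix leaves the process."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


class Decision(Enum):
    ALLOW = "allow"                      # password accepted / login proceeds
    DENY = "deny"                        # authentication: wrong password
    REJECT_BREACHED = "reject_breached"  # creation: ask for a different password
    FORCE_RESET = "force_reset"          # authentication: correct but breached


def evaluate(password: str, stage: str, stored_ok: bool = True) -> Decision:
    """stage is 'create' or 'authenticate'. stored_ok is the (assumed) result of
    verifying the submitted password against the stored hash; it is checked
    first so the breach lookup never runs for an incorrect password."""
    if stage == "authenticate" and not stored_ok:
        return Decision.DENY
    if breach_count(password) > 0:
        return Decision.REJECT_BREACHED if stage == "create" else Decision.FORCE_RESET
    return Decision.ALLOW
```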

However, Stytch also offers the ability to customize your password strength assessment and password breach detection policies to fit whatever makes the most sense for your application. You can read more about the full list of configurations in the Strength Policies guide.