README
Security
Modern authentication systems face threats ranging from phishing, credential stuffing, brute-force attacks, ransomware and DDoS to AI-driven attacks. Protecting user identities is critical to safeguarding brand trust and compliance.
Logto delivers robust secure access management designed to counter these risks head-on. By prioritizing proactive threat prevention and resilience, we ensure your systems stay shielded without compromising usability. With Logto, security isn’t an afterthought—it’s the foundation, empowering businesses to thrive in an era where threats evolve, but defenses evolve faster.
Set up advanced security protection
Enhance password requirements to defend against credential stuffing and weak password attacks.
Add CAPTCHA (e.g., Google reCAPTCHA, Cloudflare Turnstile) to your sign-in experience to prevent automated bot attacks.
Temporarily lock an identifier after multiple failed authentication attempts to prevent brute-force access.
Hide account status to block account enumeration attacks and avoid disclosing sensitive account status information.
Take control of your user base by blocking disposable or unwanted email domains or addresses.
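As an added example (not Logto's own code), a minimal sign-in guard that combines two of the protections above: locking an identifier after repeated failures, and returning one generic error that does not reveal whether the identifier exists, is suspended, or is currently locked. The threshold, lock duration and account records are assumed values constructed for the demo.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
MAX_FAILURES = 5          # lock after this many consecutive failures (assumed policy)
LOCKOUT_SECONDS = 600     # length of the temporary lock (assumed policy)
# One message for every failure: the caller cannot tell whether the identifier
# exists, is suspended, or is currently locked.
GENERIC_ERROR = "Invalid credentials, or account temporarily locked"

@dataclass
class Account:
    password: str           # constructed demo value; a real store holds a password hash
    status: str = "active"  # "active" or "suspended"

@dataclass
class FailureState:
    count: int = 0
    locked_until: float = 0.0

class SignInGuard:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.failures: Dict[str, FailureState] = {}

    def is_locked(self, identifier: str, now: float) -> bool:
        st = self.failures.get(identifier)
        return st is not None and st.locked_until > now

    def _record_failure(self, identifier: str, now: float) -> None:
        st = self.failures.get(identifier)
        if st is None or (st.locked_until and st.locked_until <= now):
            st = FailureState()           # start a fresh window after an expired lock
            self.failures[identifier] = st
        st.count += 1
        if st.count >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS

    def sign_in(self, identifier: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if self.is_locked(identifier, now):
            return False, GENERIC_ERROR   # locked: reject before any password check
        account = self.accounts.get(identifier)
        ok = (account is not None and account.status == "active"
              and hmac.compare_digest(account.password, password))
        if not ok:
            # Failures are counted for unknown identifiers too, so lockout timing
            # cannot be used to tell registered accounts from unregistered ones.
            self._record_failure(identifier, now)
            return False, GENERIC_ERROR
        self.failures.pop(identifier, None)  # success clears the failure window
        return True, "ok"
```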
Discover more ways to protect your apps
Add an extra layer of protection to the sign-in process with support for authenticator app OTPs, passkeys (WebAuthn), and backup codes.
Allow the app to prompt for step-up authentication when users access sensitive information or perform high-risk actions.
Temporarily disable user accounts to block access without deleting data or user records.
Periodically rotate signing keys to protect against key leakage and token forgery.
Enable centralized logout to reduce the risk of session hijacking and unauthorized access.
Restrict sign-ups to invited users only, using email magic links for secure onboarding.