
# 4.17 Password Invalidator Authentication

**Introduction**

The **Password Invalidator** is a feature in ZTrust that helps keep user accounts secure. It automatically **forces users to change their login passwords** after a **predefined time period**.\
This ensures that **weak, old, or compromised passwords** are regularly updated, keeping your organization's data safe.

**Why Use Password Invalidator? (Use Cases)**

1. Admin defines a **password validity period** (e.g., 30 days, 45 days, 60 days).
2. When the period ends, the **Password Invalidator** forces the user to **reset their password** on the next login.
3. Set up warning emails to notify users before their password expires, so they can be aware and update their password on time.

* **Enhanced Security**
  * The system makes you **change your password regularly** so that old or weak passwords don’t put your account at risk.
* **Compliance with Company Policies**
  * Some organizations **require** you to change your password after a certain time.
  * This feature **automatically enforces** those rules.
* **Reduce Unauthorized Access Risks**
  * If someone manages to steal your password, they can’t use it for long because it will **expire** after the set time.
* **Warning Notifications**
  * You’ll receive **notifications** before your password expires, so you have time to **update it without being locked out**.

**Step 1 – Login to ZTrust Admin Console**

* Open your **ZTrust Admin Console** in your browser.
* Sign in with your **admin credentials**.

<figure><img src="/files/dbzseVUm64AlfsDWIXF0" alt=""><figcaption><p>Fig. 4.16.a: Welcome page of customer_demo realm</p></figcaption></figure>

**Step 2 – Enable Password Invalidator in Events**

* Navigate to **Realm Settings** → **Events**.
* In the **Event Listener** dropdown, **select** `password-invalidation`.

<figure><img src="/files/UPspAxV8Ttmd69aXtWKh" alt=""><figcaption><p>Fig. 4.16.b: Navigating to Realm Settings ⇒ Events and adding 'password_invalidation' to event listeners</p></figcaption></figure>

**Step 3 – Configure the Password Policy**

* Go to **Realm Settings** → **Authentication**.
* Go to **Policies Tab → Password Policy**

<figure><img src="/files/rxqyvppxmsaxbw24U45x" alt=""><figcaption><p>Fig. 4.16.c: Navigating to Authentication ⇒ Policies ⇒ Password Policy</p></figcaption></figure>

* In the **Password Invalidator** execution, click **Add policy** and define the required policy.
* Set the **password expiry duration** (e.g., 30 days, 45 days).
* Set the **Minimum length**, **Maximum length**, **Special characters**, **Digit**, **Uppercase** and **Lowercase** policies so that users' passwords meet the required strength.

**Step 4 – Create a Custom Authentication Flow**

* Go to **Realm Settings** → **Authentication**.
* Click on the **Flows** tab.

<figure><img src="/files/hlzINLfB03X3HLlFEZC3" alt=""><figcaption><p>Fig. 4.16.d: Navigating to Authentication ⇒ Flows and duplicate browser form</p></figcaption></figure>

* Create a **duplicate** of the **browser flow** → name it "**password invalidator notification**" and click on **Duplicate**.

<figure><img src="/files/N0mdciYCv6WWlkjsLt5h" alt=""><figcaption><p>Fig. 4.16.e: Duplicating the browser flow for Password Invalidation notification</p></figcaption></figure>

* Click on **Add execution** and search for **Password Invalidator** in the list of executions.

<figure><img src="/files/HXqtQS42OAo7l3Y0Cv6F" alt=""><figcaption><p>Fig. 4.16.f: Add 'Advanced Password Invalidator' execution</p></figcaption></figure>

* Add the **Password Invalidator** execution step.
* Mark it as **Required**.

<figure><img src="/files/ygUsnxsQPhvOGAqLyAzn" alt=""><figcaption><p>Fig. 4.16.g: Change the 'Requirement' for 'password invalidator notifications forms'</p></figcaption></figure>

**Step 5 – Configure the Scheduler & Notifications**

Here the admin needs to set up the following fields:

* **Alias** → A unique name for this configuration.
* **Authenticator Reference** → Optional reference name if needed.
* **Authenticator Reference Max Age** → Maximum validity period for the authenticator.
* **Configure Scheduler** → Turn ON/OFF to start and stop the Password Invalidator Notification.
* **Notification Before Password Expiry** → Select the days before password expiry to send a notification.
* **Duration to send notification** → Select the time format used for sending notifications.

Once the policy is configured, click on **Save**. The system will then start checking password expiry for all existing users.

<figure><img src="/files/jtV8g4gsXJ8sTkzbWDnr" alt=""><figcaption><p>Fig. 4.16.h: Configuration for Password Invalidation Notification</p></figcaption></figure>

**Step 6 – Bind the flow as the Browser flow**

* After setting up the password invalidator flow, bind it to the Browser flow.
* This ensures that the system will check password expiry whenever users log in through the browser.

<figure><img src="/files/MOKPF8RjcjUU0IhYyWCG" alt=""><figcaption><p>Fig. 4.16.i: Proceeding to bind the password invalidator notification flow</p></figcaption></figure>

**Example Scenarios:**

* Scenario 1: Corporate Security Policy
  * **Requirement:** Change passwords every **60 days**.
  * **Solution:** Configure Password Invalidator for **60 days** and enable **7-day warnings**.
* Scenario 2: High-Security Applications
  * **Requirement:** Enforce strict password rules.
  * **Solution:**
    * Set expiry to **30 days**.
    * Require **12-character passwords**.
    * Enforce **password history** to avoid reuse.
* Scenario 3: User Experience Optimization
  * **Requirement:** Notify users early to reduce login issues.
  * **Solution:** Enable **email reminders** **10 days before expiry**.
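
The expiry check and the password-policy validation that these scenarios (and the Step 3 / Step 5 settings) describe, as an added example that is not ZTrust's own code: the policy values are taken from the scenarios above, while the function names, the PBKDF2 hashing and the sample dates and history entry are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib, hmac, string

@dataclass
class InvalidatorPolicy:
    validity_days: int      # password expiry duration (Step 3)
    warn_days: int          # notification sent this many days before expiry (Step 5)
    min_length: int = 8
    max_length: int = 64
    history_size: int = 0   # previous passwords that may not be reused (0 = no history)

# Scenario 1 and Scenario 2 from the page; warn_days and history_size for Scenario 2 are assumed.
CORPORATE = InvalidatorPolicy(validity_days=60, warn_days=7)
HIGH_SECURITY = InvalidatorPolicy(validity_days=30, warn_days=7, min_length=12, history_size=5)

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)   # helper for sample UTC timestamps

def password_state(last_changed, now, policy):
    """Return ("expired"|"warn"|"ok", whole days remaining) for the user's current password."""
    expires_at = last_changed + timedelta(days=policy.validity_days)
    if now >= expires_at:
        return "expired", 0   # Password Invalidator forces a reset at the next login (Step 6)
    remaining = (expires_at - now).days
    return ("warn" if remaining <= policy.warn_days else "ok"), remaining

def hash_password(password, salt):
    # Salted PBKDF2 stands in for whatever hashing the identity store really uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def validate_new_password(candidate, policy, history):
    """history: list of (salt, digest) pairs, most recent first. Returns the list of violations."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append("length")
    classes = [("digit", str.isdigit), ("uppercase", str.isupper), ("lowercase", str.islower),
               ("special", lambda c: c in string.punctuation)]
    problems += [name for name, test in classes if not any(test(c) for c in candidate)]
    for salt, digest in history[:policy.history_size]:   # compare against the last N only
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("history")   # one of the last N passwords is being reused
            break
    return problems

# Constructed sample: one previous password in the user's history.
OLD_SALT = b"constructed-salt"
SAMPLE_HISTORY = [(OLD_SALT, hash_password("Winter2024!x", OLD_SALT))]
```

An empty list from `validate_new_password` means the replacement password satisfies the configured policy; `password_state` returning `"warn"` is the point at which the Step 5 notification would be sent.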

