Determining if a User Has Set a Password in FusionAuth

wesley

How can we determine whether a user has set a password?

The passwordLastUpdateInstant field contains a timestamp, but in cases where a user signed in using a Google Identity Provider (IdP), this does not indicate whether they ever set a password.

Our goal is to allow users who originally authenticated via Google IdP to add a password to their account if they don’t already have one.

wesley

There is no direct way to determine from the user object whether a password has been set.

1. Tracking Login Method (But Not Password Status)

• You can determine how a user logged in by using the authentication_type field in the user.login.success webhook event.
• This will tell you if they authenticated via Google, Password, or another IdP, but it does not indicate whether a password exists.
• Webhook Reference: User Login Success Event

2. Allowing Users to Set or Update a Password

If you want IdP users to be able to set a password, you can enable the User Self-Service Form in FusionAuth.

How to Enable Self-Service Password Management:

1. Navigate to: Application > Registration > Form Settings > User Self Service
2. The default self-service form includes a password field, but you can customize it or create a new form under Customizations > Forms.
3. Once enabled, users can access their account management page to update their password.
4. The Account URL can be found by "Viewing" the FusionAuth Application in the UI.

FusionAuth Account Management

Summary

• FusionAuth does not provide a direct flag to check if a user has a password.
• You can track login methods via webhooks but not password existence.
• The best approach is to enable self-service password management, allowing users to set a password themselves.