Authenticate users

FileMaker Pro custom apps require users to authenticate with an account name and password combination. Each account access entry you create in FileMaker Pro is given access privileges based on the associated privilege set. See Define privilege sets.

Create a unique account access entry for each user or group. This allows you to track who is creating or modifying individual records or taking other actions in your custom app. Track this information by using auto-enter field settings or by using the Get(AccountName) function in calculations and scripts. See Use functions, scripts, and script triggers to enhance security.

FileMaker custom apps can authenticate accounts internally, with an external authentication server, with an OAuth identity provider, or, in the case of a FileMaker Cloud host, with the Claris ID identity provider or an external IdP.

  • With internal authentication, the account names and passwords are stored within the custom app. All security for an app is set up in FileMaker Pro without server software. Accounts authenticated with FileMaker files are supported by all hosts except FileMaker Cloud.

    If there are five invalid login attempts within five minutes against a FileMaker file account, the account is temporarily locked for five minutes. The lockout affects only FileMaker accounts and has no impact on clients. Users can use a different valid account to sign in to a client. See "Editing FileMaker file accounts" in FileMaker Pro Help.

  • With external authentication (via Open Directory or Active Directory) or with OAuth identity provider authentication, FileMaker Pro stores only user and group names. FileMaker clients interact with an external server or OAuth identity provider to authenticate a user's account credentials. The custom app must be hosted by FileMaker Server, and the host must be configured to allow external authentication or individual OAuth identity providers. See Set up external authentication and Set up OAuth identity provider authentication.

  • With Claris ID and external IdP authentication, FileMaker Pro stores a name and a universally unique ID (UUID) for each Claris ID or external IdP user or group you create an account access entry for. Changing user names (email addresses) or group names won't require custom app developers to make changes in FileMaker Pro files, because UUIDs are used internally to identify users and groups.

    FileMaker clients interact with the Claris ID identity provider or external IdP to authenticate users' account credentials. The custom app must be hosted by FileMaker Cloud. In Claris Customer Console, a FileMaker Cloud team manager must add users to the team that the host is associated with. A team manager can also create groups of users, so a custom app developer can grant account access to groups in FileMaker Pro without having to update the app as users are added or removed. See Set up Claris ID or external IdP authentication.
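The lockout rule for FileMaker file accounts described above (five invalid attempts within five minutes, then a five-minute lock) can be modelled over sign-in events to see which accounts would have been locked and when. This is an added example, not Claris code. The event tuple layout, the sliding-window reading of "within five minutes", and the treatment of successful sign-ins and of attempts made during a lockout are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds from the lockout rule described above.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=5)

# Constructed sample events (timestamp, account, outcome). This layout is
# hypothetical and is not a FileMaker log format.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "jsmith", "fail"),
    ("2024-03-01T09:00:00", "mlee", "fail"),
    ("2024-03-01T09:00:40", "jsmith", "fail"),
    ("2024-03-01T09:01:00", "admin", "ok"),
    ("2024-03-01T09:01:30", "jsmith", "fail"),
    ("2024-03-01T09:02:00", "mlee", "fail"),
    ("2024-03-01T09:02:10", "jsmith", "fail"),
    ("2024-03-01T09:03:00", "jsmith", "fail"),   # fifth failure in 3 minutes
    ("2024-03-01T09:04:00", "jsmith", "fail"),   # arrives during the lockout
    ("2024-03-01T09:04:00", "mlee", "fail"),
    ("2024-03-01T09:06:00", "mlee", "fail"),
    ("2024-03-01T09:08:00", "mlee", "fail"),     # five failures, spread over 8 minutes
]

def find_lockouts(events):
    """Return (account, locked_at, unlocks_at) for each modelled lockout."""
    recent = {}        # account -> failure times still inside the window
    locked_until = {}  # account -> end of the current modelled lockout
    lockouts = []
    for stamp, account, outcome in sorted(events):
        now = datetime.fromisoformat(stamp)
        if outcome != "fail":
            continue  # assumption: a successful sign-in does not reset the count
        if now < locked_until.get(account, datetime.min):
            continue  # assumption: attempts during a lockout are not counted
        window = recent.setdefault(account, deque())
        window.append(now)
        while now - window[0] > WINDOW:
            window.popleft()  # drop failures older than five minutes
        if len(window) >= MAX_FAILURES:
            locked_until[account] = now + LOCKOUT
            lockouts.append((account, now, now + LOCKOUT))
            window.clear()
    return lockouts

if __name__ == "__main__":
    for account, start, end in find_lockouts(SAMPLE_EVENTS):
        print(f"{account}: locked {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Slow, spread-out failures such as those for `mlee` never reach the threshold, so a review of failed sign-ins should not rely on lockouts alone.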