Can you change the password policy strength to require all 4 of the character types?

Problem statement

I have a question about the password policy. If you select the policy ‘good’ it must at least contain 3 of the 4 types:

  • lower case
  • upper case
  • numbers
  • special characters

Is there a way to change/influence the password policy so that it must contain all 4 types?

Solution

At this time, this behavior is by design: Auth0 does not force users to meet all four factors. This has been requested in the past, and if you would like to see this functionality in a future release of Auth0, we encourage you to submit a feature request using this form: Auth0 Feedback

There is an alternative approach that leverages a private Auth0 endpoint, for which we do not provide SLAs or support: the auth0/auth0-custom-password-reset-hosted-page repository on GitHub, an example of how to build a custom reset password hosted page.

By using the ‘/lo/reset’ endpoint, you could potentially host your own custom reset password page and code your own password policy checker to conform with your use case. Again, this would be entirely on your side, and Auth0 would not be able to assist in maintaining or troubleshooting this password reset flow if the behavior is not as expected.

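One way to write the policy checker such a custom reset page would run before submitting, shown as an added example that is not part of the original answer or of the auth0 sample repository. The function names, the Unicode-based class definitions and the default minimum length of 8 are assumptions; `minClasses` lets the same check express either the "3 of 4" rule or the "all 4" rule asked about above.

```javascript
// Added example: character-class policy check for a custom reset password page.
// Class definitions below are assumptions, not Auth0's own definitions.
const CLASSES = {
  lower: /\p{Ll}/u,             // any lowercase letter
  upper: /\p{Lu}/u,             // any uppercase letter
  number: /\p{Nd}/u,            // any decimal digit
  special: /[^\p{L}\p{N}\s]/u,  // anything that is not a letter, digit or whitespace
};

// Returns which classes are present and missing, and whether the policy is met.
// minClasses = 3 models "3 of the 4 types"; minClasses = 4 requires all four.
function evaluatePassword(password, { minLength = 8, minClasses = 4 } = {}) {
  const value = typeof password === "string" ? password : "";
  const names = Object.keys(CLASSES);
  const present = names.filter((name) => CLASSES[name].test(value));
  const missing = names.filter((name) => !present.includes(name));
  // Count code points, not UTF-16 units, so an emoji counts as one character.
  const longEnough = Array.from(value).length >= minLength;
  return {
    ok: longEnough && present.length >= minClasses,
    longEnough,
    present,
    missing,
  };
}

// Builds the text a reset form could show next to the password field.
function policyMessage(result, minLength = 8) {
  if (result.ok) return "";
  const parts = [];
  if (!result.longEnough) parts.push(`at least ${minLength} characters`);
  if (result.missing.length > 0) parts.push(result.missing.join(", "));
  return `Password must also contain: ${parts.join("; ")}`;
}

// Constructed sample: passes a 3-of-4 rule but fails when all four are required.
const sample = evaluatePassword("Password1");
console.log(sample.ok, sample.missing, policyMessage(sample));
```

A check that runs only in the page's JavaScript constrains users of that page, not a client that posts to the endpoint directly, so it should be treated as input guidance rather than as the enforcement point.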