disable or delete any user who has not logged in for xx days

paul.mugford · July 1, 2025, 4:03pm

Feature: Add the dynamic ability to disable account after xx days of inactivity.

Description: PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days

Use-case: We have created a complex post login action but

Runs only after a user signs in.
Doesn’t touch accounts that stay silent for 90 days or more
Does not really comply with PCI DSS 8.2.6 as it is not dynamically checking accounts.

The Auth0 community suggestion is :-

Build an external job that polls Auth0 and blocks stale accounts.
Adds another moving part an external dependancy that will grow with every new user.

dawid.matuszczyk · July 22, 2025, 5:24pm

Hi there!

Welcome to the Auth0 Community!

Thank you for taking the time to create this feedback card. Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible.

Thanks
Dawid

Topic		Replies	Views
Deactivation/Block Users after 90 Days of Inactivity - How do you meet PCI DSS 8.2.6 in Auth0? Get Help user-profile , user-management	2	37	June 30, 2025
Deactivate (or block) users after X number of days Get Help	4	5527	February 27, 2020
Deleted users are able to reactivated their accounts by logging in (social users) Get Help login-experience , new-universal-login-experience	5	1228	October 16, 2023
Deactivation or Block Users after X Number of Days of Inactivity Knowledge Articles inactivity , blocked-user	1	509	April 26, 2024
Destroy session after user delete Get Help delete-user , sessions	5	6494	March 12, 2021

disable or delete any user who has not logged in for xx days

Related topics