Feature: Add the dynamic ability to disable accounts after xx days of inactivity.
Description: PCI DSS 8.2.6 requires that any user account that has not logged in for 90 days be disabled or deleted.
Use-case: We have created a complex post-login action, but it:
- Runs only after a user signs in.
- Doesn't touch accounts that stay silent for 90 days or more.
- Does not really comply with PCI DSS 8.2.6, as it is not dynamically checking accounts.
The Auth0 community suggestion is:
- Build an external job that polls Auth0 and blocks stale accounts.
- This adds another moving part, an external dependency that will grow with every new user.
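To make the two points above concrete, here is an added example (not the poster's action and not Auth0's code) of what the suggested external job looks like when written as a sweep over the tenant's users. The pure selection rule is separated from the network calls so it can be checked offline, and the sweep is dry-run by default. It assumes user records shaped like the Management API's `GET /api/v2/users` response (`user_id`, `last_login`, `created_at`, `blocked`) and that blocking is done with `PATCH /api/v2/users/{id}` and the body `{"blocked": true}`; the sample records and the `SAMPLE_NOW` timestamp are constructed.

```javascript
// Added example: a PCI DSS 8.2.6 style inactivity sweep as an external job.
// Assumptions (not from the original post): user records have the shape of the
// Management API's GET /api/v2/users response, and blocking uses
// PATCH /api/v2/users/{id} with {"blocked": true}. Sample data is constructed.

const INACTIVITY_DAYS = 90;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// ISO date (YYYY-MM-DD) before which an account counts as inactive.
function inactivityCutoff(now, thresholdDays = INACTIVITY_DAYS) {
  return new Date(now - thresholdDays * MS_PER_DAY).toISOString().slice(0, 10);
}

// Last sign-in, or the creation time for accounts that never signed in: the
// post-login action can never see those, but the 90-day rule still applies.
function lastActivity(user) {
  const stamp = user.last_login || user.created_at;
  return stamp ? Date.parse(stamp) : NaN;
}

// Pure selection rule: which of `users` should be blocked as of `now`.
// Already-blocked accounts are skipped; records with no usable timestamp are
// reported under `unknown` so they are reviewed rather than silently ignored.
function selectStaleUsers(users, now, thresholdDays = INACTIVITY_DAYS) {
  const cutoff = now - thresholdDays * MS_PER_DAY;
  const stale = [];
  const unknown = [];
  for (const u of users) {
    if (u.blocked) continue;
    const t = lastActivity(u);
    if (Number.isNaN(t)) unknown.push(u.user_id);
    else if (t <= cutoff) stale.push(u.user_id);
  }
  return { stale, unknown };
}

// Constructed sample records (not real tenant data) around a fixed "now".
const SAMPLE_NOW = Date.parse("2024-06-01T00:00:00Z");
const SAMPLE_USERS = [
  { user_id: "auth0|active", last_login: "2024-05-20T10:00:00Z", created_at: "2023-01-01T00:00:00Z", blocked: false },
  { user_id: "auth0|stale", last_login: "2024-02-01T10:00:00Z", created_at: "2023-01-01T00:00:00Z", blocked: false },
  { user_id: "auth0|never-logged-in-old", created_at: "2023-12-01T00:00:00Z", blocked: false },
  { user_id: "auth0|never-logged-in-new", created_at: "2024-05-15T00:00:00Z", blocked: false },
  { user_id: "auth0|already-blocked", last_login: "2023-06-01T00:00:00Z", created_at: "2023-01-01T00:00:00Z", blocked: true },
  { user_id: "auth0|no-timestamps", blocked: false },
];

// The sweep itself. `fetchImpl` defaults to the global fetch (Node 18+) and is
// injectable so the job can be exercised against a stub. Dry-run by default:
// it returns the ids it would block without sending any PATCH.
// Note: offset paging (page/per_page) on the users endpoint stops at 1000
// results in Auth0; a larger tenant needs the bulk user export job instead,
// which is exactly the "grows with every new user" cost the post describes.
async function runSweep({ domain, token, now = Date.now(), dryRun = true, fetchImpl = globalThis.fetch }) {
  const headers = { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
  const blocked = [];
  for (let page = 0; ; page++) {
    const res = await fetchImpl(`https://${domain}/api/v2/users?page=${page}&per_page=100`, { headers });
    if (!res.ok) throw new Error(`user listing failed: HTTP ${res.status}`);
    const users = await res.json();
    if (users.length === 0) break;
    const { stale } = selectStaleUsers(users, now);
    for (const id of stale) {
      if (!dryRun) {
        const r = await fetchImpl(`https://${domain}/api/v2/users/${encodeURIComponent(id)}`,
          { method: "PATCH", headers, body: JSON.stringify({ blocked: true }) });
        if (!r.ok) throw new Error(`block of ${id} failed: HTTP ${r.status}`);
      }
      blocked.push(id);
    }
  }
  return blocked;
}

// Offline demonstration of the rule on the constructed data.
console.log(inactivityCutoff(SAMPLE_NOW), selectStaleUsers(SAMPLE_USERS, SAMPLE_NOW));
```

Run the sweep with `dryRun: true` first and diff its output against the `unknown` list; accounts that never signed in and accounts with missing timestamps are the cases a post-login action structurally cannot reach, which is the gap the feature request is about. The token needs the `read:users` and `update:users` Management API scopes, and the listing could be narrowed server-side with a Lucene `q` filter on `last_login`, both of which are outside what this example exercises.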