disable or delete any user who has not logged in for xx days

Feature: Add the dynamic ability to disable account after xx days of inactivity.

Description: PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days

Use-case: We have created a complex post-login action, but:

  • Runs only after a user signs in.
  • Doesn’t touch accounts that stay silent for 90 days or more
  • Does not really comply with PCI DSS 8.2.6 as it is not dynamically checking accounts.

The Auth0 community suggestion is:

  • Build an external job that polls Auth0 and blocks stale accounts.
  • Adds another moving part, an external dependency, that will grow with every new user.
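The external job that the community suggestion describes, as an added Python example (not code from the original post or from Auth0). It assumes the Management API endpoints GET /api/v2/users and PATCH /api/v2/users/{id}, the environment variables AUTH0_DOMAIN and AUTH0_MGMT_TOKEN, and uses a constructed sample of user records for the offline check; the never-logged-in and already-blocked cases are handled explicitly because a plain last_login filter misses them.

```python
# Added example, not code from the original post or from Auth0: the external
# job that polls Auth0 and blocks stale accounts. Assumes AUTH0_DOMAIN and
# AUTH0_MGMT_TOKEN (a Management API token with read:users and update:users).
import json, os, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # PCI DSS 8.2.6 threshold quoted in the post
SAMPLE_USERS = [  # constructed sample of Auth0 user records (needed fields only)
    {"user_id": "auth0|stale", "last_login": "2024-02-01T09:00:00.000Z",
     "created_at": "2023-01-01T00:00:00.000Z"},
    {"user_id": "auth0|never", "created_at": "2024-01-10T00:00:00.000Z"},
    {"user_id": "auth0|done", "last_login": "2023-01-01T00:00:00.000Z",
     "created_at": "2022-01-01T00:00:00.000Z", "blocked": True},
]

def parse_ts(value):  # Auth0 timestamps look like 2024-01-15T10:20:30.123Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_users(users, now, days=INACTIVITY_DAYS):
    """user_ids to disable: last_login older than `days`. Never-logged-in accounts
    have no last_login, so created_at stands in. Blocked accounts are skipped."""
    cutoff = now - timedelta(days=days)
    return [u["user_id"] for u in users if not u.get("blocked")
            and parse_ts(u.get("last_login") or u["created_at"]) < cutoff]

def api(domain, token, method, path, body=None):
    req = urllib.request.Request(
        f"https://{domain}/api/v2/{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def run(domain, token):
    users, page = [], 0  # paged listing; Auth0 caps paging at 1000 users,
    while True:          # so larger tenants should use a user export job
        q = urllib.parse.urlencode({"page": page, "per_page": 100,
                                    "fields": "user_id,last_login,created_at,blocked"})
        batch = api(domain, token, "GET", f"users?{q}")
        if not batch:
            break
        users.extend(batch)
        page += 1
    for uid in stale_users(users, datetime.now(timezone.utc)):
        api(domain, token, "PATCH", f"users/{urllib.parse.quote(uid, safe='')}",
            {"blocked": True})

if __name__ == "__main__":  # live run; needs the two environment variables set
    run(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_MGMT_TOKEN"])
```

Schedule `run()` daily; `stale_users(SAMPLE_USERS, parse_ts("2024-06-01T00:00:00.000Z"))` shows the selection logic without touching a tenant.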

Hi there!

Welcome to the Auth0 Community!

Thank you for taking the time to create this feedback card. Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible.

Thanks
Dawid