disable or delete any user who has not logged in for xx days

Feature: Add the dynamic ability to disable accounts after xx days of inactivity.

Description: PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days

Use-case: We have created a complex post-login action, but it:

  • Runs only after a user signs in.
  • Doesn’t touch accounts that stay silent for 90 days or more
  • Does not really comply with PCI DSS 8.2.6 as it is not dynamically checking accounts.

The Auth0 community suggestion is:

  • Build an external job that polls Auth0 and blocks stale accounts.
  • This adds another moving part, an external dependency, that will grow with every new user.