Feature request: Password policy require 4 of 4 requirements

Feature: Allow configuration to enforce 4 of 4 requirements when setting/resetting passwords

Description: Currently all password levels require the user to meet 3 out of 4 requirements (special characters, numbers, lowercase, uppercase) when setting/resetting the password. It would be nice if the lock widget configuration could take an attribute to change this (our requirement would be 4/4).

Use-case: We work with the pharma industry which is heavily regulated and recently more focused on cyber security. They are looking to maximise security wherever possible, including strong password policies, MFA, etc. Currently the password policy setting is the main focus to improve our customers confidence in authentication and password strength.

Hey there Roland!

Thanks for creating this feature request. Let’s see who else from community will be interested in such addition!

For my organization, not having this feature is reason enough to leave Auth0. Our customers are enterprise companies that have strict security standards. As it stands, we cannot comply with their standards.

Thank you @d.michalakos for providing your +1 to this! I’ll make sure to relay it to appropriate team!

This is really important for us at the moment, as a financial institution, not having 4/4 is a problem with many security audits.

This feature is very important to our financial institution. We receive security audits and this feature 3/4 signifies a problem.

Thanks for sharing with us, the feature’s is too important for my crediblebh.

It’s mandatory for secure password and mandatory for financial institutions operations in Colombia

+1 Same use-case here, may we know the status of this? Thanks

Hey there!

Compared to other product feedback in the gathering it still didn’t have enough voices / advocates and there are other features that are more significant to implement. As soon as anything changes I will give you an update!

Hey @konrad.sopala,
would like to have a status\roadmap regarding this feature.
thanks!

I’m doing my best as a community engineer advocating for that. As soon as I have it I will share it here!

Hi @konrad.sopala we just recognized this missing setting and we would need this very urgent! It seems strange to provide Attack Protection features, but not to consider these “standard” 4/4 requirements by choosing a password. Imaging someone would use a weak password with 6 characters e.g 123456, without special characters nor uppercases, … Unfortunately, we already implemented Auth0 as SSO service in more than 13 of our websites. This is actually a huge problem.

Hey there!

In the case you mentioned they won’t be able to login. Our product team is constantly checking our Feedback category so the best we can do to make this feature more likely to be implemented is to upvote it. Thank you!

+1 Same use-case here. It really important in terms of security concern to enable 4/4 conditions.

+1 for 4/4 conditions. Its critical requirement for our financial institution

This needs to be improved - 3/4 requirements at 8 or 10 characters is too weak. As others have already stated, there are situations where this doesn’t meet security standards.

+1 This should be a primary thing in Auth0

Thanks everyone for upvoting it and sharing your feedback. I’ll make sure to relay that to our product team!

+1 really need this to meet our security standards requirements