Force a password reset after X days

Problem statement

This article explains how to force users to change their password once a set number of days has elapsed since it was last set. For example, they must change their password every 90 days.

Solution

An action that can force password rotation has been introduced.

NOTE: This facility is limited to users who belong to Auth0 database connections. Users associated with other types of connections (e.g., Enterprise connections and social providers such as Google) have their own mechanisms for managing user passwords.

Choosing this option will help to increase the security posture of tenant applications. The Action can be used with the Password History setting available to Auth0 database connections. The intention of this policy is to:

  • Force users to change their password at predefined intervals (e.g., 60 days).
  • Prevent users from re-using passwords that have previously been used.

For more information, refer to Password Options in Auth0 Database Connections.

Add the Auth0 Action

NOTE: It is strongly recommended that Actions be first developed and tested in a Development tenant before being deployed to a Production environment. For more information, refer to Set Up Multiple Environments.

  1. Log in to the dashboard as a tenant administrator (Member).
  2. Navigate to Actions > Library.
  3. Click Create Action: a drop-down list will appear.
  4. Select the option Use a Marketplace Integration.
  5. A window will appear that provides the facility to browse or search for pre-built Actions: in the search box, type “Password Rotation.”
  6. Click Password Rotation to access the installation screen.
  7. Click Installation.
  8. Read and understand the information about the Password Rotation action.
  9. Click Add Integration.
  10. Click Continue.
  11. Configure the Action with the desired expiration period (in days) and the error message.
  12. Click Create.
  13. The Password Rotation action will be installed.

Associate the action with a Flow

Once installed, the action must be associated with a Login flow.

  1. Navigate to Actions > Flows.
  2. Click Login.

Password Rotation (seen here on the right-hand side of the screen) is active and associated with the Login flow.
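As an added example (not the Marketplace integration's own code), the post-login Action below implements the same policy by hand: it reads the configured expiry period and error message from the Action's secrets (assumed names PASSWORD_MAX_AGE_DAYS and EXPIRED_MESSAGE), skips users on non-database connections, and denies the login when the password is older than the limit. The sample event at the bottom is constructed for offline testing.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns the deny message when the login must be blocked, otherwise null.
// `now` is injectable so the check can be exercised offline.
function rotationDecision(event, now = new Date()) {
  // Only Auth0 database connections (strategy "auth0") store the password in
  // Auth0; Enterprise and social identities manage their own passwords.
  if (!event.connection || event.connection.strategy !== 'auth0') return null;
  const secrets = event.secrets || {};
  const maxAgeDays = Number(secrets.PASSWORD_MAX_AGE_DAYS || 90); // assumed secret name
  // last_password_reset is absent for users who never changed their password;
  // fall back to the account creation time so the initial password also expires.
  const lastChange = event.user.last_password_reset || event.user.created_at;
  if (!lastChange) return null;
  const ageDays = (now.getTime() - Date.parse(lastChange)) / DAY_MS;
  if (ageDays <= maxAgeDays) return null;
  return secrets.EXPIRED_MESSAGE || // assumed secret name
    `Your password is more than ${maxAgeDays} days old and must be reset.`;
}

// Auth0 post-login Action entry point; in the Action editor this is exported
// as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const reason = rotationDecision(event);
  if (reason) api.access.deny(reason);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample: a database user whose password was last reset 100 days
// before `sampleNow` with a 90-day limit, so the login is denied.
const sampleEvent = {
  connection: { strategy: 'auth0', name: 'Username-Password-Authentication' },
  secrets: { PASSWORD_MAX_AGE_DAYS: '90', EXPIRED_MESSAGE: 'Password expired; please reset it.' },
  user: {
    user_id: 'auth0|example-user',
    created_at: '2024-01-01T00:00:00.000Z',
    last_password_reset: '2024-03-01T00:00:00.000Z',
  },
};
const sampleNow = new Date('2024-06-09T00:00:00.000Z');
console.log(rotationDecision(sampleEvent, sampleNow)); // prints "Password expired; please reset it."
```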

An alternative solution that uses Rules

NOTE: Beginning October 16th, 2023, Rules and Hooks will no longer be available to new tenants. Actions is our offering, which unifies all the extensibility of Rules and Hooks and more. For existing users of Rules and Hooks, these features will no longer be available as of November 18th, 2024.

Using a Rule, it is possible to check when a user’s password was last reset, as described in this Check-Last-Password-Reset code sample. However, this method just blocks the login attempt. A better user experience is to use this approach in combination with logic for checking when the password was last reset, then force a change of password. For more information, refer to the sample code in Force-Password-Change-Example.

Related References