Force Password Reset for old passwords

Feature: When using a Database Connection, after a configurable amount of time has passed, a user will be required to change their password the next time they log in.

Description: Time-based password expiration is a very common pattern in my experience. I am surprised that Auth0 does not offer this as a feature out of the box.

It is possible to implement this using extensibility features, but I have two qualms with that.

First, the manner in which I am supposed to implement the feature keeps changing. Originally, the recommendation was to use a Rule to redirect users to the Reset Password page: see this old forum post. Now Rules have been supplanted by Actions, and the link to the example rule has been deleted. The redirection technique also only works for Classic Universal Login. The recommendation for New Universal Login will require a full rewrite.

Second, the new recommended way is just too onerous. It seems that the new pattern requires me to completely reimplement a Password Reset page within my own application, while still using the native Auth0 Password Reset page for other scenarios. We would need to keep branding across the two pages in sync, figure out how to handle multi-app scenarios, and so on. It feels like complete overkill for such a small requirement.

Use-case: My company provides B2B SaaS products in the healthcare industry. We use Auth0 Enterprise to handle IAM for our applications. Compliance and security controls require us to reset passwords on a rolling basis (as I imagine is true for many industries). It would simplify our compliance certification process and take load off of our dev team if we could manage this alongside the rest of our password policy. (It would also allow us to fully switch to New Universal Login, which is blocked for now due to the issues mentioned above.)
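For reference, here is what the redirect-based workaround described in the post looks like as an Auth0 post-login Action. This is an added example, not code from the post's author or from Auth0; it assumes two Action secrets, PASSWORD_MAX_AGE_DAYS and PASSWORD_RESET_URL (the latter an application page that starts the reset flow), and relies on the event fields `event.user.last_password_reset`, `event.user.created_at` and `event.connection.strategy`.

```javascript
// Added example (not the author's or Auth0's own code): a post-login Action that
// forces a password reset when the stored password is older than a maximum age.
// Assumed secrets: PASSWORD_MAX_AGE_DAYS (defaults to 90) and PASSWORD_RESET_URL.
const DAY_MS = 24 * 60 * 60 * 1000;

// Pure policy helper so the rule can be tested outside Auth0. Returns true when
// the password is older than maxAgeDays at time nowMs. Users who never reset
// their password fall back to the account creation date; a missing or
// unparseable date is treated as expired (fail closed) rather than skipping
// the check silently.
function passwordResetRequired(user, nowMs, maxAgeDays) {
  const stamp = user.last_password_reset || user.created_at;
  if (!stamp) return true;
  const ageMs = nowMs - Date.parse(stamp);
  if (Number.isNaN(ageMs)) return true;
  return ageMs > maxAgeDays * DAY_MS;
}

const onExecutePostLogin = async (event, api) => {
  // Only database (username/password) connections own a password that can
  // expire; social and enterprise identities are governed by the upstream IdP.
  if (event.connection.strategy !== 'auth0') return;
  const maxAgeDays = Number(event.secrets.PASSWORD_MAX_AGE_DAYS || 90);
  if (!passwordResetRequired(event.user, Date.now(), maxAgeDays)) return;
  // Interrupt the login and send the user to the reset page. The reset page
  // should not send the user back to /continue: completing this login would
  // issue tokens for the still-expired password. After a successful reset
  // Auth0 updates last_password_reset, so the next login passes the check.
  api.redirect.sendUserTo(event.secrets.PASSWORD_RESET_URL, {
    query: { reason: 'password_expired' },
  });
};

// Auth0 Actions export the handler as exports.onExecutePostLogin.
if (typeof module !== 'undefined') module.exports = { onExecutePostLogin };
```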

Hey there!

Thank you for creating this feedback card. Hope it’s gonna attract as many other community members as possible!