My company is pursuing a new security certification. We have a requirement to develop a procedure whereby passwords are changed in the event of a security incident or suspected system compromise.
I know that we can reset the password of a particular user using the API or Dashboard. But in a situation where we are responding to a potentially compromised system, we may need to change the passwords for many users.
What would be the best way to handle this in Auth0? Is there any option besides just walking through every user one by one? Could we reset passwords for all users in a particular group somehow, like all users in one Organization or in one Database Connection?
A bulk password_reset endpoint is important for these cases.
Our team is answering our frequently asked questions.
Currently, there is no official Auth0 solution for this issue. We recommend voting for this feature request in the community for a quick solution to a compromised system:
Bulk Deleting Users - Feature Request.
As a possible workaround, you can create a Post-Login Action to check the last_password_reset claim for Databases during a user login. If the user hasn’t updated their password since the incident, you can prompt them to reset their password and redirect them to the logout endpoint and an error page.
Please note that this is just an idea of an implementation, and you’ll need to customize the logic to suit your specific needs. One important consideration is avoiding rate limits, which can impact your solution. You can find more details about rate limits here: Auth0 Rate Limit Policy.
Hope this helps