Security Questions About Password Management

Problem statement

Security questions about application access and password management for a security compliance review:

  1. Do passwords expire or become invalid after a certain time period, both for admins and end-users?
  2. Is an admin or end-user locked out after their password has been incorrect a certain number of times? If so, how many times?
  3. Does the Auth0 web application lock the admin or end-user out if they have been inactive after a certain time period?

Solution

  1. Do passwords expire or become invalid after a certain time period both for admins and end-users?

For admins of an Auth0 tenant, passwords do not expire, and this is not configurable. Regular end-users do not have a password expiry policy by default either; however, it is possible to configure one.
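One way an end-user password expiry policy can be enforced is with a Post-Login Action that compares the user's last password change against a maximum age. This is an added example, not code from the Auth0 article; it assumes the Actions hook `onExecutePostLogin(event, api)`, the profile timestamps `event.user.last_password_reset` and `event.user.created_at`, `event.connection.strategy`, and `api.access.deny(reason)`, and the 90-day limit is a value chosen for the example.

```javascript
// Added example: enforce a maximum password age for database end-users in an
// Auth0 Post-Login Action. Assumed API surface: onExecutePostLogin(event, api),
// event.user.last_password_reset / event.user.created_at (ISO-8601 strings),
// event.connection.strategy, api.access.deny(reason).

const MAX_PASSWORD_AGE_DAYS = 90; // example policy value, not an Auth0 default

// Pure decision logic, kept separate from the Action entry point so it can be
// unit-tested offline. Returns the age in whole days, or null if no usable date.
function passwordAgeDays(user, now = new Date()) {
  // last_password_reset is set when the user changes their password; a user who
  // never has will only carry created_at, so fall back to that.
  const ref = user.last_password_reset || user.created_at;
  if (!ref) return null;
  const refMs = Date.parse(ref);
  if (Number.isNaN(refMs)) return null;
  return Math.floor((now.getTime() - refMs) / 86400000);
}

function isPasswordExpired(user, now = new Date(), maxAgeDays = MAX_PASSWORD_AGE_DAYS) {
  const age = passwordAgeDays(user, now);
  // Fail closed: a profile with no parseable date is treated as expired so a
  // broken or incomplete record cannot silently bypass the policy.
  if (age === null) return true;
  return age > maxAgeDays;
}

// Action entry point. Only database connections ("auth0" strategy) have an
// Auth0-managed password; social and enterprise identities are skipped.
const onExecutePostLogin = async (event, api) => {
  if (!event.connection || event.connection.strategy !== 'auth0') return;
  if (isPasswordExpired(event.user)) {
    api.access.deny('password_expired: reset your password before signing in');
  }
};

// Auth0 reads exports.onExecutePostLogin; the helpers are exported for tests.
if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, passwordAgeDays, isPasswordExpired };
}
```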

  2. Is an admin or end-user locked out after their password has been incorrect a certain number of times? If so, how many times?

For an Auth0 admin, after ten incorrect login attempts, the account will be locked. For an end-user, this can be customized with Auth0’s Brute Force Protection features.

  3. Does the Auth0 dashboard or Auth0-protected application lock the admin or end-user out if they have been inactive after a certain time period?

Neither dashboard admins nor end-users are locked out of an application after a period of inactivity. If an authenticated session expires due to inactivity, the user is prompted to log in again.