Problem statement
Security questions about application access and password management for a security compliance review:
- Do passwords expire or become invalid after a certain time period, both for admins and end-users?
- Is an admin or end-user locked out after their password has been incorrect a certain number of times? If so, how many times?
- Does the Auth0 web application lock the admin or end-user out if they have been inactive after a certain time period?
Solution
- Do passwords expire or become invalid after a certain time period both for admins and end-users?
For admins of an Auth0 tenant, passwords do not expire, and this is not configurable. Regular end-users do not have a password expiry policy by default either; however, it is possible to configure this functionality.
- Is an admin or end-user locked out after their password has been incorrect a certain number of times? If so, how many times?
For an Auth0 admin, after ten incorrect login attempts, the account will be locked. For an end-user, this can be customized with Auth0’s Brute Force Protection features.
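For a compliance review, the end-user lockout threshold is something to verify against the tenant's actual Brute Force Protection configuration rather than assume. The following script is an added example (not from the original article and not Auth0's own code). It assumes the Management API endpoint GET /api/v2/attack-protection/brute-force-protection returns a JSON object with the fields enabled, shields, allowlist, mode and max_attempts; the sample responses are constructed, and the domain and token in fetch_config are placeholders.

```python
"""Evaluate an Auth0 tenant's brute-force-protection settings against a
lockout policy. Added example; field names are assumed from the
Management API, and the sample responses below are constructed."""
import json
import urllib.request
from typing import Dict, List

# Constructed sample: what a compliant tenant might return.
SAMPLE_RESPONSE = json.dumps({
    "enabled": True,
    "shields": ["block", "user_notification"],
    "allowlist": [],
    "mode": "count_per_identifier_and_ip",
    "max_attempts": 10,
})

# Constructed sample: a weakened configuration for comparison.
WEAK_RESPONSE = json.dumps({
    "enabled": True,
    "shields": ["user_notification"],      # notifies but never blocks
    "allowlist": ["203.0.113.0/24"],       # documentation range, constructed
    "mode": "count_per_identifier",
    "max_attempts": 50,
})


def evaluate_brute_force_config(raw_json: str, max_allowed_attempts: int = 10) -> List[str]:
    """Return a list of policy findings; an empty list means the
    configuration meets the policy (lockout on or before the limit)."""
    cfg: Dict = json.loads(raw_json)
    findings: List[str] = []

    if not cfg.get("enabled", False):
        findings.append("brute-force protection is disabled")

    attempts = cfg.get("max_attempts")
    if attempts is None:
        findings.append("max_attempts is not set")
    elif attempts > max_allowed_attempts:
        findings.append(
            f"max_attempts={attempts} exceeds policy limit of {max_allowed_attempts}"
        )

    # Without the "block" shield, repeated failures only trigger notifications.
    if "block" not in cfg.get("shields", []):
        findings.append("'block' shield not enabled; accounts are not locked on repeated failures")

    # Allowlisted sources bypass the protection entirely; review each entry.
    if cfg.get("allowlist"):
        findings.append(f"allowlist bypasses protection for: {cfg['allowlist']}")

    return findings


def fetch_config(domain: str, token: str) -> str:
    """Retrieve the live configuration (placeholder domain/token; assumes the
    Management API endpoint and a token with the read:attack_protection scope)."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/attack-protection/brute-force-protection",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, body in (("compliant", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, evaluate_brute_force_config(body) or ["no findings"])
```

Run it as-is to see the findings on the constructed samples; to check a real tenant, replace the sample with the body returned by fetch_config for your domain and a Management API token.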
- Does the Auth0 dashboard or Auth0-protected application lock the admin or end-user out if they have been inactive after a certain time period?
Neither dashboard admins nor end-users are locked out of an application after a period of inactivity. If an authenticated session expires due to inactivity, the user is prompted to log in again.