Auth0 does not have an out-of-the-box method of achieving this use case; however, both of the options you have mentioned above can be considered here.
For verifying a user’s current password before an update, the recommended approach is to implement a re-authentication or step-up flow. This ensures that the user is currently present and authorized to perform a sensitive account change. For regular users, this usually involves a simple password re-entry, while admin users should be required to complete a multi-factor authentication (MFA) challenge to mitigate the risk of account takeover.
If you choose to use a step-up re-authentication flow with the prompt=login parameter, you are leveraging the most secure OIDC-native method. This approach is highly secure because your application never handles the user’s current plain-text credentials, as Auth0 manages the entire validation process on its hosted pages. However, the user experience suffers slightly because it requires a full redirect away from your application to the Auth0 Universal Login page and back, which can feel disruptive to a seamless in-app journey.
If you opt for the Resource Owner Password Grant (ROPG) via the /oauth/token endpoint, your backend collects the current password to “test” it against Auth0. This provides a superior user experience because it allows the user to stay entirely within your application’s custom UI without redirects. The significant security drawback is that your application infrastructure temporarily touches the user’s current password, increasing the risk of credential exposure. This is presented as an option in this article as well - Verify Current Password Before Changing to New One.
To ensure the security of both regular and admin users, you should implement a multi-layered defense strategy during the password change process. You must apply strict rate limiting on your password-validation endpoint to prevent malicious actors from using the form to brute-force current passwords, which protects your users from credential stuffing. It is also essential to trigger an automated email notification to the user immediately after any successful change, as this serves as a critical alert in case of an unauthorized account takeover. For admins specifically, a password check alone could be insufficient, so you should also enforce an MFA challenge, since a password alone is not a sufficient safeguard for accounts with elevated access to your system’s infrastructure.
I hope this helps and if you have further questions please let me know!
Kind regards,
Remus
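The following is an added Python example, not code from the thread or from Auth0's own SDKs, illustrating the defender-side pieces described above: building the prompt=login step-up request, checking that the resulting ID token proves a fresh re-authentication (and an MFA factor for admins), and rate limiting the endpoint that tests the current password via ROPG. The tenant domain, client ID, the 300-second freshness window and the use of the amr claim are assumptions; signature and audience verification of the ID token is assumed to happen before these checks.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlencode

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder, not a real tenant
CLIENT_ID = "YOUR_CLIENT_ID"            # placeholder
MAX_AGE_SECONDS = 300                   # assumption: re-auth must be < 5 min old


def build_step_up_url(redirect_uri, state, nonce):
    """Authorize URL for a step-up flow: prompt=login forces a fresh login,
    max_age asks the IdP to include auth_time in the ID token (OIDC core)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "prompt": "login",
        "max_age": str(MAX_AGE_SECONDS),
        "state": state,   # CSRF binding, generated per request
        "nonce": nonce,   # replay binding for the ID token
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def step_up_satisfied(claims, is_admin, now=None):
    """Given already signature-verified ID token claims, decide whether they
    prove a recent re-authentication. Admins must also show an MFA factor
    in the amr claim (assumption: the IdP reports it as 'mfa')."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False  # no auth_time means freshness cannot be proven
    if now - auth_time > MAX_AGE_SECONDS:
        return False  # login too old: require the user to step up again
    if is_admin and "mfa" not in claims.get("amr", []):
        return False  # elevated account without an MFA factor
    return True


class PasswordCheckLimiter:
    """Sliding-window limiter keyed per user (or per user+IP) for the
    current-password check, so the form cannot be used to brute-force."""

    def __init__(self, max_attempts=5, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True
```

Call `allow()` before forwarding any credentials to /oauth/token, and treat a failed `step_up_satisfied()` as "redirect to the step-up URL again" rather than as an error the user can retry in place.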