On July 19, 2022, a security consultancy firm released a blog post with claims related to the security of specific features for the Okta service. The areas of concern highlighted by the security consultancy firm are not vulnerabilities specific to the Okta service. Refer to the Okta blog in response to the security report for further details. Product & Security teams at Auth0, an Okta product unit, conducted a thorough review and determined that the risks in the referenced report do not apply to the Auth0 product.
To use SCIM with Auth0, our customers are expected to contact professional services to securely configure and deploy custom SCIM solutions as referenced here.
Additionally, Auth0 enforces HTTPS in all Auth0 controlled data transfer channels.
What to do if you are an Auth0 customer
At this point, no action is needed for Auth0 customers. We advise the following best practice recommendations, which you should consider in the context of your specific configuration.
- Always use HTTPS to ensure the secure transmission of data.
- Enable MFA for all user accounts. MFA should be enforced for all dashboard users who have privileged tenant access. Auth0 encourages all users, not just admins, to require MFA on their accounts.
- Utilize Auth0’s Dashboard Role-Based Access Control to provide finer-grained access controls to dashboard users.
- Perform periodic access reviews of dashboard role assignments and ensure access is limited to authorized personnel.
- Monitor and periodically review the actions performed by dashboard users recorded in the tenant logs.
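The last two recommendations (periodic access reviews and monitoring of dashboard user actions in the tenant logs) can be combined into one routine check. The following is an added example, not Auth0's own code or tooling: it reads a newline-delimited export of tenant log records, picks out Management API operations made through the dashboard, flags write operations against resources that change who can do what in the tenant, and reports any actor who is not on the list of personnel authorized in the last access review. The sample records are constructed, and the event type codes (`sapi`/`fapi`) and the `details.request.{method,path,auth.user.email}` field layout are assumptions about the export shape; confirm them against your own tenant's log output before relying on the parsing.

```python
import json
from collections import Counter

# Constructed sample of tenant log records in newline-delimited JSON (not real data).
# Field names and the sapi/fapi event types are assumptions about the export shape.
SAMPLE_LOG = """
{"date":"2022-07-20T09:01:10.000Z","type":"sapi","ip":"203.0.113.10","details":{"request":{"method":"GET","path":"/api/v2/users","auth":{"user":{"email":"alice@example.com"}}}}}
{"date":"2022-07-20T09:05:42.000Z","type":"sapi","ip":"203.0.113.10","details":{"request":{"method":"POST","path":"/api/v2/users/auth0|abc/roles","auth":{"user":{"email":"alice@example.com"}}}}}
{"date":"2022-07-20T11:17:03.000Z","type":"sapi","ip":"198.51.100.7","details":{"request":{"method":"DELETE","path":"/api/v2/roles/rol_xyz","auth":{"user":{"email":"bob@example.com"}}}}}
{"date":"2022-07-20T11:18:55.000Z","type":"fapi","ip":"198.51.100.7","details":{"request":{"method":"PATCH","path":"/api/v2/clients/abc123","auth":{"user":{"email":"bob@example.com"}}}}}
{"date":"2022-07-20T12:00:00.000Z","type":"s","ip":"192.0.2.5","user_name":"carol@example.com","details":{}}
{"date":"2022-07-20T13:30:00.000Z","type":"sapi","ip":"192.0.2.99","details":{"request":{"method":"POST","path":"/api/v2/users","auth":{"user":{"email":"mallory@example.net"}}}}}
"""

# HTTP methods that modify state; GET-only browsing is noted but not flagged.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Management API resource prefixes whose modification changes identities,
# privileges or trust in the tenant. Tune this list to your own risk model.
SENSITIVE_PREFIXES = (
    "/api/v2/users", "/api/v2/roles", "/api/v2/clients",
    "/api/v2/connections", "/api/v2/rules", "/api/v2/actions",
)


def parse_records(text):
    """Parse a newline-delimited JSON export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dashboard_action(rec):
    """Return (actor, method, path, succeeded) for a Management API event, else None.

    Assumption: successful and failed API operations are logged with the
    event types 'sapi' and 'fapi', and the acting dashboard user's email sits
    under details.request.auth.user.email.
    """
    if rec.get("type") not in ("sapi", "fapi"):
        return None
    req = rec.get("details", {}).get("request", {})
    actor = req.get("auth", {}).get("user", {}).get("email", "<unknown>")
    return actor, req.get("method", ""), req.get("path", ""), rec["type"] == "sapi"


def is_sensitive(method, path):
    """A write to a privilege-bearing resource is what an access review cares about."""
    return method in WRITE_METHODS and path.startswith(SENSITIVE_PREFIXES)


def review_dashboard_activity(text, authorized_admins):
    """Summarize dashboard activity: per-actor counts, sensitive writes, unauthorized actors."""
    per_actor = Counter()
    sensitive = []
    unauthorized = set()
    for rec in parse_records(text):
        action = dashboard_action(rec)
        if action is None:          # logins, signups, etc. are not dashboard API calls
            continue
        actor, method, path, ok = action
        per_actor[actor] += 1
        if actor not in authorized_admins:
            unauthorized.add(actor)  # acted via the dashboard without being on the review list
        if is_sensitive(method, path):
            sensitive.append({
                "date": rec.get("date"), "actor": actor, "method": method,
                "path": path, "succeeded": ok, "ip": rec.get("ip"),
            })
    return {"per_actor": dict(per_actor), "sensitive": sensitive, "unauthorized": unauthorized}


if __name__ == "__main__":
    # Hypothetical outcome of the last access review: who may hold dashboard access.
    report = review_dashboard_activity(SAMPLE_LOG, {"alice@example.com", "bob@example.com"})
    print("API calls per dashboard user:", report["per_actor"])
    for item in report["sensitive"]:
        status = "ok" if item["succeeded"] else "FAILED"
        print(f"{item['date']} {item['actor']} {item['method']} {item['path']} [{status}] from {item['ip']}")
    print("Actors outside the authorized list:", sorted(report["unauthorized"]))
```

Failed operations (`fapi`) are kept in the sensitive list on purpose: a dashboard user repeatedly failing to change a client configuration is at least as interesting to a reviewer as one who succeeds. Feeding the same export into this check after each access review gives a concrete record of whether role assignments and actual dashboard activity still agree.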
If you are an Auth0 customer who is looking for security best practices, you may find additional information in these links: