Breached Password Detection
Every day, malicious hackers penetrate websites and applications, exposing thousands of email addresses and passwords. Because users commonly reuse the same password to log in to multiple sites, this is a problem not only for the hacked system but for any application that shares those breached passwords.
Auth0 tracks large security breaches that are happening on major third-party sites to help secure your users and system. By enabling breached password detection, when a trigger occurs, your users can be notified and/or blocked from logging in if we suspect their credentials were part of a published security breach.
Breached password detection also works when logging in using the Resource Owner Password Grant (ROPG) and when using custom databases with your tenants.
When a user receives an email requesting that they change their password immediately, it is because their account could be the victim of a security breach. This may be the result of a compromise by a third-party application that experienced a security breach. The breach may not have happened to this account, but based on available data, the user's credentials may have been released. Since many people reuse passwords, the request to change passwords is a precaution to make sure the user stays protected. Users may also want to change their password at any other sites where they suspect they used a shared password.
You can customize blocked account emails.
Configure breached password detection
When enabled, you can customize breached password detection preferences, including enabling blocking compromised user accounts and enabling or disabling email notifications to administrators and affected users.
Go to Auth0 Dashboard > Security > Attack Protection, and select Breached Password Detection.
Enable the switch at the top of the page.
Under Response, enable the Block compromised user accounts switch to automatically block accounts that try to log in using compromised credentials.
Enable the Send notifications to users with compromised credentials switch to send an email to users when Auth0 detects that they are using compromised credentials.
Select Send notifications to account administrators to choose the notification frequency: Immediately, Daily, Weekly, or Monthly.
You can configure the URL Lifetime and Redirect To values in the Dashboard by going to Auth0 Dashboard > Branding > Email Templates, locating the Template setting, and selecting Change Password.
Verify detection configuration
You can verify the users' login experience when a breached password is detected.
Go through your login flow using the email address email@example.com and password Paaf213XXYYZZ.
Check your tenant log to verify that the login was blocked and that an email was sent and failed to be delivered, which is expected behavior. The email to recipient email@example.com cannot be delivered because example.com is not a valid domain name.
Delete the email@example.com user after you verify that the user was blocked.
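The tenant-log check above can be automated when the log entries are exported as JSON records (the shape the Management API logs endpoint returns). The following is an added example, not Auth0's own code: it assumes the log event type codes pwd_leak (breached password detected), fn (failed sending notification) and s (successful login), and the sample log lines are constructed.

```python
import json
from typing import Iterable

# Auth0 log event type codes this check relies on. Assumption: "pwd_leak"
# marks a login attempt with a breached password, "fn" marks a notification
# email that failed to send, and "s" marks a successful login. Confirm these
# against your tenant's log event reference before relying on them.
BREACHED_PASSWORD_TYPE = "pwd_leak"
FAILED_NOTIFICATION_TYPE = "fn"
SUCCESS_LOGIN_TYPE = "s"

# Constructed sample of tenant log entries, one JSON object per line,
# with only the fields this check needs.
SAMPLE_LOG_LINES = """
{"type": "s", "date": "2024-05-01T10:00:00.000Z", "user_name": "alice@corp.example", "ip": "203.0.113.7"}
{"type": "pwd_leak", "date": "2024-05-01T10:01:00.000Z", "user_name": "email@example.com", "ip": "203.0.113.7", "description": "Breached password"}
{"type": "fn", "date": "2024-05-01T10:01:01.000Z", "user_name": "email@example.com", "description": "Failed Sending Notification"}
""".strip()


def parse_log_lines(lines: Iterable[str]) -> list[dict]:
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def verify_breached_password_test(entries: list[dict], test_user: str) -> dict:
    """Report whether the test user's login was detected as breached and blocked
    (detection event present, no successful login) and whether the notification
    email failed to deliver, which is the expected outcome for an example.com
    address."""
    user_entries = [e for e in entries if e.get("user_name") == test_user]
    types = {e.get("type") for e in user_entries}
    detected = BREACHED_PASSWORD_TYPE in types
    blocked = detected and SUCCESS_LOGIN_TYPE not in types
    notify_failed = FAILED_NOTIFICATION_TYPE in types
    return {
        "test_user": test_user,
        "breached_password_detected": detected,
        "login_blocked": blocked,
        "notification_failed_as_expected": notify_failed,
        "passed": blocked and notify_failed,
    }


if __name__ == "__main__":
    entries = parse_log_lines(SAMPLE_LOG_LINES.splitlines())
    print(json.dumps(verify_breached_password_test(entries, "email@example.com"), indent=2))
```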
Restrictions and limitations
The following use cases are not supported:
Using the Resource Owner Password Grant from the backend of the application: this call does not supply the IP address of the user.
Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach the configured limits and trigger breached password detection. To avoid triggering detection erroneously, configure an AllowList for the proxy's IP address and CIDR range.