Breached Password Detection

Breached password detection protects your applications from bad actors signing up or logging in with stolen credentials. Auth0 can both notify users and block at-risk accounts.

Auth0 tracks large security breaches that occur on major third-party sites. If Auth0 identifies that any of your users’ credentials were part of a breach, the breached password detection security feature triggers. In response, Auth0 can:

  • Block new users from signing up with stolen credentials. Entirely blocks the username/password combination.

  • Block anyone from logging in with stolen credentials. Entirely blocks the account and prevents bad actors from accessing your application. The user can’t log in until they change their password. 

  • Send an email to the user when a login attempt happens. The email informs users about the risk and instructs them to change their password immediately. You can customize the message sent to users. To learn more, read Customize Blocked Account Emails.

Detect breaches faster with Credential Guard

Breached password detection relies on breach data released to the public. Credential Guard is an additional Auth0 service you can add to breached password detection; it screens for breaches before the data is published, allowing faster notification of compromised credentials.

|                        | Breached Password Protection                                                              | Credential Guard                                                                                                       |
|------------------------|-------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
| Plans included         | B2B / B2C Professional and Enterprise                                                     | Part of Attack Protection add-on in Enterprise plan                                                                    |
| Data collection method | Web scanners and scrapers search for user credentials in published security breaches      | Dedicated security team infiltrates criminal communities and gains access to breach data that isn’t otherwise available |
| Typical detection time | Up to 7-13 months                                                                         | 12-36 hours                                                                                                            |
| Coverage               | English only                                                                              | 200+ countries and territories                                                                                         |

To add Credential Guard to your Auth0 agreement, contact us.

Configure breached password detection

When enabled, you can customize breached password detection preferences, such as the detection method, response scenarios, and notifications.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

    [Screenshot: the toggle for turning on breached password detection in Auth0]

  2. To turn on breached password detection, enable the switch at the top-right corner of the page.

    [Screenshot: configuring breached password detection in Auth0]

Configure detection method

Based on features available with your plan, you can configure the detection method used to identify compromised credentials.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

  2. In the Detection section, locate Breached Password Detection Method.

  3. If your agreement with Auth0 includes Credential Guard, select As soon as possible based on data received from the dark web, with Credential Guard.

  4. Otherwise, leave When breach data is published selected.

  5. Select Save to apply changes.

    [Screenshot: Dashboard > Security > Attack Protection > Breached Password > Detection]

Configure response scenarios

You can configure how Auth0 responds to different scenarios when users may provide compromised credentials.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

  2. Locate the Response section.

    [Screenshot: Dashboard > Security > Attack Protection > Breached Password > Response]

  3. Enable the Block compromised credentials for new accounts toggle to block users from using compromised credentials during signup.

  4. Enable the Block compromised user accounts toggle to block users from using compromised credentials during login.

Configure notifications

You can configure how Auth0 notifies users and admins about the use of compromised credentials.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

  2. Locate the Notifications section.

  3. Enable the Send notifications to users with compromised credentials toggle to send an email to a user when Auth0 detects their credentials may have been compromised.

  4. Enable the Compromised user accounts toggle to send an email to administrators when a user signs up with compromised credentials.

  5. Enable the Compromised user accounts toggle to send an email to administrators when a user logs in with compromised credentials.

  6. Choose the notification frequency: Immediately, Daily, Weekly, or Monthly.

  7. Select Save.

Customize email notifications to users

You can configure the notification Auth0 sends to your users when compromised credentials are used for login.

  1. Navigate to Dashboard > Branding > Email Templates.

  2. In the Template dropdown menu, select Password Breach Alert.

  3. Update the template accordingly. You can use any of the available common variables to customize the message.

Verify detection configuration

You can verify your configuration by testing signup and login flows with an Auth0-provided breached password.

Signup flow

Verify a user’s signup experience when Auth0 detects a breached password:

  1. Go through your signup flow and try to register a new account with a test breached password (Paaf213XXYYZZ or Paat739!!WWXXYYZZ) or any password starting with AUTH0-TEST-.

  2. If Block compromised credentials for new accounts is enabled, you will receive an error message, preventing you from using the breached password.

  3. Navigate to Dashboard > Monitoring > Logs.

  4. Search the logs for type: "signup_pwd_leak" to verify Auth0 blocked the signup.

Login flow

Verify a user's login experience when Auth0 detects a breached password:

  1. Create a test user in Dashboard > User Management > User, and assign a test breached password (Paaf213XXYYZZ or Paat739!!WWXXYYZZ) or any password starting with AUTH0-TEST-.

  2. Go through your login flow and submit the identifier and password that you assigned.

  3. If Block compromised user accounts is enabled, the user will receive an error message, preventing them from logging in and advising them to reset their password.

  4. Navigate to Dashboard > Monitoring > Logs.

  5. Search the logs for type: "pwd_leak" to verify Auth0 blocked the login.

  6. Navigate to Dashboard > User Management > User to delete the test user.
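Instead of searching the dashboard by hand after each test, you can triage an exported log file for the two event types named in the signup and login flows above. This is an added example, not Auth0's code; the sample records are constructed, and the field names (type, date, user_name, connection, ip) are assumed to follow the shape of exported Auth0 log events.

```python
import json
from collections import Counter, defaultdict

# Auth0 log event types this page tells you to search for after a test run.
BREACH_EVENT_TYPES = {
    "signup_pwd_leak": "signup blocked: compromised credentials",
    "pwd_leak": "login blocked: compromised credentials",
}

# Constructed sample records (not real Auth0 output). Field names assume the
# shape of exported Auth0 log events; "s" is a successful login and is ignored.
SAMPLE_LOG_LINES = [
    '{"type":"signup_pwd_leak","date":"2024-05-01T10:00:00.000Z","user_name":"alice@example.test","connection":"Username-Password-Authentication","ip":"203.0.113.5"}',
    '{"type":"pwd_leak","date":"2024-05-01T10:05:00.000Z","user_name":"bob@example.test","connection":"Username-Password-Authentication","ip":"203.0.113.9"}',
    '{"type":"s","date":"2024-05-01T10:06:00.000Z","user_name":"carol@example.test","connection":"Username-Password-Authentication","ip":"203.0.113.7"}',
    '{"type":"pwd_leak","date":"2024-05-02T08:30:00.000Z","user_name":"bob@example.test","connection":"Username-Password-Authentication","ip":"198.51.100.2"}',
    'not json at all',
]

def parse_events(lines):
    """Parse a JSON-per-line export, skipping lines that are not JSON objects with a type."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "type" in obj:
            events.append(obj)
    return events

def triage_breach_events(lines):
    """Count breach events per type and list the users each shield acted on."""
    by_type = Counter()
    users = defaultdict(set)  # event type -> affected user names
    for ev in parse_events(lines):
        t = ev.get("type")
        if t in BREACH_EVENT_TYPES:
            by_type[t] += 1
            users[t].add(ev.get("user_name", "<unknown>"))
    # A user whose login was blocked cannot sign in again until the password is changed,
    # so this list is the follow-up queue for password resets.
    return {"counts": dict(by_type),
            "needs_reset": sorted(users["pwd_leak"]),
            "blocked_signups": sorted(users["signup_pwd_leak"])}

if __name__ == "__main__":
    result = triage_breach_events(SAMPLE_LOG_LINES)
    for t, n in result["counts"].items():
        print(f"{t}: {n} ({BREACH_EVENT_TYPES[t]})")
    print("users to reset:", result["needs_reset"])
```

Point it at the JSON lines produced by a log export (or a log stream) to confirm that each test signup and login produced the expected event before you delete the test user.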

Learn more