We've built state-of-the-art security into our product, so you can take advantage of cutting-edge features designed to make protecting your users and business worry-free. But features aren't enough. We go above and beyond best practices in our security program, so you can rely on us to help you keep the bad guys out and simplify letting the good guys in. Need proof? Check out our list of certifications and compliance capabilities.
Auth0 helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text - they are always hashed (and salted) securely using bcrypt. Data at rest and data in motion are both encrypted - all network communication uses TLS with at least 128-bit AES encryption. Connections use TLS v1.2, are encrypted and authenticated with AES_128_GCM, and use ECDHE_RSA for key exchange. Qualys' SSL Labs scored Auth0's SSL implementation as "A+" on their SSL Server Test.
With Auth0 you can enforce five levels of password complexity, as well as custom rules implementing OWASP recommendations and more.
Auth0 services are architected with high availability and resilience in mind. Auth0 applications have built-in rate limiting and automated blocking features to mitigate advanced denial-of-service and authentication attacks. Our network infrastructure is protected against volumetric attacks by our cloud providers, in addition to a dedicated DDoS mitigation service.
Auth0 takes advantage of the industry's most sophisticated, battle-tested infrastructure. We run on hardened Linux hosts with automatic security patching, carefully configured security groups, segmented VPCs, and role-based access controls, combined with many other advanced protections built into the cloud infrastructure.
Auth0 safeguards your users with default email verification at account creation time and during password resets.
From the start, Auth0 has been built on tested, verified identity standards, including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs) - all of the most common and popular identity standards. Auth0 participates in standards organizations like the OpenID Foundation. We make it easy to leverage these powerful standards to shield your own applications and APIs.
It isn't enough to integrate security features into the product itself. Auth0 runs its business using the most up-to-date and effective security procedures, including:
Why are we so dedicated to leaving no stone unturned in protecting our customers? It's in our DNA. Auth0 was founded and built by some of the foremost security and identity experts in the world - Matias Woloski, Eugenio Pace, and Jared Hanson. Matias and Eugenio have implemented federated identity projects for Fortune 500 companies, and are published authors. Jared is the author of the most popular authentication framework for Node.js: passport.js.
Auth0's Director of Security, Eugene Kogan, holds multiple certifications (CISSP, CEH) and has nearly two decades in the field. He previously worked on infrastructure security and analysis for organizations such as AT&T, Amazon.com, and the US Department of Defense. Auth0's engineering team is selected and hired based on demonstrating a deep knowledge of identity and information security principles. No wonder we're so committed to our customers' security!