Auth0 Security & Privacy
We've built state-of-the-art security into our product, so you can take advantage of cutting-edge features designed to make protecting your users and business worry-free. But features aren't enough. We go above and beyond best practices in our security program, so you can rely on us to help you keep the bad guys out and simplify letting the good guys in. Need proof? Check out our list of certifications and compliance capabilities.
Trust, Front and Center
Encryption, Password Hashing
Auth0 helps you prevent critical identity data from falling into the wrong hands. We never store passwords in clear text: they are always salted and hashed with bcrypt. Data is encrypted both at rest and in transit. All network communication uses TLS 1.2 with AES encryption of at least 128 bits; connections are encrypted and authenticated with AES_128_GCM and use ECDHE_RSA for key exchange, so session keys are ephemeral and a compromised server key does not expose recorded traffic. Qualys' SSL Labs SSL Server Test rates Auth0's TLS deployment "A+".
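As an added example (not Auth0's own code or configuration), the Python below builds a client-side TLS context that enforces the properties described above: TLS 1.2 as the floor, ECDHE key exchange for forward secrecy, and AES-GCM as the authenticated cipher. The cipher string and the audit function are my assumptions about how to express that policy with the standard `ssl` module; the audit inspects the suites the context would actually offer rather than trusting the configuration string, which is the check a reviewer would want.

```python
"""Added example: a TLS client context that enforces TLS >= 1.2 with ECDHE key
exchange and AES-GCM, then audits what the linked OpenSSL actually offers.
Illustrative code for this page, not Auth0's configuration."""
import ssl

# Policy string (assumption): forward-secret ECDHE suites with AES-GCM only.
# '!aNULL' / '!eNULL' make the exclusion of unauthenticated and unencrypted
# suites explicit even though 'ECDHE+AESGCM' would not match them anyway.
HARDENED_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL"


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the properties the page describes: TLS 1.2 minimum,
    certificate and hostname verification, no TLS compression, ECDHE + AES-GCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse TLS 1.0 / 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # closes the CRIME class of attacks
    ctx.set_ciphers(HARDENED_CIPHERS)               # governs the TLS 1.2 suite list
    ctx.load_default_certs()                        # system trust store
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """Counter-example: everything OpenSSL's 'ALL' alias permits, so the audit
    has something to report (static-RSA key exchange, CBC suites, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def audit_tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of pre-TLS-1.3 suites the context would offer that lack either
    ECDHE key exchange or AES-GCM. TLS 1.3 suites are (EC)DHE + AEAD by
    construction and are not controlled by set_ciphers(), so they are skipped."""
    offending = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        if "ECDHE" not in name or "GCM" not in name:
            offending.append(name)
    return offending


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Enum name of the context's protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        bad = audit_tls12_suites(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites offered, "
              f"{len(bad)} violate the ECDHE+AES-GCM policy")
        for name in bad[:5]:
            print("   ", name)
```

Run against a live endpoint by wrapping a socket with `hardened_client_context().wrap_socket(sock, server_hostname=host)`; a server that only supports static-RSA key exchange or TLS 1.0 will fail the handshake rather than silently negotiating down.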
With Auth0 you can enforce five levels of password complexity, as well as custom rules implementing OWASP recommendations and more.
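As an added example (not Auth0's code, and not its exact policy definitions), the Python below implements a five-tier password policy of the kind described above, with two checks applied at every tier that OWASP recommends: rejecting passwords found on a common or breached-password list, and rejecting passwords that embed the user's own identifiers. The tier thresholds, rule names and the small sample denylist are assumptions for illustration.

```python
"""Added example: a tiered password policy with OWASP-style cross-tier checks.
Tier definitions are illustrative assumptions, not Auth0's exact settings."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample denylist; production systems screen against a large
# breached-password corpus rather than a handful of words.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678",
                    "qwerty", "letmein", "welcome1"}

# Character classes counted towards complexity: lower, upper, digit, symbol.
CLASS_PATTERNS = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


@dataclass(frozen=True)
class Tier:
    min_length: int
    min_classes: int          # how many of the four classes must appear
    max_run: Optional[int]    # longest allowed run of one repeated character


# Five tiers, weakest to strongest (assumed values, chosen to be monotonic).
TIERS = {
    "none":      Tier(min_length=1,  min_classes=0, max_run=None),
    "low":       Tier(min_length=6,  min_classes=0, max_run=None),
    "fair":      Tier(min_length=8,  min_classes=2, max_run=None),
    "good":      Tier(min_length=8,  min_classes=3, max_run=None),
    "excellent": Tier(min_length=10, min_classes=3, max_run=2),
}
TIER_ORDER = ["none", "low", "fair", "good", "excellent"]


def _identifier_tokens(user_fields: Iterable[str]) -> set:
    """Split username/email fields into lowercase tokens of 4+ characters, so
    'alice@example.com' forbids 'alice' and 'example' inside the password."""
    tokens = set()
    for field in user_fields:
        for tok in re.split(r"[^a-z0-9]+", field.lower()):
            if len(tok) >= 4:
                tokens.add(tok)
    return tokens


def check_password(password: str, tier: str, user_fields: Iterable[str] = ()) -> List[str]:
    """Return the violated rules (empty list = acceptable at this tier).
    The common-password and user-identifier rules apply at every tier."""
    rule = TIERS[tier]
    lowered = password.lower()
    problems = []
    if len(password) < rule.min_length:
        problems.append("too_short")
    if sum(1 for p in CLASS_PATTERNS if p.search(password)) < rule.min_classes:
        problems.append("too_few_classes")
    # (.)\1{N,} matches a character followed by N or more copies of itself,
    # i.e. a run longer than max_run.
    if rule.max_run is not None and re.search(r"(.)\1{%d,}" % rule.max_run, password):
        problems.append("repeated_characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("common_password")
    if any(tok in lowered for tok in _identifier_tokens(user_fields)):
        problems.append("contains_user_identifier")
    return problems


def strongest_tier_passed(password: str, user_fields: Iterable[str] = ()) -> Optional[str]:
    """Highest tier the password satisfies, or None if it fails even 'none'
    (empty, or on the denylist). Suitable for driving a strength meter."""
    best = None
    for name in TIER_ORDER:
        if check_password(password, name, user_fields):
            break  # tiers are strictly monotonic, so the first failure is final
        best = name
    return best


if __name__ == "__main__":
    for pw, fields in (("Tr0ub4dor&3", ()), ("aaaaaaaaaaA1", ()),
                       ("Alice2024!!", ("alice@example.com",)), ("password", ())):
        print(f"{pw!r}: strongest tier = {strongest_tier_passed(pw, fields)}, "
              f"excellent -> {check_password(pw, 'excellent', fields) or 'ok'}")
```

The repeated-character and identifier rules are where naive "three of four classes" policies usually fall down: `aaaaaaaaaaA1` satisfies three classes and twelve characters yet is rejected at the top tier, and `Alice2024!!` is rejected for any user whose email is alice@example.com regardless of tier.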
Attack Prevention, Mitigation
Auth0 services are architected for high availability and resilience. Auth0 has built-in rate limiting and automated blocking to mitigate denial-of-service attacks and authentication attacks such as brute-force login attempts. Our network infrastructure is protected against volumetric attacks by our cloud providers and by a dedicated DDoS mitigation service.
Auth0 takes advantage of the industry's most sophisticated, battle-tested infrastructure. We run on hardened Linux hosts with automatic security patching, carefully configured security groups, segmented VPCs, and role-based access controls, combined with many other protections built into the cloud infrastructure.
Auth0 safeguards your users with default email verification at account creation time and during password resets.
From the start, Auth0 has been built on tested, widely adopted identity standards: LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs). Auth0 participates in standards organizations such as the OpenID Foundation, and we make it easy to use these standards to protect your own applications and APIs.
Compliance and Certifications
Practice What We Preach
It isn't enough to integrate security features into the product itself. Auth0 runs its business using the most up-to-date and effective security procedures, including:
- Thoroughly documented policies and procedures that meet SOC 2 requirements.
- Regular, in-depth security training for all employees.
- Background checks and confidentiality agreements for all employees who access Auth0 systems or who might come into contact with customer data.
- SSO to all internal systems using a single Auth0-managed identity, with mandatory MFA for that identity. Auth0 avoids, wherever possible, systems that authenticate with a password alone.
- Mandatory full-disk encryption for all employee laptops and development systems.
- Formal change control and configuration management following the most stringent and up-to-date secure operational practices - version controlled, traceable, and audited.
- Independent penetration testing and code audits several times per year, bringing real-world expertise and insight to bear in validating the security of Auth0's implementations and procedures.
- A well-regarded white hat security reporting program with rewards and recognition for reported vulnerabilities. Contact Auth0's security team directly at email@example.com.
- Comprehensive logging, auditing, and intrusion detection for both product and infrastructure events, machine learning analytics for anomaly detection, and automated tools running around the clock and around the world - all backed by the sharp eyes of our security and DevOps teams.
- Watching private security mailing lists and alerting systems for threat intelligence - quickly responding to and mitigating potential security issues for our infrastructure and customers, and actively participating in the security research community.
- An incident response plan to handle those worst-case scenarios - intrusions and security breaches, DDoS attacks, or any other issue. Auth0 can call upon advanced forensics specialists to help put a lid on the damage and safeguard our customers, should something slip through Auth0's defenses.
A Team of Specialists
Why are we so dedicated to leaving no stone unturned in protecting our customers? It's in our DNA. Auth0 was founded and built by some of the foremost security and identity experts in the world - Matias Woloski, Eugenio Pace, and Jared Hanson. Matias and Eugenio have implemented federated identity projects for Fortune 500 companies, and are published authors. Jared is the author of the most popular authentication framework for Node.js: passport.js.
Auth0's Head of Security, Eugene Kogan, holds multiple certifications (CISSP, CEH) and has nearly two decades in the field. He previously worked on infrastructure security and analysis for organizations such as AT&T, Amazon.com, and the US Department of Defense. Auth0's engineering team is selected and hired based on demonstrating a deep knowledge of identity and information security principles. No wonder we're so committed to our customers' security!