Auth0 Security & Privacy
We've built state-of-the-art security into our product, to protect your business and your users.
Trust, Front and Center
Encryption, Password Hashing
Auth0 helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text - they are always hashed (and salted) securely using bcrypt. Both data at rest and in motion are encrypted - all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, encrypted and authenticated with AES_128_GCM, with ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored Auth0's SSL implementation as "A+" on their SSL Server test.
With Auth0 you can enforce five levels of password complexity, as well as custom rules implementing OWASP recommendations and more.
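The two controls above (salted password hashing and tiered password-complexity policies) can be illustrated together. The following is an added example, not Auth0's own code: the policy level names and thresholds are assumptions chosen for illustration, and because bcrypt is not in the Python standard library the hashing uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in to show the same salt-hash-verify pattern the page describes.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Character classes used to measure password variety.
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Illustrative five-level policy ladder (assumed values, not Auth0's configuration).
# min_classes counts how many of the four classes above must appear;
# max_run caps how many identical characters may appear consecutively.
POLICY_LEVELS = {
    "none":      {"min_length": 1,  "min_classes": 0, "max_run": None},
    "low":       {"min_length": 6,  "min_classes": 0, "max_run": None},
    "fair":      {"min_length": 8,  "min_classes": 2, "max_run": None},
    "good":      {"min_length": 8,  "min_classes": 3, "max_run": None},
    "excellent": {"min_length": 10, "min_classes": 3, "max_run": 2},
}


def check_password(password: str, level: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    policy = POLICY_LEVELS[level]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    present = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(present) < policy["min_classes"]:
        problems.append(
            f"uses {len(present)} of 4 character classes, needs {policy['min_classes']}"
        )
    max_run = policy["max_run"]
    if max_run is not None:
        # A run longer than max_run means the same character repeated max_run+1 times or more.
        run = re.search(r"(.)\1{%d,}" % max_run, password)
        if run:
            problems.append(f"repeats '{run.group(1)}' more than {max_run} times in a row")
    return problems


# Work factor for the PBKDF2 stand-in (bcrypt expresses this as a cost parameter instead).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random 16-byte salt; the salt and parameters are stored alongside
    the digest so verification can recompute the same derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations, salt, expected = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    for candidate in ("password", "aaaaaaaaaa", "Tr0ub4dor&3"):  # constructed sample inputs
        print(candidate, "->", check_password(candidate, "excellent") or "ok")
    record = hash_password("Tr0ub4dor&3")
    print("stored:", record)
    print("verify correct:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong:  ", verify_password("Tr0ub4d0r&3", record))
```

Two properties are worth noting: hashing the same password twice yields different records because each call draws a new salt, and the verifier compares digests with `hmac.compare_digest` rather than `==` so that timing does not leak how many leading bytes matched.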
Attack Prevention, Mitigation
Auth0 services are architected with high-availability and resilience in mind. Auth0 applications have built-in rate limiting and automated blocking features to mitigate advanced denial of service or authentication attacks. Our network infrastructure is protected against volumetric attacks by our cloud providers, in addition to a dedicated DDoS mitigation service.
Auth0 takes advantage of the industry's most sophisticated, battle-tested infrastructure. We run on hardened Linux hosts with automatic security patching, carefully-configured security groups, segmented VPCs, and role-based access controls, combined with many other advanced protections built into the cloud infrastructure.
Auth0 safeguards your users with default email verification at account creation time and during password resets.
From the start, Auth0 has been built on tested, verified identity standards, including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs) - all of the common and most popular identity standards. Auth0 participates in standards organizations like the OpenID Foundation. We make it easy to leverage these powerful standards to shield your own applications and APIs.
As a company, Auth0 complies with the General Data Protection Regulation (GDPR). We take customer data privacy seriously, ensuring that:
- Personal data is properly collected, stored, and documented.
- Any usage of personal data is communicated with the proper consent.
- All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security and compliance.
- Relevant processes are followed for transfers of personal data outside the European Union.
Compliance and Certifications
Practice What We Preach
It isn't enough to integrate security features into the product itself. Auth0 runs its business using the most up-to-date and effective security procedures, including:
- Thoroughly documented policies and procedures - complying with SOC2 certification requirements.
- Regular, in-depth security training for all employees.
- Background checks and confidentiality agreements for all employees who access Auth0 systems or who might come into contact with customer data.
- SSO to all systems using a single Auth0 verified identity, with mandatory MFA for this identity. Auth0 does everything it can to avoid systems that authenticate using only passwords without MFA.
- Mandatory full-disk encryption for all employee laptops and development systems.
- Formal change control and configuration management following the most stringent and up-to-date secure operational practices - version controlled, traceable, and audited.
- Independent penetration testing and code audits several times per year, bringing real-world expertise and insight to bear in validating the security of Auth0's implementations and procedures.
- A well-regarded white hat security reporting program with rewards and recognition for reported vulnerabilities. Contact Auth0's security team directly at firstname.lastname@example.org.
- Comprehensive logging, auditing, and intrusion detection for both product and infrastructure events, machine learning analytics for anomaly detection, and automated tools running around the clock and around the world - all backed by the sharp eyes of our security and DevOps teams.
- Watching private security mailing lists and alerting systems for threat intelligence - quickly responding to and mitigating potential security issues for our infrastructure and customers, and actively participating in the security research community.
- An incident response plan to handle those worst-case scenarios - intrusions and security breaches, DDoS attacks, or any other issue. Auth0 can call upon advanced forensics specialists to help put a lid on the damage and safeguard our customers, should something slip through Auth0's defenses.
A Team of Specialists
Why are we so dedicated to leaving no stone unturned in protecting our customers? It's in our DNA. Auth0 was founded and built by some of the foremost security and identity experts in the world - Matias Woloski, Eugenio Pace, and Jared Hanson. Matias and Eugenio have implemented federated identity projects for Fortune 500 companies, and are published authors. Jared is the author of the most popular authentication framework for Node.js: passport.js.
Auth0's CISO, Joan Delilah Pepin, brings 20 years of experience to the role. Her career has spanned a wide variety of industries, including healthcare, manufacturing, defense, ISPs, MSSPs, and SaaS/PaaS. Her experience covers the technical, operational, and management aspects of security, allowing her to bring highly technical security research expertise to her current interests in security policy management, strategy, and thought leadership. She is an expert and thought leader in cloud security and compliance in large-scale and DevOps/CI environments.