Protect Auth0 identities from insider threats, credential stuffing, & more

Auth0, part of Okta, provides a platform for authentication and authorization. Auth0 can act as its own cloud-based user directory that SaaS developers can use to store and manage user profiles, authentication information, and multi-factor configuration. With Auth0 as an identity store, developers can avoid the complexity of building and maintaining a user management system and rely on Auth0 to securely store and manage customer information.

As with many PaaS providers, they provide APIs describing user information, platform configuration, and much more. This post will look at how Steampipe can help you improve your product’s security when using Auth0.

Product Security concerns with Auth0

When leveraging Auth0 as a part of the login and access control components of your product, there are several things you need to consider:

1. Login Security - implementing appropriate password policies for length, complexity, and rotation, along with support for a second authentication factor.
2. Role-based access control - Implement RBAC to restrict access to sensitive resources based on the user's role and permissions.
3. Logging and monitoring - Implement mechanisms to track and respond to security incidents and identify potential security threats.

One critical aspect of building any web application is managing the users with privileged access inside the site. In July 2020, several high-profile Twitter accounts, including those of politicians, celebrities, and companies, were compromised and used to promote a cryptocurrency scam. The hackers accessed the Twitter accounts by compromising Twitter’s internal administrative tools.

Another critical product security concern with any authentication system is credential stuffing and spraying. Credential stuffing means that an attacker uses a list of stolen username and password combinations from an unrelated data breach against a target site. The attacker usually automates the process of submitting the username and password combinations. This can be done on a large scale, with the attacker quickly trying thousands or millions of username and password combinations.

If the attacker successfully finds a valid username and password combination, they can gain unauthorized access or sell the credentials on Dark Web marketplaces.

Credential stuffing attacks are made possible by users who use the same password across multiple sites. To protect against credential stuffing attacks, organizations should monitor their systems for suspicious login activity and rate-limit login attempts to prevent large-scale automated attacks. Organizations should also regularly monitor for data breaches that could lead to the theft of login credentials.

Leverage Steampipe to improve your Auth0 product security

Steampipe with the Auth0 Plugin can help monitor your Auth0 security in many ways.

Who are my privileged Auth0 users, and do they have multi-factor authentication?

As we saw in the Twitter hack in 2020, compromising the account of a privileged insider is often an attacker’s objective. It’s critical to know who your privileged users are and to audit that list regularly. This query returns a list of all the users with the role admin in your application:

select
  email,
  id,
  updated_at
from
  auth0_user,
  jsonb_array_elements(roles) r
where
  r->> 'name' = 'admin'

We can take that one step further and query the users with the admin role who do not have a second factor of authentication enabled:

select
  name,
  updated_at,
  last_login
from
  auth0_user,
  jsonb_array_elements(roles) r
where
  r->> 'name' = 'admin' and
  multifactor is null;

+------------------+---------------------------+---------------------------+
| name             | updated_at                | last_login                |
+------------------+---------------------------+---------------------------+
| Jared Dunn       | 2023-01-30T18:30:16-05:00 | 2023-01-30T18:28:41-05:00 |
| Bertram Gilfoyle | 2023-01-25T17:10:42-05:00 | 2023-01-25T17:10:42-05:00 |
| Monica Hall      | 2023-01-10T16:31:22-05:00 | 2023-01-10T16:31:22-05:00 |
+------------------+---------------------------+---------------------------+

Notifying these users that they must enable MFA should be a top priority for your organization. You should ensure that the privileged users in your application or product are limited to people with legitimate business needs. If there are many admin users, that probably means you should re-think your product's role-based-access-control (RBAC) strategy.

Which Auth0 users are currently blocked or otherwise unable to log in?

Blocked users can turn into expensive support calls that make for an unpleasant customer experience. Steampipe provides a clean way to list the users that have been blocked from logging in by Auth0’s fraud detection mechanisms.

select
  email
from
  auth0_user
where
  blocked is True
+----------------------+
| email                |
+----------------------+
| erci@fooli.media     |
| gavin@fooli.media    |
+----------------------+

Auth0 is a platform that only a few key staff should access. Use Steampipe Cloud’s scheduled snapshots to provide your customer support team with an up-to-date list of blocked users without giving customer support access to the Auth0 platform.

Where are Auth0 users allowed to log in from?

While often easy to circumvent, there may be good business reasons to restrict access from specific locations. There may be content rights limitations, or you may lack regulatory compliance to operate in a jurisdiction, or you may simply need to adhere to ITAR regulations. This query allows you to see the locations users are allowed to login from:

select
  l as enabled_locales
from
  auth0_tenant_settings t,
  jsonb_array_elements(t.enabled_locales) l;

For how long has the current Auth0 signing key been available?

Credential rotation is a typical compliance requirement. This query will tell you how long your signing key has been active and when you will need to schedule its rotation:

select
  current_date - current_since as current_for
from
  auth0_signing_key
where
  current;
+------------------+
| current_for      |
+------------------+
| 14 days 05:19:37 |
+------------------+

Since Auth0 signing keys have expiration dates, knowing when they will expire is crucial to ensuring your customers can log in to your product.

If you want to see how long sessions are valid, you could run this query:

select
  session_lifetime,
  idle_session_lifetime
from
  auth0_tenant_settings;
+--------------------+-----------------------+
| session_lifetime   | idle_session_lifetime |
+--------------------+-----------------------+
| 166.66666666666666 | 71.66666666666667     |
+--------------------+-----------------------+

(As an aside, the web console displays the timeouts in minutes, but the API returns hours). You should define session durations based on the risk of the application and the target audience of the application. A highly sensitive application with technical users should enforce shorter session expirations than a low-risk application used by non-technical users.

Understand the risk to your Auth0 users with Have I Been Pwned

You can also use Steampipe to check if your users have been involved in a data breach. Steampipe has a plugin for Troy Hunt’s Have I Been Pwned, is a website that enables individuals to check if their personal data has been compromised in a breach. The website collects data breaches from various sources and enables users to search their email addresses to see if a breach has impacted them.

A word of caution - make sure that your security, legal, and communications teams are aligned before running this query. Notifying users they are part of a data breach unrelated to your company or product requires careful consideration and clear communication. Even knowing that some users are part of a data breach could violate your company’s privacy standards or legal regulations in your country.

To join the Auth0 users table with the Have I Been Pwned data, run this query:

with my_users as (
  select email from
    auth0_user
    where email is not Null
)
select
  my_users.email,
  title,
  breach_date
from
  hibp_breached_account, my_users
where
 account = my_users.email;
+------------------------+---------------------------+---------------------------+
| email                  | title                     | breach_date               |
+------------------------+---------------------------+---------------------------+
| eric@fooli.media       | Dropbox                   | 2012-06-30T20:00:00-04:00 |
| gavin@fooli.media      | LinkedIn                  | 2012-05-04T20:00:00-04:00 |
| eric@fooli.media       | DriveSure                 | 2020-12-18T19:00:00-05:00 |
| richard@fooli.media    | Bitly                     | 2014-05-07T20:00:00-04:00 |
| richard@fooli.media    | Gravatar                  | 2020-10-02T20:00:00-04:00 |
| eric@fooli.media       | Zynga                     | 2019-08-31T20:00:00-04:00 |
| jared@fooli.media      | Evite                     | 2013-08-10T20:00:00-04:00 |
| jared@fooli.media      | You've Been Scraped       | 2018-10-04T20:00:00-04:00 |
| dinesh@fooli.media     | LinkedIn Scraped Data     | 2021-04-07T20:00:00-04:00 |
| dinesh@fooli.media     | Apollo                    | 2018-07-22T20:00:00-04:00 |
+------------------------+---------------------------+---------------------------+

Since HaveIBeenPwnd doesn’t allow you to know if your site uses the password in their database, there isn’t much you can proactively do with this information other than very carefully warning your users if they appear in the above results.

Conclusion

We've shown how Steampipe can help you improve your product’s security when using Auth0. Still, everyone's situation is unique, and you may find other solutions and ways to improve things. If so, please let us know: we love to learn from our community!