Auth0 Ltd.

Auth0 Identity Platform

Auth0 Identity Platform is a cloud-based identity management service that helps organizations that rely on applications by providing a secure cloud-based identity platform to better understand, efficiently manage and intelligently engage their users. Auth0 provides an easy way to implement the most complex identity solutions across any technology stack or platform.

Features

  • Adaptive context-aware security
  • User Analytics & Progressive Profiling
  • API authorization for user, machine authentication and third-party authorization
  • Centralized management dashboard for easy access & better control
  • Delegated Administration for granular and role-based control
  • Extensibility - For customizing, extending existing capabilities of the platform
  • Single Sign On integrations for popular and custom applications
  • Identity Providers integration to different data sources
  • Lock widget - easily embeddable login box for all apps
  • Delegation - Enables organizations to streamline their user identity flow

Benefits

  • Ease of deployment, integration across any technology stack, environment
  • Variety of flexible deployment (public cloud, private cloud) options
  • Speeds development, reduces risk by moving identity complexity to cloud
  • Configuration is as easy as flipping switches
  • Multiplatform Application Support for seamless experience across platforms
  • Improved user efficiency, collaboration, better conversion and revenue
  • Integrates seamlessly with existing investments and workflows
  • On-demand enterprise scalability for unpredictable/predictable user traffic
  • High availability, resiliency for services
  • Adherence to popular identity, security compliance standards and certifications

Pricing

£0.25 to £3.75 per user per month

Service documents

Framework

G-Cloud 11

Service ID

856143373607014

Contact

Auth0 Ltd.

Donna Joyce

07795841818

donna.joyce@auth0.com

Service scope

Software add-on or extension Yes
What software services is the service an extension to Auth0 Identity can be integrated into any application (custom-built or third-party) that requires user identity management.
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints None
System requirements
  • The following system requirements apply to Private cloud deployment only
  • Minimum 3 virtual machines (AWS) for HA
  • 8 GB RAM minimum
  • 2 vCPU minimum
  • 250 GB storage (3 separate disks of 50/100/100 GB)
  • SSL certificates, email provider / SMTP server

User support

Email or online ticketing support Email or online ticketing
Support response times https://auth0.com/docs/support#defect-resolution-procedures
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Four support levels are offered:
1. Free Support - no charge, part of the Free plan. No dedicated account manager/engineer
2. Standard Support - part of the Developer and Developer Pro plans. No dedicated account manager/engineer
3. Enterprise Support - part of the Enterprise plan. Includes a dedicated customer success engineer
4. Premier Support - add-on to the Enterprise plan. Includes a dedicated success manager
Support available to third parties No

Onboarding and offboarding

Getting started 1. User documentation
2. Onboarding tutorials
3. Blog posts
4. Educational video content - Auth0 University
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Users can export their user data if they use the Auth0 database to store user information instead of their own database.

More details: https://auth0.com/docs/tutorials/removing-auth0-exporting-data
End-of-contract process At the end of the contract the plan is automatically converted to the Free plan, with limited features and support.

More details about plans: https://auth0.com/pricing

Using the service

Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The Auth0 Identity service is provided as SDKs and APIs, allowing uniform usability across mobile, web and native applications.
Service interface No
API Yes
What users can and can't do using the API Auth0 exposes two APIs for developers to consume in their applications:
1. Authentication API: handles identity-related tasks (logging users in, issuing tokens).

2. Management API: handles management of your Auth0 account, including functions related to (but not limited to):
- Clients
- Connections
- Emails
- Users
API documentation Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Identity management administrators can customize the Auth0 identity platform to:
1. Integrate user identity management into their existing application framework
2. Manage configuration to control and secure the platform, and extend it to meet specific requirements using the extensibility features
3. Control how user identity data is sourced from different data sources
4. Customize the user login widget (Auth0 Lock) to match the customer's brand and integrate various (social) login options within the login box

Scaling

Independence of resources Auth0 provides enterprise-level on-demand scalability for predictable as well as unpredictable user traffic. Auth0's infrastructure ensures high availability and resiliency for its services (24x7, with a 99.95% uptime SLA) through independent, geographically distributed data centers and full disaster recovery systems located on several continents.

Analytics

Service usage metrics Yes
Metrics types The management dashboard provides the following usage metrics on its home page:
1. User login activity
2. Number of users
3. Number of logins
4. New signups
5. Latest logins
Reporting types Real-time dashboards

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach All data in a user's Auth0 account is always under their control and is available through the Management API at any time. The only information not available through the API is the password hashes of Auth0-hosted database users and private keys, which are withheld for security reasons.
https://auth0.com/docs/tutorials/removing-auth0-exporting-data

Auth0 also provides a pre-configured extension for importing and exporting users from and to any database: https://auth0.com/docs/extensions/user-import-export
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Auth0's infrastructure ensures high availability and resiliency for its services (24x7, with a 99.95% uptime SLA) through independent, geographically distributed data centers and full disaster recovery systems located on several continents.
Approach to resilience At a high level, Auth0's availability strategy is rather simple, and yet very effective: we ensure that critical dependencies are redundant, we rapidly detect failures, and our failover is very quick. The Auth0 architecture implements redundant components at all levels such as:
- DNS
- Datacenter
- Application layer
- Storage

Auth0 has taken multiple steps to ensure extra availability. One important aspect is how the application is architected, including how user sessions are managed, how functionality is partitioned, how the availability of modules is prioritized, and how transient conditions are handled.

Auth0 is designed and built as a scalable, highly available, multi-tenant cloud service.

This highly reliable architecture is combined with solid operational processes and a culture of continuous improvement that constantly refines and improves Auth0 operations.
Outage reporting Public dashboard - https://status.auth0.com/

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Role-based access with delegated administration allows administrators to restrict access to the management interface and support channels.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman
ISO/IEC 27001 accreditation date 27/07/2018
What the ISO/IEC 27001 doesn’t cover The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting the Auth0 identity platform, in accordance with the statement of applicability, version 2.0, dated May 11, 2018, and aligned with ISO/IEC 27018:2014.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 16/11/2018
CSA STAR certification level Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting the Auth0 identity platform, in accordance with the statement of applicability, version 2.0, dated May 11, 2018, and aligned with ISO/IEC 27018:2014.
PCI certification Yes
Who accredited the PCI DSS certification Schellman
PCI DSS accreditation date 01/06/2018
What the PCI DSS doesn’t cover The multi-tenant public cloud; the PCI DSS certification covers the private cloud deployment only.
Other security certifications Yes
Any other security certifications
  • SOC 2 Type 2
  • HIPAA BAA
  • EU-US Privacy Shield Framework
  • OpenIDConnect Certified

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
- SOC 2 Type II certified
- GDPR
- ISO 27018
- CSA GoldStar
- PCI/DSS (Private)
- EU-US Privacy Shield Framework conformance
- HIPAA BAA
Information security policies and processes Auth0 has a dedicated information security team, led by a CISO with two decades of experience at organizations such as AT&T, Amazon.com, and the US Department of Defense. The team includes specialists in application security, infrastructure security, and cloud security; they are the “tip of the spear”, whose sole responsibility is 24x7 vigilance and security process improvement to keep Auth0’s subscribers safe.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Auth0 has a process to ensure that all changes to production services and infrastructure are reviewed by at least two engineers. Unit and integration testing helps reduce the risk of vulnerabilities and software defects.
Software is stored and tracked via versioned source control (GitHub). Automated scanning tools look for vulnerabilities in third-party components.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Auth0 has a comprehensive set of security policies, standards, and guidelines to ensure compliance and to guide our employees in making sound security decisions. Examples include:

Password Protection Policy
Encryption Policy
Monitoring Policy
Server Security Policy

Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which researchers have authorized access.

When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which researchers have authorized access.

When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it. This practice helps guarantee that the entire community around Auth0 (customers, partners, employees, and so on) is not put at risk before we are able to address all security issues.

Auth0 has a rapid response approach to security incidents, ensuring that any incident is fixed immediately.
Incident management type Supplier-defined controls
Incident management approach Auth0's security team and the customer's team collaborate on any incident to fix it immediately and contain any resulting damage.

Users can report incidents by contacting Auth0 customer success team.

Auth0 works closely with the customer's security/development team to provide details and guidance about incidents using an incident report containing the following:
1. Incident analysis
2. Recommendations
3. FAQs

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No

Pricing

Price £0.25 to £3.75 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Auth0 provides a 'Free Plan' which includes:
- 7,000 free active users & unlimited logins
- Passwordless & TouchID login
- Lock for Web, iOS & Android
- Up to 2 social identity providers
- Rules & Webtask.io subscription

Auth0 also provides a 22-day trial period covering all features:
https://auth0.com/pricing
Link to free trial https://auth0.com/signup
