Auth0

by Okta, Inc.

Developer-focused identity platform with universal login, MFA, and extensible authentication flows

Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations.

§4.2.1 AAL2: "Authentication at AAL2 requires two distinct authentication factors." §4.3.1 AAL3: "AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol." Auth0 supports AAL1-AAL3 with various authenticator types including WebAuthn and hardware tokens.

Authentication best practices. Auth0 implements secure password policies, MFA, session management, and brute force protection.

Official security configuration guide covering tenant hardening, token security, attack protection, and compliance settings.

SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets." CC6.2: "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users." CC6.3: "The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles." Auth0 provides identity platform capabilities aligned with SOC 2 access control requirements. Source: AICPA Trust Services Criteria.

ISO 27001:2022 A.5.16: "The full lifecycle of identities shall be managed." A.5.17: "Authentication information shall be controlled through a management process." A.8.5: "Secure authentication procedures shall be implemented in accordance with the information access restriction policy and topic-specific policy on access control." Auth0 supports ISO 27001 identity management through universal login, MFA, and extensible authentication flows. Source: ISO/IEC 27001:2022 Annex A.

Verification Commands

Commands and queries for testing and verifying security configurations. Each call is a GET against the Auth0 Management API v2 and requires a bearer token granted the matching read scope (for example read:attack_protection for the attack-protection endpoints); replace TENANT with the tenant's own domain.

List all users (API): GET https://TENANT.auth0.com/api/v2/users
Get tenant settings (API): GET https://TENANT.auth0.com/api/v2/tenants/settings
List all connections, i.e. identity providers (API): GET https://TENANT.auth0.com/api/v2/connections
Check brute force protection (API): GET https://TENANT.auth0.com/api/v2/attack-protection/brute-force-protection
List MFA factors (API): GET https://TENANT.auth0.com/api/v2/guardian/factors
Get security logs, filtered to failure event types whose type code begins with f (API): GET https://TENANT.auth0.com/api/v2/logs?q=type:f*
List clients, i.e. applications (API): GET https://TENANT.auth0.com/api/v2/clients?fields=name,client_id,app_type
Get suspicious IP throttling config (API): GET https://TENANT.auth0.com/api/v2/attack-protection/suspicious-ip-throttling
List all actions (API): GET https://TENANT.auth0.com/api/v2/actions/actions
Get breached password detection config (API): GET https://TENANT.auth0.com/api/v2/attack-protection/breached-password-detection
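As an added example (not Auth0's code or part of this page), the following script evaluates the three attack-protection responses listed above and reports any protection that is disabled or not set to block; it assumes the `enabled` and `shields` fields of the Management API v2 responses, and the sample responses below are constructed, not captured from a real tenant.

```python
"""Evaluate Auth0 attack-protection settings returned by the Management API v2."""
import json
import urllib.request

# Constructed sample responses shaped like the three attack-protection endpoints.
# Field names follow the Management API v2 responses; the values are made up.
SAMPLE_BRUTE_FORCE = {"enabled": True, "shields": ["block", "user_notification"],
                      "mode": "count_per_identifier_and_ip", "max_attempts": 10}
SAMPLE_SUSPICIOUS_IP = {"enabled": False, "shields": ["admin_notification", "block"]}
SAMPLE_BREACHED_PW = {"enabled": True, "shields": ["admin_notification"],
                      "method": "standard"}

# Assumed policy threshold for the brute-force lockout counter (not an Auth0 constant).
MAX_ATTEMPTS_THRESHOLD = 10


def evaluate_attack_protection(brute_force, suspicious_ip, breached_pw):
    """Return a list of findings; an empty list means every protection is on and blocking."""
    findings = []
    for name, cfg in (("brute-force-protection", brute_force),
                      ("suspicious-ip-throttling", suspicious_ip),
                      ("breached-password-detection", breached_pw)):
        if not cfg.get("enabled"):
            findings.append(f"{name}: disabled")
        elif "block" not in cfg.get("shields", []):
            # Notification-only shields alert an admin but never stop the login.
            findings.append(f"{name}: enabled but 'block' shield not set")
    attempts = brute_force.get("max_attempts", 0)
    if brute_force.get("enabled") and attempts > MAX_ATTEMPTS_THRESHOLD:
        findings.append(f"brute-force-protection: max_attempts {attempts} exceeds policy")
    return findings


def fetch(tenant_domain, token, path):
    """GET one Management API v2 endpoint with a bearer token (live call, not used offline)."""
    req = urllib.request.Request(f"https://{tenant_domain}/api/v2/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for finding in evaluate_attack_protection(SAMPLE_BRUTE_FORCE, SAMPLE_SUSPICIOUS_IP,
                                              SAMPLE_BREACHED_PW):
        print("FINDING:", finding)
```

With a real token, pass `fetch(domain, token, "attack-protection/brute-force-protection")` and the two sibling paths into `evaluate_attack_protection` instead of the constructed samples.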

Related Controls

Security controls from various frameworks that relate to Auth0.
