# talk-kratos
b
hello ory team! Our ISO 27001 auditor asks us to follow a password policy restricting users from re-using old passwords. Relying on webhooks does not work as `transient_payload` is only available for the registration flow (at the moment) and the password value is not available in the webhook payload. Also, I stumbled upon https://github.com/ory/kratos/issues/1 which mentions a password history feature, but it is not mentioned over there https://www.ory.sh/docs/concepts/password-policy#best-practices Can we expect this feature at some point? We are planning to move from our homemade SSO to the Ory ecosystem but we are still wrapping our heads around this point. thank you 🙏
h
We got Ory Kratos ISO Certified without that requirement. There is currently no way of doing this
b
all right, I just found out the annex A5.17 mentioning this requirement (https://hightable.io/iso-27001-annex-a-5-17-authentication-information/#h-iso-27001-2022-annex-a-5-17-definition)

> e) Ideally they prevent re-use of previous passwords

is wrongly translated in French ("ideally" is missing). I will check if anything can be done on this mismatch with my team
ok so this is indeed listed as a recommended but not a required requirement. As this feature is already present in our SSO and we are not sure if the auditor can change their mind about it, what do you think would be the best approach to make it possible in Ory Kratos? If this is not something already in your pipeline, we could contribute to make it a standalone feature or make `transient_payload` available for other flows to be able to check the hashed password against a self-hosted db for example
h
I don’t think you should try to work around this. We don’t have this requirement on the roadmap at the moment and we had no plans to introduce it since it does require quite a lot of design to make this secure and scalable. I’d recommend talking to your auditor. If they say it’s REQUIRED (which it is not, which is why we passed ISO) then I’d revisit. We can also help with roadmap and implementation topics in Ory. What type of deployment are you running?
b
we are planning to run the self hosted version if that is what you are asking
h
Got it, we do support features like that as part of a support subscription, which we recommend anyway if you are running Ory at a significant scale. Might be an option for you 🙂
b
ok, thank you! We will take a look at that 🙏