User experience with breached credentials protection
Early Access release. See Enable self-service features. Not authorized for Okta for Government Moderate.
Breached credentials protection changes the sign-in experience for users based on the security responses you choose in your password policy.
Log the user out immediately
Okta expires the user's credentials and ends their Okta session. The user is returned to the Sign-In Widget, where they may be prompted to change their password before signing in again (as configured in your Password Security settings).
Expire the password after this many days
If you want to give users time to change their passwords, indicate the number of days that they can sign in with breached credentials (after being logged out immediately).
During this period, users may be prompted to change their password every time they sign in, but they can dismiss the prompt. After the period ends, they can no longer dismiss the prompt and must change their password before they can sign in again.
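To make the timing of these two responses concrete, here is a small model of the behaviour described above. It is an added illustration, not Okta code and not Okta's policy schema: the class and function names (BreachPolicy, BreachState, on_breach_detected, on_sign_in, simulate) are invented, the timeline is constructed, and treating a missing grace period as "change required at next sign-in" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Outcomes of a sign-in attempt with credentials that appeared in a breach.
SESSION_ENDED = "session_ended"            # active session terminated at detection time
PROMPT_DISMISSIBLE = "prompt_dismissible"  # inside the grace period: user may skip the change
PROMPT_REQUIRED = "prompt_required"        # grace period over: change is mandatory
NO_ACTION = "no_action"                    # credentials not flagged, or already rotated


@dataclass(frozen=True)
class BreachPolicy:
    """Hypothetical model of the two password-policy settings discussed on the page."""
    log_out_immediately: bool = True
    expire_after_days: Optional[int] = None  # None models "no grace period configured"


@dataclass(frozen=True)
class BreachState:
    """What the tenant knows about one user's breached credential (constructed model)."""
    detected_at: datetime
    password_changed: bool = False


def grace_period_end(policy: BreachPolicy, state: BreachState) -> datetime:
    """Moment after which the change-password prompt can no longer be dismissed."""
    days = policy.expire_after_days or 0   # assumption: no grace period => mandatory at next sign-in
    return state.detected_at + timedelta(days=days)


def on_breach_detected(policy: BreachPolicy, state: BreachState) -> str:
    """Response at the moment credentials are found in a breach."""
    if state.password_changed:
        return NO_ACTION
    return SESSION_ENDED if policy.log_out_immediately else NO_ACTION


def on_sign_in(policy: BreachPolicy, state: Optional[BreachState], now: datetime) -> str:
    """Prompt the user sees at the Sign-In Widget when authenticating again."""
    if state is None or state.password_changed:
        return NO_ACTION
    if now < grace_period_end(policy, state):
        return PROMPT_DISMISSIBLE
    return PROMPT_REQUIRED


def rotate_password(state: BreachState) -> BreachState:
    """A successful password change clears the breached flag."""
    return BreachState(detected_at=state.detected_at, password_changed=True)


def simulate(expire_after_days, sign_in_days, change_on_day=None):
    """Constructed timeline: outcome at detection, then at each sign-in N days later.

    change_on_day marks the day (offset) on which the user finally rotates the password.
    """
    policy = BreachPolicy(log_out_immediately=True, expire_after_days=expire_after_days)
    detected = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed detection time
    state = BreachState(detected_at=detected)
    outcomes = [on_breach_detected(policy, state)]
    for day in sign_in_days:
        if change_on_day is not None and day >= change_on_day:
            state = rotate_password(state)
        outcomes.append(on_sign_in(policy, state, detected + timedelta(days=day)))
    return outcomes


if __name__ == "__main__":
    # 7-day grace period: dismissible on day 3, mandatory once day 7 is reached.
    print(simulate(7, [3, 7]))                 # ['session_ended', 'prompt_dismissible', 'prompt_required']
    # No grace period configured: mandatory at the very next sign-in.
    print(simulate(None, [0, 1]))              # ['session_ended', 'prompt_required', 'prompt_required']
    # User rotates the password on day 5, so the day-9 sign-in is clean.
    print(simulate(7, [3, 9], change_on_day=5))  # ['session_ended', 'prompt_dismissible', 'no_action']
```

The comparison in on_sign_in uses a strict "before the end of the grace period" check, so a sign-in exactly at the boundary is already treated as mandatory; if your tenant behaves differently at the boundary, that is the one line to adjust.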
Take custom action using workflows
If you set up the Okta Workflows Template: Send notifications for a breached password event workflow, Okta notifies users by email when their credentials are breached. This reduces confusion for users if their Okta session ends abruptly and they're required to change their password before they sign in again.
Other delegated workflows may customize the breached credentials response. Refer to the Workflows that you've set up to understand the user experience.
Related topics
Breached credentials detection
Okta Workflows Template: Send notifications for a breached password event