Breached credentials protection
This feature helps you detect breached credentials in your Okta environment and customize their remediation.
Okta monitors third-party lists of public data breaches for username-password combinations that belong to users in your org. When a user signs in, Okta checks whether the submitted credentials appear in one of those lists. If they do, Okta expires the password according to the password policy configuration, ends all of that user's related Okta sessions, and records the security.breached_credential.detected event in the System Log. The user is required to reset their password the next time they attempt to sign in.
This feature is only available in password policies used for Okta and Active Directory authentication providers. It isn't available in password policies used for LDAP authentication providers.
How it works
Breached credentials protection is a security setting in your password policy.
The password authenticator is active by default for Okta users, and its policy controls password requirements like complexity, age, minimum length, and lock out settings. The breached credentials protection feature adds Password Security options to this policy, so that you can expire the password early or perform custom actions through Okta Workflows if breached credentials are detected. Okta provides sample credentials that you can use to test your Password Security settings.
After you configure the feature, Okta runs the check, and the remediation you configured, whenever a user's credentials are submitted during a sign-in request or a self-service password reset. Because the check happens only at those points, this feature doesn't retroactively scan existing passwords: a password that already appears in a breach list isn't flagged until the user next uses it.
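Because detection is recorded as the security.breached_credential.detected event in the System Log, the practical follow-up for a security team is to pull those events and look for patterns, for example a user who is flagged again shortly after a forced reset (a reused password that is also in a dump, or an attacker cycling through breached pairs). The following is an added example, not Okta's own code. It assumes the System Log event shape documented for the /api/v1/logs endpoint (eventType, published, actor.alternateId, client.ipAddress, outcome.result) and the endpoint's filter and since query parameters; the sample events are constructed, not real log data, and the org URL and user logins are placeholders.

```python
"""Triage security.breached_credential.detected events from the Okta System Log.

Added example (not Okta's code). Assumes the System Log event shape and the
/api/v1/logs filter/since/limit parameters; SAMPLE_EVENTS is constructed data.
"""
from collections import defaultdict
from urllib.parse import urlencode

BREACH_EVENT = "security.breached_credential.detected"

# Constructed sample events in System Log shape. Deliberately out of order and
# mixed with unrelated event types so the filtering and sorting are exercised.
SAMPLE_EVENTS = [
    {
        "eventType": BREACH_EVENT,
        "published": "2024-05-04T09:30:00.000Z",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.22"},
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": "user.session.start",
        "published": "2024-05-02T08:15:01.000Z",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": BREACH_EVENT,
        "published": "2024-05-02T08:15:00.000Z",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.10"},
        "outcome": {"result": "SUCCESS"},
    },
    {
        "eventType": BREACH_EVENT,
        "published": "2024-05-03T12:00:00.000Z",
        "actor": {"alternateId": "bob@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.7"},
        "outcome": {"result": "SUCCESS"},
    },
]


def system_log_query(org_url, since, event_type=BREACH_EVENT, limit=100):
    """Build the System Log URL that returns one event type since a timestamp.

    `since` is an ISO 8601 timestamp; the filter uses the SCIM-style syntax the
    endpoint accepts for eventType. The caller adds the SSWS/OAuth token header.
    """
    params = {"filter": f'eventType eq "{event_type}"', "since": since, "limit": limit}
    return f"{org_url.rstrip('/')}/api/v1/logs?{urlencode(params)}"


def breached_credential_events(events):
    """Return only breached-credential detections, oldest first."""
    hits = [e for e in events if e.get("eventType") == BREACH_EVENT]
    return sorted(hits, key=lambda e: e["published"])


def detections_by_user(events):
    """Map each user login to its detections as (published, source IP) tuples."""
    out = defaultdict(list)
    for e in breached_credential_events(events):
        login = e.get("actor", {}).get("alternateId", "<unknown>")
        out[login].append((e["published"], e.get("client", {}).get("ipAddress")))
    return dict(out)


def repeat_offenders(events, threshold=2):
    """Logins flagged at least `threshold` times: worth a manual look, since the
    password was already expired after the first detection."""
    by_user = detections_by_user(events)
    return sorted(login for login, hits in by_user.items() if len(hits) >= threshold)


if __name__ == "__main__":
    print(system_log_query("https://example.okta.com", "2024-05-01T00:00:00Z"))
    for login, hits in detections_by_user(SAMPLE_EVENTS).items():
        print(login, hits)
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

Run it offline as-is; to use it against a real org, fetch the URL that system_log_query builds with your API token and pass the returned JSON array to detections_by_user. Paging through the response headers and handling rate limits are left to the caller.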
Enhanced breached credentials protection
Early Access release. See Enable self-service features.
Breached credentials protection relies on publicly available breach data. Enhanced breached credentials protection is an additional service that's available through Identity Threat Protection for Okta Customer Identity. Enhanced breached credentials protection proactively screens for breaches to allow faster notification of compromised credentials.
| | Breached credentials protection | Enhanced breached credentials protection |
|---|---|---|
| Plans included | Available to all customers | Part of Identity Threat Protection for Okta Customer Identity |
| Data collection method | Web scanners and scrapers search for user credentials in published security breaches | Dedicated security team infiltrates criminal communities and gains access to breach data that isn't otherwise available |
| Typical detection time | Up to 7-13 months | 12-36 hours |
| Coverage | English only | 200+ countries and territories |
Topics
Configure breached credentials protection
