Configure breached credentials protection
Early Access release. See Enable self-service features. Not authorized for Okta for Government Moderate.
Breached credentials protection is a security setting in your password policies. Use it to control how Okta responds when it detects that a user's credentials in your org have been compromised. By default, Okta expires the password, ends the user's Okta sessions, and requires the user to reset their password the next time they sign in.
Before you begin
The default breached credentials protection settings apply to all of your password policies, so you need to update each policy that you want to change.
This feature isn't available in password policies used for LDAP authentication providers.
For AD-sourced users to reset their password after entering a breached password, you need to enable self-service password reset in your org.
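Because the settings are per policy, and because the LDAP and AD-sourced caveats above are easy to miss in a large org, it helps to enumerate every password policy with its authentication provider and self-service password reset state before you start editing. The script below is an added example, not Okta's own code or documentation. It works offline on a constructed stand-in for the bodies returned by GET /api/v1/policies?type=PASSWORD and GET /api/v1/policies/{policyId}/rules; the field names it reads (conditions.authProvider.provider, rule status, actions.selfServicePasswordReset.access) are assumptions about the Policy API schema that you should verify against your own org's responses. The page does not say how the breached credentials settings themselves are represented in the API, so the script does not try to read them; it only tells you which policies to visit, which ones need self-service password reset fixed first, and which ones the feature does not cover.

```python
"""Pre-flight audit for breached credentials protection (added example, not Okta code).

Assumed Policy API shape (verify against your org):
  policy.conditions.authProvider.provider  -> "OKTA" | "ACTIVE_DIRECTORY" | "LDAP"
  rule.status                              -> "ACTIVE" | "INACTIVE"
  rule.actions.selfServicePasswordReset.access -> "ALLOW" | "DENY"
"""

# Constructed sample standing in for GET /api/v1/policies?type=PASSWORD.
POLICIES = [
    {"id": "pol-okta", "name": "Default Policy", "status": "ACTIVE", "type": "PASSWORD",
     "conditions": {"authProvider": {"provider": "OKTA"}}},
    {"id": "pol-ad", "name": "AD Users", "status": "ACTIVE", "type": "PASSWORD",
     "conditions": {"authProvider": {"provider": "ACTIVE_DIRECTORY"}}},
    {"id": "pol-ldap", "name": "LDAP Users", "status": "ACTIVE", "type": "PASSWORD",
     "conditions": {"authProvider": {"provider": "LDAP"}}},
]

# Constructed sample standing in for GET /api/v1/policies/{policyId}/rules, keyed by policy id.
RULES_BY_POLICY = {
    "pol-okta": [
        {"status": "ACTIVE", "actions": {"selfServicePasswordReset": {"access": "ALLOW"}}},
    ],
    "pol-ad": [
        # Only the inactive rule allows SSPR, so AD users cannot reset a breached password yet.
        {"status": "ACTIVE", "actions": {"selfServicePasswordReset": {"access": "DENY"}}},
        {"status": "INACTIVE", "actions": {"selfServicePasswordReset": {"access": "ALLOW"}}},
    ],
    "pol-ldap": [
        {"status": "ACTIVE", "actions": {"selfServicePasswordReset": {"access": "ALLOW"}}},
    ],
}


def sspr_allowed(rules):
    """True if at least one ACTIVE rule allows self-service password reset."""
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue
        access = rule.get("actions", {}).get("selfServicePasswordReset", {}).get("access")
        if access == "ALLOW":
            return True
    return False


def audit(policies, rules_by_policy):
    """Return (policy name, verdict, reason) for every password policy.

    SKIP   - LDAP provider: breached credentials protection is not available.
    FIX    - AD-sourced policy without self-service password reset; enable it first,
             or users who enter a breached password cannot reset it.
    REVIEW - policy is eligible; its breached credentials settings must be
             updated individually because the defaults apply per policy.
    """
    findings = []
    for policy in policies:
        provider = policy.get("conditions", {}).get("authProvider", {}).get("provider", "OKTA")
        rules = rules_by_policy.get(policy["id"], [])
        if provider == "LDAP":
            findings.append((policy["name"], "SKIP",
                             "LDAP authentication provider: feature not available"))
        elif provider == "ACTIVE_DIRECTORY" and not sspr_allowed(rules):
            findings.append((policy["name"], "FIX",
                             "AD-sourced users need self-service password reset enabled "
                             "before they can reset a breached password"))
        else:
            findings.append((policy["name"], "REVIEW",
                             "update breached credentials settings in this policy"))
    return findings


if __name__ == "__main__":
    for name, verdict, reason in audit(POLICIES, RULES_BY_POLICY):
        print(f"{verdict:6} {name}: {reason}")
```

To run it against a real org, replace the two constructed structures with the parsed bodies of the two API calls named in the comments (paginate the policies call if your org has many policies) and confirm the field names against the responses before trusting the verdicts.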
Configure password policy settings
- In the Admin Console, go to .
- On the Setup tab, click for the Password item.
- Select the password policy that you want to edit.
- In the Password Security section, select your responses.
- Expire the password after this many days: Users can continue to sign in with a breached password for up to this many days (maximum 10). The default is 0, meaning that the password expires immediately.
- Log out user from Okta immediately: Users are immediately logged out from all of their Okta sessions. When used with the default expiration setting of 0, the user must set a new password before signing in again.
- Take custom actions using Workflows: Use the Okta Workflows Template: Send notifications for a breached password event workflow to notify users when their credentials are breached. Or, customize your response with a delegated workflow.
- Click Update Policy.