This article provides steps to configure the User Enumeration Prevention feature in Okta Identity Engine (OIE). This feature enhances security by preventing attackers from identifying valid user accounts through authentication or account recovery attempts.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Security
To enable the User Enumeration Prevention feature:
- In the Admin Console, navigate to Security > General.
- In the User Enumeration Prevention section, select Edit.
- Select the desired options to activate the feature:
  - Authentication: Manages user enumeration prevention during authentication attempts.
  - Recovery: Controls user enumeration prevention during account recovery scenarios.
- Select Save to apply the changes.
NOTE: To deactivate this feature, clear the checkboxes for Authentication and Recovery.
NOTE: User Enumeration Prevention is an org-wide security setting. The examples below demonstrate Authentication, but the same flow applies to Recovery as well.
Authentication flow when User Enumeration Prevention is Enabled for Authentication
When User Enumeration Prevention is enabled during authentication, signing in requires a two-step verification process. First, the user enters just their username. Next, the user must verify their identity by providing either their email address or password. Users will then be presented with additional enrolled authenticators. Both email and password options in the second step will be displayed even if only one factor is required in the authentication policies.
NOTE: If the email option here is not desired, it may be removed by reconfiguring the email authenticator, and changing the Used for option from Authentication and recovery to just Recovery.
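The two-step flow above works because the first response is the same whether or not the username exists. The following added example (not Okta's code, and not taken from this article) models that property in a small simulation: a naive identify handler that reveals account existence beside an enumeration-resistant one that always advances to the same second step, returns one generic failure for unknown user and wrong credential alike, and does the same amount of work on both branches so response timing does not leak what the message hides. The usernames, password and authenticator enrolments are constructed sample data.

```python
"""Identifier-first sign-in modelled two ways: a naive handler that leaks
whether an account exists, and an enumeration-resistant handler that
answers every identifier the same way. Added illustration, not Okta code."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    # Salted SHA-256 keeps the example dependency-free; production code
    # should use a deliberately slow hash (argon2, scrypt, bcrypt).
    return hashlib.sha256(_SALT + password.encode()).digest()


# Constructed sample directory: username -> credential and enrolled authenticators.
USERS = {
    "alice@example.com": {
        "password_hash": hash_password("correct horse battery staple"),
        "authenticators": ["email", "password", "okta_verify"],
    },
}

# Dummy hash so the unknown-user branch does the same work as a real comparison.
_DUMMY_HASH = hash_password(secrets.token_hex(16))

# Step two always offers both options, whatever the policy actually requires.
SECOND_STEP_OPTIONS = ("email", "password")
GENERIC_FAILURE = {"status": "error", "message": "Unable to sign in"}
EMAIL_ACK = {"status": "pending",
             "message": "If the address matches an account, a code has been sent"}

# Side effect kept out of the response: codes actually issued, keyed by username.
sent_codes = {}


def naive_identify(username: str) -> dict:
    """Leaky flow: the first response already says whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return {"status": "error", "message": "No account found for this username"}
    return {"status": "ok", "options": list(record["authenticators"])}


def hardened_identify(username: str) -> dict:
    """Step one: any username advances to step two with the same options.
    The state token is random, so it carries no information about the account."""
    return {"status": "ok", "options": list(SECOND_STEP_OPTIONS),
            "state": secrets.token_hex(8)}


def hardened_verify(username: str, method: str, credential: str) -> dict:
    """Step two: unknown user, wrong password and wrong email all get GENERIC_FAILURE;
    only a successful verification reveals the remaining enrolled authenticators."""
    record = USERS.get(username)
    if method == "password":
        stored = record["password_hash"] if record else _DUMMY_HASH
        # The constant-time comparison runs on both branches; the existence
        # check is applied afterwards so the work done is identical.
        matched = hmac.compare_digest(stored, hash_password(credential))
        if record is None or not matched:
            return dict(GENERIC_FAILURE)
        remaining = [a for a in record["authenticators"] if a != "password"]
        return {"status": "ok", "next_authenticators": remaining}
    if method == "email":
        # A code is issued only when the address belongs to the account, but the
        # caller receives the same acknowledgement in every case.
        if record is not None and credential.lower() == username.lower():
            sent_codes[username] = secrets.token_hex(3)
        return dict(EMAIL_ACK)
    return dict(GENERIC_FAILURE)


def without_state(response: dict) -> dict:
    """Drop the random state token so two responses can be compared."""
    return {k: v for k, v in response.items() if k != "state"}


def leaks_existence(identify) -> bool:
    """True if the identify step answers differently for a real and a made-up user."""
    known = without_state(identify("alice@example.com"))
    unknown = without_state(identify("nobody@example.com"))
    return known != unknown


if __name__ == "__main__":
    print("naive leaks:", leaks_existence(naive_identify))        # True
    print("hardened leaks:", leaks_existence(hardened_identify))  # False
```

The `leaks_existence` check is the test a reviewer can run against any identifier-first endpoint: submit a known and an unknown identifier and diff the responses after stripping per-request randomness. The simulation goes slightly beyond the article by also equalising the work done on the unknown-user path, since a uniform message is undermined if the two branches take measurably different time.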
Authentication flow when User Enumeration Prevention is Disabled for the Okta tenant
When User Enumeration Prevention is disabled for the Okta tenant, the sign-in process from a new device allows the user to select the authentication method from among their enrolled and policy-compliant factors.
User Enumeration Limitations
User Enumeration Prevention will not work if either of the following features is enabled in the org:
- Self-Service Registration.
- Just In Time (JIT) Provisioning flows using email authenticators.
This is an expected behavior, given the nature of each of the above features.
If Factor Sequencing is enabled for the Org, the flow will remain unchanged for Okta Policies assigned to low-risk authentications. However, for policies designated for high-risk logins, User Enumeration Prevention will prompt for a random factor to prevent potential attackers from discovering user authenticator enrollments.
To keep the normal factor sequencing flow instead of random sequencing, User Enumeration Prevention must be disabled.
Related References
- User Enumeration Prevention
- Okta Factor Sequencing and User Enumeration Prevention for High Risk Logins
- How do I enable or disable Just-in-Time Provisioning?
- Enable and configure a self-service registration policy (Classic Engine)
- Update the profile enrollment default policy (Identity Engine)
