Okta is excited to announce a significant enhancement to Okta’s Breached Credentials Protection, designed to provide more control and a stronger defense against account takeover attacks.
This update introduces two new features that will be released in a phased rollout. Breached Credentials Protection is being updated to be more robust and flexible. Previously, this feature automatically logged users out and expired their passwords when a breach was detected. Now there are new password policy controls to customize the remediation actions, and an expanded third-party breached credentials feed for a broader range of protection.
New Password Policy Controls
New password policy controls provide the power to configure exactly how the organization responds to a breach detection. Choose from these new customizable remediation actions directly within the password policies:
- Expire password after X days: Automatically force a password reset for the impacted user within a configurable timeframe (0-10 days).
- Log out immediately: Force an immediate universal logout for the impacted user's active sessions.
- Custom action: Invoke a delegated workflow for custom, automated remediation steps tailored to the specific organizational needs.
This protection is enabled by default for all Okta organizations using Okta-mastered or AD-mastered password policies, aligning with the "secure by default" philosophy.
Expanded Breached Credentials Feed
The compromised credentials feed is being significantly enhanced. This new, expanded third-party feed allows for identifying a wider range of compromised username and password combinations, providing a more comprehensive layer of security.
- Okta's Breached Credentials Protection
- Okta Identity Engine (OIE)
These changes are being made to significantly improve our customers' security posture and better protect against the critical risk of account takeover. By offering an expanded feed and customizable remediation, Okta provides proactive, automated protection that reduces manual effort and improves incident response capabilities. This enhancement is part of Okta's commitment to delivering better product value and security.
Dates and Impacts
The most noticeable impact will be an initial increase in password reset prompts and session logouts for some users. This will occur for any user whose login credentials (username and password) are found in a breached dataset upon their next login attempt.
- Expanded Protection: The new, expanded third-party breached credentials feed will detect a wider range of compromised passwords.
- Default Behavior: By default, any user found to have breached credentials will be subject to the protection configured in the password policy, which may result in a forced password reset and/or session termination upon their next login.
- When It Happens: The feature acts on a user's login attempt. It does not retroactively log out active sessions unless the user attempts to log in with a breached credential.
This change will be rolled out as GA to Okta cells in a phased approach:
| Cell | New Password Policy Controls (UI) | Expanded Third-Party Feed |
|---|---|---|
| OK1, EU1 | September 15, 2025 | September 30, 2025 |
| OK3, OK8, OK16 | September 30, 2025 | October 7, 2025 |
| OK2, OK4, OK6, OK11 | October 7, 2025 | October 14, 2025 |
| OK7, OK9, OK12, OK14 | October 14, 2025 | October 21, 2025 |
Recommended Actions
To help manage this transition and customize the protection to fit the organization's needs, Okta highly recommends taking the following steps. While no actions are required to avoid service disruption, these steps will help proactively manage the user experience and minimize user disruption.
1. Proactive User Communication - Communicate with the user base before the new features are enabled. Inform them about this security enhancement and let them know that they may be prompted for a password reset if their credentials have been detected in a breach.
2. Review and Configure Remediation - Once the new password policy controls are available in the Okta cell, administrators should review and adjust the settings within their password policies. Customize the remediation actions (e.g., password expiry timeframe, logout behavior, custom workflows) to align with the organization's specific security policies.
   - Documentation: For a detailed guide on configuring these new settings, please refer to the Breached Password Protection documentation.
3. EA Self-Serve - If the features were proactively enabled and the password policies set up during the EA phase, no action is needed. The GA rollout will not impact the settings.
4. Test the Feature - Proactively test the breached credential protection feature in the tenant to understand its behavior and impact before it affects the end-users.
   - Use the special password OKTA-BREACH-TEST to trigger the flow and see the remediation actions in action.
   - Testing Documentation: For more details on how to test, please see the dedicated guide: Test Breached Password Protection.
5. Monitor Password Reset Volume - Anticipate and monitor a potential increase in password reset requests following the rollout of the expanded feed, and ensure the support team is prepared to handle these requests.
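One way to carry out step 5, as an added example that is not Okta's code: count password-reset events per day from a System Log export and flag post-rollout days whose volume exceeds the pre-rollout baseline. The eventType strings and the sample records are assumptions constructed here, not values taken from this page.

```python
"""Flag days on which Okta password-reset volume spikes above a pre-rollout baseline."""
from collections import Counter
from statistics import mean

# Assumed Okta System Log eventType for a password reset (not stated on this page).
RESET_EVENT = "user.account.reset_password"


def _events(day: str, n: int, event_type: str = RESET_EVENT) -> list[dict]:
    """Construct n sample System Log records on the given day (sample data, not a real export)."""
    return [
        {
            "published": f"{day}T{8 + i:02d}:00:00.000Z",
            "eventType": event_type,
            "actor": {"alternateId": f"user{i}@example.com"},
        }
        for i in range(n)
    ]


# Constructed sample: three quiet days, then the expanded-feed go-live date for OK1/EU1.
SAMPLE_EVENTS = (
    _events("2025-09-27", 2)
    + _events("2025-09-28", 3)
    + _events("2025-09-29", 2)
    + _events("2025-09-30", 9)
    + _events("2025-09-30", 4, "user.session.end")  # unrelated events must be ignored
)


def count_resets_per_day(events: list[dict], event_type: str = RESET_EVENT) -> dict[str, int]:
    """Return {YYYY-MM-DD: number of reset events} for the matching eventType only."""
    counts: Counter = Counter()
    for ev in events:
        if ev.get("eventType") != event_type:
            continue
        counts[ev["published"][:10]] += 1  # ISO-8601 timestamp: first 10 chars are the date
    return dict(counts)


def flag_spikes(per_day: dict[str, int], rollout_date: str, factor: float = 3.0) -> list[str]:
    """Return post-rollout days whose reset count exceeds factor x the pre-rollout daily mean."""
    baseline = [c for d, c in per_day.items() if d < rollout_date]  # ISO dates sort lexically
    if not baseline:
        raise ValueError("need at least one pre-rollout day to build a baseline")
    threshold = factor * mean(baseline)
    return sorted(d for d, c in per_day.items() if d >= rollout_date and c > threshold)


if __name__ == "__main__":
    per_day = count_resets_per_day(SAMPLE_EVENTS)
    print(per_day, flag_spikes(per_day, "2025-09-30"))
```

Tune `factor` to the organization's normal reset variance so that the help desk is alerted only when the post-rollout increase is genuinely above the usual day-to-day noise.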
Additional Support
For further questions, please contact your Okta representative or use the support resources available in the Okta Support Center.
