This article is intended to provide information about a necessary configuration update for customers using the Breached Credentials Protection feature, to prevent unauthorized password changes and mitigate a potential risk of user disruption.
Please review this article carefully and complete the two required remediation steps outlined below immediately to protect your users.
What is the Risk?
The Breached Credentials Protection feature is designed to protect users by expiring their password and forcing a password change when the credential (i.e. username and password pair) used at login matches a credential found in a public data breach. The risk occurs when an organization's password policy does not enforce multi-factor authentication (MFA) during this password change flow.
- The Scenario: If an attacker attempts to use a breached credential, the Breached Credentials Protection feature will correctly expire the password.
- The Exposure: If your password policy does not require MFA during the subsequent password change flow, the attacker can set a new password without a second factor.
- The Risk: This allows the attacker to successfully change the password, gain access to the account, and potentially lock out the legitimate user.
Secure configuration of the password change flow is required to preserve Breached Credentials Protection's intended defense mechanism and reduce the risk of account takeover (ATO).
Two-Step Remediation Process for OIE Customers
Okta Identity Engine (OIE) customers using the Breached Credentials feature should complete the following two steps:
Step 1: Enable the EA Feature
- In the Admin Console, navigate to Settings > Features and enable the “Okta account management policy for expiring passwords” Early Access (EA) feature. This feature is required to activate the necessary policy controls in the next step.
Step 2: Secure Your Password Policy
- Update your Okta Password Policy to require MFA during all password change flows, including password expiry triggered by Breached Credentials Protection. To do so, first ensure self-service password change is enabled in your password policy rule.
- Next, configure the access control to use “Authentication policy”.
- Next, navigate to the Okta Account Management Policy and edit the automatically created “Password Expiry Rule”:
  - Configure the recovery authenticators you want to allow for the password expiry flow. Okta recommends using strong, phishing-resistant factors:
These steps will ensure that an attacker cannot set a new password without being prompted for MFA after Breached Credentials Protection has successfully expired the old password.
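The exposure described in the Risk section, and the check an administrator would want after completing the two steps, can both be expressed as a System Log query: a successful password change in a session that shows no earlier successful MFA verification is exactly the event this remediation is meant to make impossible. The script below is an added example written for this article; it is not Okta code. It assumes event dicts in the shape returned by the Okta System Log API (`/api/v1/logs`) and the event type names `user.authentication.auth_via_mfa` and `user.account.update_password` as they appear in that log; the sample events are constructed for illustration.

```python
"""Flag Okta System Log password changes that have no successful MFA earlier in
the same session. Added example for this article, not Okta's own code."""
from collections import namedtuple

# Event types as they appear in the Okta System Log (assumed here; confirm
# against your own tenant's log before relying on them in a detection).
MFA_EVENT = "user.authentication.auth_via_mfa"
PASSWORD_CHANGE_EVENT = "user.account.update_password"

Finding = namedtuple("Finding", ["user", "session", "published"])


def _session_id(event):
    """Sessions are correlated by authenticationContext.externalSessionId."""
    return (event.get("authenticationContext") or {}).get("externalSessionId")


def _succeeded(event):
    return (event.get("outcome") or {}).get("result") == "SUCCESS"


def unverified_password_changes(events):
    """Return the password-change events whose session carried no successful MFA
    verification before the change. Input order does not matter; events are
    sorted by their 'published' timestamp. A change with no session id is
    flagged too, since it cannot be tied to any MFA verification."""
    ordered = sorted(events, key=lambda e: e["published"])
    mfa_sessions = set()
    flagged = []
    for event in ordered:
        session = _session_id(event)
        event_type = event.get("eventType")
        if event_type == MFA_EVENT and _succeeded(event) and session:
            mfa_sessions.add(session)
        elif event_type == PASSWORD_CHANGE_EVENT and _succeeded(event):
            if session not in mfa_sessions:
                flagged.append(event)
    return flagged


def summarize(flagged_events):
    """Reduce flagged events to (user, session, timestamp) tuples for triage."""
    return [
        Finding(
            user=(e.get("actor") or {}).get("alternateId"),
            session=_session_id(e),
            published=e["published"],
        )
        for e in flagged_events
    ]


def _event(event_type, user, session, published, result="SUCCESS"):
    """Build a minimal System Log-shaped event (constructed sample data)."""
    return {
        "eventType": event_type,
        "published": published,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "authenticationContext": {"externalSessionId": session},
    }


# Constructed sample: alice changes her password after MFA, bob's session shows a
# password change with no MFA verification at all.
SAMPLE_EVENTS = [
    _event("user.session.start", "alice@example.com", "sess-alice", "2024-01-01T10:00:00Z"),
    _event(MFA_EVENT, "alice@example.com", "sess-alice", "2024-01-01T10:00:05Z"),
    _event(PASSWORD_CHANGE_EVENT, "alice@example.com", "sess-alice", "2024-01-01T10:00:30Z"),
    _event("user.session.start", "bob@example.com", "sess-bob", "2024-01-01T11:00:00Z"),
    _event(PASSWORD_CHANGE_EVENT, "bob@example.com", "sess-bob", "2024-01-01T11:00:20Z"),
    # A failed MFA attempt must not count as verification.
    _event(MFA_EVENT, "carol@example.com", "sess-carol", "2024-01-01T12:00:00Z", result="FAILURE"),
    _event(PASSWORD_CHANGE_EVENT, "carol@example.com", "sess-carol", "2024-01-01T12:00:10Z"),
]

if __name__ == "__main__":
    for finding in summarize(unverified_password_changes(SAMPLE_EVENTS)):
        print(f"password changed without MFA: {finding.user} session={finding.session} at {finding.published}")
```

Run against a real export, any finding after the remediation has been applied means a password change path is still not covered by the authentication policy and the rule configuration should be rechecked; before remediation, the same query surfaces the sessions the Risk section describes.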
What Okta is Doing
We are working to integrate this secure-by-default configuration as the default behavior for the Breached Credentials Protection password expiry flow:
- Product Clarity: We are updating the Breached Credentials Protection configuration pages with dynamic helper text to clearly warn administrators that they must configure MFA during the password change flow before enabling Breached Credentials Protection in enforced mode.
- Monitoring & Support: We have implemented enhanced monitoring to detect indicators of exploitation and have fully trained our Support team to guide customers through this critical two-step remediation process.
