This article details strategies to block suspicious sign-in attempts and defend against malicious authentication attempts, such as password spraying. Implementing these best practices secures the Okta environment against unwanted authentications and credential-based attacks.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Credential-Based attacks
- User Account Lockouts
What are the best practices for securing Okta against unwanted authentications?
Review the following strategies and configurations to secure the Okta environment against credential-based attacks and suspicious sign-in attempts.
- Improve account lockout behavior by adding the ability to block suspicious sign-in attempts from unknown devices. See How to Block Suspicious Password Attempts from Unknown Devices.
- Add authenticators with different factor types and require a possession factor before a password during sign-in. See Multifactor authentication.
- Block sign-in traffic by network zone: IP zones, dynamic zones, and Autonomous System Numbers (ASNs) can all be denied access to the Okta organization. See Blocklist network zones.
- Leverage Risk Scoring and Behavior Detection to evaluate sign-in requests and prevent credential-based attacks by requiring Multifactor Authentication (MFA) on high-risk logons. See Risk and behavior evaluation.
- Create a common password check and enable password complexity in the Password Policy. See Configure a password policy.
- Utilize CAPTCHA services to prevent automated sign-in attempts and increase organizational security. See CAPTCHAs.
- Integrate with third-party bot detection solutions. Examples of these tools include the following integrations:
- Enable Breached Credentials Protection to provide greater control and stronger defense against account takeover attacks. This protection is enabled by default for all Okta organizations using Okta-sourced or Active Directory-sourced (AD-sourced) password policies. See Breached Credentials Protection Product Enhancement.
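The strategies above reduce the success rate of password spraying, but a defender also wants to see it happening. The following added example (not Okta's code, and not part of the original article) shows detection logic run over Okta System Log-style events: password spraying tries one or a few passwords across many accounts from the same source, so the signal is the number of distinct users with failed `user.session.start` events per source IP, rather than repeated failures for one user (which looks like brute force or a lockout). The events are constructed sample data; the field names (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`) follow the System Log schema, but the IPs and users are placeholders.

```python
from collections import defaultdict


def _event(ip, user, result, event_type="user.session.start"):
    """Build a minimal Okta System Log-style event (constructed sample data)."""
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip},
    }


# Constructed sample events. 203.0.113.10 sprays four accounts, 198.51.100.7
# hammers a single account, 192.0.2.5 is a normal successful sign-in.
SAMPLE_EVENTS = [
    _event("203.0.113.10", "alice@example.com", "FAILURE"),
    _event("203.0.113.10", "bob@example.com", "FAILURE"),
    _event("203.0.113.10", "carol@example.com", "FAILURE"),
    _event("203.0.113.10", "dave@example.com", "FAILURE"),
    _event("198.51.100.7", "alice@example.com", "FAILURE"),
    _event("198.51.100.7", "alice@example.com", "FAILURE"),
    _event("192.0.2.5", "alice@example.com", "SUCCESS"),
    # An MFA failure is a different event type and is not a password attempt.
    _event("203.0.113.10", "erin@example.com", "FAILURE",
           event_type="user.authentication.auth_via_mfa"),
]


def failed_password_events(events):
    """Yield (source_ip, user) for every failed primary sign-in attempt.

    Only user.session.start events with outcome.result == FAILURE are
    considered; other event types (MFA, app access) are ignored.
    """
    for event in events:
        if event.get("eventType") != "user.session.start":
            continue
        if event.get("outcome", {}).get("result") != "FAILURE":
            continue
        ip = event.get("client", {}).get("ipAddress")
        user = event.get("actor", {}).get("alternateId")
        if ip and user:
            yield ip, user


def detect_password_spray(events, min_distinct_users=3):
    """Return {source_ip: sorted distinct users} for IPs whose failed sign-ins
    hit at least min_distinct_users different accounts.

    The per-IP distinct-user count is the spray signal: one password tried
    against many accounts. A single account failing repeatedly from one IP
    stays below the threshold and is left to lockout policy to handle.
    """
    users_by_ip = defaultdict(set)
    for ip, user in failed_password_events(events):
        users_by_ip[ip].add(user)
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

In practice the events would come from the System Log (for example a SIEM export or the `/api/v1/logs` endpoint) over a sliding time window, and a hit would be a candidate for adding the source to a blocklisted network zone or requiring MFA via the risk policy described above; the threshold of three distinct users is an assumption to be tuned per organization.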
