This article explains how User Enumeration Prevention affects Self-Service Password Reset (SSPR) and how to resolve the resulting recovery issue. The User Enumeration Prevention feature enhances security by preventing attackers from identifying valid user accounts through authentication or account recovery attempts.
Applies to:
- Okta Identity Engine (OIE)
- Self-Service Password Reset (SSPR)
- User Enumeration Prevention (UEP)
In certain scenarios, new users who forgot their password and selected SSPR were prompted to choose SMS or Email for recovery. Because they were brand new users who had not yet enrolled the SMS factor, they never received the SMS recovery code. The SMS option is still shown even though they are not enrolled in it, because User Enumeration Prevention is enabled for recovery and therefore presents the same recovery options regardless of what the user has enrolled.
To make the recovery process less confusing for users who have not enrolled some of the MFA factors offered for recovery, User Enumeration Prevention must be turned off for recovery. Users are then shown only the MFA factors they have actually enrolled as recovery options.
NOTE:
- Please take into consideration that disabling User Enumeration Prevention (UEP) carries significant security risks, as it can expose the system to user enumeration and credential-stuffing attacks.
- Before disabling this feature, it is recommended to explore other options, such as preparing users for their first authentication and communicating which factors they can use when multiple are presented.
To disable User Enumeration Prevention:
- In the Okta Admin Console, navigate to Security > General.
- In the User enumeration prevention section, select Edit.
- Uncheck the Recovery option.
- Click Save.
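As an added example that is not part of this article or of Okta's own tooling, the following Python script supports the alternative recommended in the note above instead of disabling UEP: it lists the active users who have no ACTIVE SMS or Email factor, which are exactly the users who would be offered a recovery option they cannot use, so they can be prepared before their first authentication. It assumes the documented Okta endpoints GET /api/v1/users and GET /api/v1/users/{id}/factors, an SSWS API token in the OKTA_API_TOKEN environment variable and the org URL in OKTA_ORG_URL; the sample users and factors below are constructed, and without those variables the script runs offline on them.

```python
import json
import os
import urllib.parse
import urllib.request

RECOVERY_FACTOR_TYPES = {"sms", "email"}  # factors SSPR offers for recovery

def missing_recovery_factors(users, factors_by_user):
    """Logins of ACTIVE users with no ACTIVE sms or email factor (sorted)."""
    missing = []
    for user in users:
        if user.get("status") != "ACTIVE":
            continue  # STAGED/PROVISIONED users are not yet in the SSPR flow
        enrolled = {f["factorType"] for f in factors_by_user.get(user["id"], [])
                    if f.get("status") == "ACTIVE"}  # PENDING_ACTIVATION gets no code
        if not enrolled & RECOVERY_FACTOR_TYPES:
            missing.append(user["profile"]["login"])
    return sorted(missing)

def fetch_json(org_url, path, token):
    """One GET against the Okta API with an SSWS token (pagination not handled)."""
    req = urllib.request.Request(org_url + path, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample in the shape the API returns; ids and logins are fictitious.
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
    {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"}},
    {"id": "00u3", "status": "STAGED", "profile": {"login": "carol@example.com"}},
]
SAMPLE_FACTORS = {
    "00u1": [{"factorType": "sms", "status": "ACTIVE"}],
    "00u2": [{"factorType": "sms", "status": "PENDING_ACTIVATION"},
             {"factorType": "push", "status": "ACTIVE"}],
}

if __name__ == "__main__":
    org, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_API_TOKEN")
    if org and token:  # live run against your org (first page of users only)
        users = fetch_json(org, "/api/v1/users?filter="
                           + urllib.parse.quote('status eq "ACTIVE"'), token)
        factors = {u["id"]: fetch_json(org, f"/api/v1/users/{u['id']}/factors", token)
                   for u in users}
    else:  # offline run on the constructed sample
        users, factors = SAMPLE_USERS, SAMPLE_FACTORS
    print("Users to prepare before first SSPR:", missing_recovery_factors(users, factors))
```

On the constructed sample only bob@example.com is reported: alice has an active SMS factor, bob's SMS factor is still pending activation and carol is not yet active, so she has not reached the SSPR flow.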
