Configure User Enumeration Prevention in Okta Identity Engine
Overview

Configuring the User Enumeration Prevention feature in Okta Identity Engine (OIE) enhances security by preventing attackers from identifying valid user accounts through authentication or account recovery attempts. Administrators can enable or disable this feature in the Okta Admin Console to manage user enumeration prevention during authentication and recovery scenarios.

Applies To
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
  • Security
Solution

How can Okta Administrators enable the User Enumeration Prevention feature to prevent attackers from identifying valid accounts?

Navigate to the security settings in the Okta Admin Console and edit the User Enumeration Prevention options to activate the feature for authentication and recovery.

  1. In the Okta Admin Console, navigate to Security > General.
  2. In the User Enumeration Prevention section, select Edit.
  3. Select the desired options to activate the feature:
    • Authentication: Manages user enumeration prevention during authentication attempts. Select specific methods to verify a user by clicking the Methods box.
    • Recovery: Controls user enumeration prevention during account recovery scenarios.
  4. Select Save to apply the changes.

User enumeration prevention

NOTE: To deactivate this feature, Okta Administrators should clear the checkboxes for Authentication and Recovery.

How does the authentication flow operate when User Enumeration Prevention is enabled?

NOTE: User Enumeration Prevention is an organization-wide security setting. The example below demonstrates authentication, but the same flow applies to recovery.

When User Enumeration Prevention operates during authentication, signing in requires a two-step verification process. First, the user enters a username. Next, the user must verify their identity by providing either an email address or a password. Okta then presents additional enrolled authenticators. Okta displays both email and password options in the second step, even if the authentication policies require only one factor.

Security method

NOTE: To remove the email option, reconfigure the email authenticator and change the Used for option from Authentication and recovery to Recovery.

How does the authentication flow operate when User Enumeration Prevention is disabled?

NOTE: User Enumeration Prevention is an organization-wide security setting. The example below demonstrates authentication, but the same flow applies to recovery.

When User Enumeration Prevention is disabled for the Okta tenant, the sign-in process from a new device allows the user to select the authentication method from among the enrolled and policy-compliant factors.
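The two flows described above, as an added model for illustration (this is not Okta's code): with the feature enabled, the step after the username returns the same fixed email/password menu for every username and shows the remaining enrolled authenticators only after the first verification succeeds; with the feature disabled, the same step returns the enrolled factors for a known user and an error for an unknown one. The directory entries and usernames are constructed.

```python
"""Simplified model of the Okta Identity Engine sign-in flow with User
Enumeration Prevention (UEP) enabled vs. disabled. Constructed illustration
only; it is not Okta's implementation."""

# Constructed tenant directory: username -> enrolled authenticators.
DIRECTORY = {
    "alice@example.com": {"password", "email", "okta_verify"},
    "bob@example.com": {"password", "okta_verify"},
}

# With UEP on, the second step always offers these two options,
# regardless of what the user has enrolled or what policy requires.
UEP_FIRST_STEP_METHODS = ("email", "password")


def identify(username, uep_enabled):
    """Options the sign-in page shows right after the username is entered."""
    enrolled = DIRECTORY.get(username)
    if uep_enabled:
        # Identical response for known and unknown usernames.
        return {"step": "verify", "methods": list(UEP_FIRST_STEP_METHODS)}
    if enrolled is None:
        return {"step": "error", "message": "user not found"}
    # UEP off: the user picks from enrolled, policy-compliant factors, which
    # by itself confirms the account exists and what it has enrolled.
    return {"step": "select", "methods": sorted(enrolled)}


def additional_authenticators(username, first_factor_ok):
    """With UEP on, the remaining enrolled authenticators appear only after
    the first verification (email or password) has succeeded."""
    if not first_factor_ok or username not in DIRECTORY:
        return {"step": "error", "message": "verification failed"}
    remaining = DIRECTORY[username] - set(UEP_FIRST_STEP_METHODS)
    return {"step": "select", "methods": sorted(remaining)}


def identify_is_uniform(uep_enabled, known="alice@example.com",
                        unknown="nobody@example.com"):
    """Defender check: the identify response must not differ between a real
    and a non-existent username."""
    return identify(known, uep_enabled) == identify(unknown, uep_enabled)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"UEP enabled={flag}: uniform identify response ->",
              identify_is_uniform(flag))
```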

User enumeration prevention

Security method

What are the limitations of User Enumeration Prevention?

User Enumeration Prevention fails to function if the organization uses either of the following features:

  • Self-Service Registration.
  • Just-In-Time (JIT) Provisioning flows using email authenticators.

This is expected behavior given the nature of these features.

If the organization uses Factor Sequencing, the flow remains unchanged for Okta policies assigned to low-risk authentications. However, for policies designated for high-risk logins, User Enumeration Prevention prompts for a random factor to prevent potential attackers from discovering user authenticator enrollments.

To maintain the desired flow with normal factor sequencing instead of random sequencing, administrators must disable User Enumeration Prevention.