
CustomerX.84585 (Customer) asked a question.
We could not find any easy solutions to address the following attacks on Okta, and even though they are low risk, it looks like every Okta user is exposed.
We did find other similar requests though which were closed, like https://ideas.okta.com/app/*/case/121750 or https://ideas.okta.com/app/*/case/159463, so it seems like many other users noticed the vulnerabilities. Any advice about how to mitigate these is highly appreciated:
1) Any attacker can lock a user's account after N unsuccessful login attempts, and then flood their inbox by repeatedly sending unlock account emails (i.e. email flooding attack). Ideally presenting a Captcha should prevent automated email flooding attack risks but as far as we found out, it is only available to OIE engine Organisations. Or another alternative would be to limit the number of password reset/unlock emails sent (e.g. throttle the emails, say 3 emails per 5 minutes and then do not send any other emails).
2) When an attacker enters the incorrect password for an account N times, they would get the "your account is locked" page for registered accounts, but this unlock message is not displayed for unregistered email addresses, so a different message is displayed if the email the attacker used is not for an actual registered user. This enables attackers to identify registered Okta accounts. Ideally we would want a more generic message returned whether the account used is registered or not, e.g. instead of saying the account is locked or not returning any account locked messages, always return a message along the lines of "account locked, if this is a valid account, an unlock email is sent to this address" so it is not revealed if the email used is for a registered user.
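The two mitigations the question proposes (throttling unlock emails per address, and returning one generic message whether or not the address belongs to a registered account) are illustrated below in an added example. This is not Okta's code and does not use any Okta API; it models a hypothetical service-side "request unlock email" endpoint with a constructed set of registered accounts, a sliding window of 3 emails per 300 seconds, and an injected clock so it runs offline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample data: a hypothetical account directory for the example.
REGISTERED_ACCOUNTS: Set[str] = {"alice@example.com", "bob@example.com"}

# Throttle policy from the question: at most 3 unlock emails per 5 minutes per address.
MAX_EMAILS_PER_WINDOW = 3
WINDOW_SECONDS = 300

# One fixed response for every request, so the reply does not reveal whether
# the address is registered (mitigation 2 from the question).
GENERIC_MESSAGE = (
    "Account locked. If this is a valid account, an unlock email "
    "has been sent to this address."
)


class UnlockEmailThrottle:
    """Sliding-window counter of unlock emails sent per normalized address."""

    def __init__(self, max_emails: int = MAX_EMAILS_PER_WINDOW,
                 window_seconds: float = WINDOW_SECONDS) -> None:
        self.max_emails = max_emails
        self.window_seconds = window_seconds
        # address -> send timestamps inside the current window
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, address: str, now: float) -> bool:
        """Return True and record a send if the address is under its quota."""
        window = self._sent[address]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_emails:
            return False  # quota exhausted: silently suppress the email
        window.append(now)
        return True


@dataclass
class UnlockRequestHandler:
    """Hypothetical unlock endpoint combining both mitigations."""

    throttle: UnlockEmailThrottle
    registered: Set[str]
    # Stand-in for the mail transport: (address, timestamp) of emails actually sent.
    outbox: List[Tuple[str, float]] = field(default_factory=list)

    def request_unlock(self, address: str, now: float) -> str:
        normalized = address.strip().lower()
        # Run the throttle for every address, registered or not, so the amount
        # of work (and the stored state) does not differ by registration status.
        permitted = self.throttle.allow(normalized, now)
        if permitted and normalized in self.registered:
            self.outbox.append((normalized, now))
        # Same message on every path: registered, unregistered, or throttled.
        return GENERIC_MESSAGE


if __name__ == "__main__":
    handler = UnlockRequestHandler(UnlockEmailThrottle(), set(REGISTERED_ACCOUNTS))
    # Five rapid requests against a real account: only three emails go out.
    for t in (0, 10, 20, 30, 40):
        print(handler.request_unlock("alice@example.com", t))
    print("emails sent:", len(handler.outbox))
    # An unregistered address gets the identical message and no email.
    print(handler.request_unlock("nobody@example.com", 50))
    print("emails sent:", len(handler.outbox))
```

In a real deployment the throttle key would also include the client IP or a request fingerprint, and the counters would live in shared storage rather than process memory, but the two properties the question asks for are already visible here: the mail volume per address is capped, and the HTTP-level response is identical for registered, unregistered, and throttled requests.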

Hi, @CustomerX.84585 (Customer)
Thank you for posting on our Community page!
Those Ideas were closed due to us moving to a new platform. My suggestion is to raise them again and post the link here for more votes.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.