MatthewH.10249 (State of Iowa) asked a question.
Can you limit false positive password spraying attacks by ThreatInsight?
It appears that password spraying attacks are blocked by ThreatInsight based on the client's IP. We have recently deployed an app to 40k+ users and many users will have the same outbound IP because they are coming from the same organization. If let's say that 100 people share the same IP and within a short period of time they all try to login and several enter an incorrect password a couple times each would the combined activity trigger a possible password spray attack? Besides whitelisting IPs what else can we do to limit the number of false positive password spraying attacks?
Hi @MatthewH.10249 (State of Iowa) , Thank you for reaching out to the Okta Community!
There is no additional out-of-the-box option at this time.
I ran this question by some of my colleagues as well and it's my understanding that there might be some mitigating steps that could be taken, but they would fall outside of the Okta Community/Okta Support scope, more in the realm of Professional Services, which ultimately might not offer complete coverage for this use case.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Thanks for the feedback! I'll follow up with my Okta CSM or Okta Support and try to get more details on possible mitigation steps. I'll try to share what I find so others with have this information.