Protect against password-based attacks – best practices
Okta's General Security offers two options in its Protect against password-based attacks section:
* Require possession factor before password during MFA
* Block suspicious password attempts from unknown devices
Okta often uses the terms "factor" and "authenticator" interchangeably. Learn more about Okta's adaptive multifactor authentication (AMFA) and our MSP best practices for authenticators.
Require possession factor before password during MFA
We recommend enabling Require possession factor before password during MFA, as it requires users to verify their identity with a possession factor (authenticator) before using a password or other knowledge factor. This helps protect against spray attacks or password guessing. When enabled, this setting overrides a user's preference for remembering their password as the last-used factor.
NOTE: Even when enabled, the requirement for a possession factor before a password does NOT take effect in the following situations:
* When MFA is not required
* When User enumeration prevention is enabled for Authentication – email or password will always be first
Block suspicious password attempts from unknown devices
We recommend enabling Block suspicious password attempts from unknown devices because it protects against brute-force and spray password attacks while minimizing the negative impact of these attacks on the activities of legitimate users. When enabled, this setting works in conjunction with the Lock out user after unsuccessful attempts threshold set in the user's governing password policy. If unsuccessful password attempts from an unknown device surpass the user's Lock out user after unsuccessful attempts threshold, Okta:
* Locks out the user account on that device.
* Allows the user account to continue accessing Okta from other known and unknown devices (as long as all governing authentication requirements are successfully met).
By comparison, if this setting is not enabled, surpassing the threshold for unsuccessful password attempts from an unknown device locks out the user account from all devices. If a lockout occurs as the result of a password spray or brute-force attack, the legitimate user's access and productivity are interrupted. You must Deep Link into the Okta Admin Console to unlock the user account, and in doing so, the unknown device from which the malicious attack occurred can attempt access again.
In some situations, a legitimate user may surpass the threshold set for unsuccessful password attempts from a device unknown to Okta, such as when logging in from a new phone for the first time. In this case, once the legitimate user's identity has been confirmed, you need to Deep Link to the Okta Org and navigate to the person's profile. At the top of the profile, select Allow Unknown Devices. This action permits the user to log in from the device.
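The following is an added illustration, not Okta code or part of the original page: a small Python model of the two lockout behaviours described above (setting disabled versus enabled) and of the Allow Unknown Devices action. The threshold, user and device names are constructed, and the treatment of failures from known devices as account-wide is an assumption not stated on the page.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # policy's "Lock out user after unsuccessful attempts"; constructed


class LockoutModel:
    """Model of the two lockout behaviours the page describes (not Okta code)."""
    def __init__(self, block_unknown_devices, known_devices):
        self.block_unknown_devices = block_unknown_devices
        self.known_devices = set(known_devices)
        self.account_failures = defaultdict(int)  # user -> account-wide failures
        self.device_failures = defaultdict(int)   # (user, device) -> failures
        self.locked_users = set()                 # account locked on every device
        self.locked_devices = set()               # (user, device) locked on that device

    def attempt(self, user, device, password_ok):
        if user in self.locked_users or (user, device) in self.locked_devices:
            return "LOCKED"
        if password_ok:
            self.account_failures[user] = self.device_failures[(user, device)] = 0
            return "SUCCESS"
        if self.block_unknown_devices and device not in self.known_devices:
            # Setting enabled, unknown device: lock that device only; other
            # known and unknown devices keep working for the account.
            self.device_failures[(user, device)] += 1
            if self.device_failures[(user, device)] >= LOCKOUT_THRESHOLD:
                self.locked_devices.add((user, device))
        else:
            # Setting disabled (or a known device; an assumption here): failures
            # count against the account and lock it on all devices.
            self.account_failures[user] += 1
            if self.account_failures[user] >= LOCKOUT_THRESHOLD:
                self.locked_users.add(user)
        return "FAILURE"

    def allow_unknown_devices(self, user):
        """Models the admin's 'Allow Unknown Devices' action on the user's profile."""
        self.locked_devices = {k for k in self.locked_devices if k[0] != user}
        for key in [k for k in self.device_failures if k[0] == user]:
            del self.device_failures[key]


def simulate(block_unknown_devices):
    """Constructed spray: LOCKOUT_THRESHOLD bad passwords for 'alice' from one unknown host."""
    m = LockoutModel(block_unknown_devices, known_devices={"alice-laptop"})
    for _ in range(LOCKOUT_THRESHOLD):
        m.attempt("alice", "unknown-host", password_ok=False)
    return {"attacker_retry": m.attempt("alice", "unknown-host", False),
            "alice_known_device": m.attempt("alice", "alice-laptop", True),
            "alice_new_phone": m.attempt("alice", "new-phone", True)}
```

Running `simulate(False)` locks alice out everywhere after the spray, while `simulate(True)` locks only the unknown host and leaves her laptop and a new phone usable.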