AD Lockouts due to bot password attacks


#1

Hi guys,

We are a uni, and we are facing the following problem (and I am looking for suggestions).
We have been having bot attacks / login attempts (specifically from China). Our AD system is set to lock an account out after 3 failed attempts.
OKTA can prevent someone from logging in from a specific geographical location, BUT it applies the rule only after the user has successfully provided a correct username and password.

In our case, that means that the bots try various passwords (which are wrong) and on the third attempt the account is locked.

Prior to getting OKTA, we used ADFS to connect our inhouse AD servers to Office365, now we do it via OKTA (if we still had ADFS, this could have been a solution: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-lockout-protection).

Because I had Chinese students, I cannot blacklist the whole country (which was suggested).
Any other uni admins out there that have similar problems, and how did they go about overcoming them?

Thanks

Aris


#2

Hey @aristeidisk!

Contact support directly, they will help you out: https://support.okta.com/help


#3

Hi there,

I have, but it did not go anywhere. The problem they (support) had was that OKTA controls apply after a successful login, which doesn't help me because the account locks out due to the failed attempts.

Their only solution was to advise me to blacklist the origin, which is China… which I cannot do…

Hence me posting here to see if other people have managed a workaround.

Aris


#4

I have this exact same issue, and the same setup (I think most of us do using Office 365), and there is no solution from support.

Were you able to get a solution to this? We had to resort to manually blocking IPs, which seems a very 2002 way of doing things.

From how it was explained to me, the issue is how it is evaluated, exactly as @aristeidisk described.

The username and password are evaluated first, and then it looks at the geographic rules, not all three at once.


#5

Hi there,

We are still having this issue. Did you find any other workaround?
We are thinking of perhaps using reCAPTCHA to stop it?
Something like this perhaps: https://apiant.com/connect/Okta-to-Confident-CAPTCHA
Did you make any progress in a different way?

Kind regards
AristeidisK


#6

Hi @aristeidisk,

Currently, because we are a multinational company, we are unable to use zones. On top of that, I believe the username and password are evaluated before other policies, so if that is true, it would still lock out the accounts.

I have been looking at the CAPTCHA you mentioned, which should be something that should be standard, with something such as x/2, where x is your defined lockout threshold. This would help with the issue of bots hammering and locking out accounts.

I didn't get much time to look into it, but it looks like you should be able to implement this (again, I haven't gotten to look too deep into it):

Utilizing custom widgets in Okta - https://developer.okta.com/code/javascript/okta_sign-in_widget
and then using reCaptcha v2/v3 - https://developers.google.com/recaptcha/docs/v3

This would probably be a preferred method for a workaround for CAPTCHA, but looking over it briefly, I think it has no logic and the CAPTCHA will always be presented.
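As an added example (not code from this thread, Okta, or any of the posters), the following Python script shows the defender-side view of the problem the thread describes: it tallies failed sign-ins per account against the AD lockout threshold of 3 from post #1, flags accounts that have reached half the threshold (the "x/2" step-up point suggested in post #6, where a CAPTCHA or other challenge would be inserted), and separately lists source addresses that failed against several distinct accounts, which is the bot / password-spray pattern rather than a single user mistyping. The log format, the sample records, and the function names are all constructed for this example; real AD or Okta System Log records would need their own parser.

```python
# Added example (not from the thread): aggregate constructed failed-sign-in
# records per account and per source address, and flag accounts that have hit
# half of the AD lockout threshold (step-up point) or the threshold itself.
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # AD "account lockout threshold" as described in post #1

# Constructed sample records in a hypothetical key=value format.
# Not real Okta System Log or Windows Security event output.
SAMPLE_EVENTS = """\
2021-03-01T08:00:01Z user=student1 src=198.51.100.7 result=FAIL
2021-03-01T08:00:02Z user=student2 src=198.51.100.7 result=FAIL
2021-03-01T08:00:03Z user=student1 src=198.51.100.7 result=FAIL
2021-03-01T08:00:04Z user=student3 src=198.51.100.7 result=FAIL
2021-03-01T08:00:05Z user=student1 src=198.51.100.7 result=FAIL
2021-03-01T08:05:00Z user=student2 src=203.0.113.20 result=SUCCESS
2021-03-01T08:06:00Z user=student4 src=203.0.113.21 result=FAIL
"""


@dataclass
class Event:
    ts: str
    user: str
    src: str
    result: str


def parse_events(text):
    """Parse the constructed 'timestamp key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(ts, fields["user"], fields["src"], fields["result"]))
    return events


def consecutive_failures(events):
    """Failures per account since that account's last successful sign-in.

    This mirrors how a bad-password counter accumulates toward lockout; the
    observation-window reset that AD also applies is left out for brevity.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.result == "SUCCESS":
            counts[ev.user] = 0
        else:
            counts[ev.user] += 1
    return dict(counts)


def classify_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Split accounts into 'locked' (at/over threshold) and 'step_up'
    (at or past threshold // 2 but not yet locked: present a CAPTCHA here)."""
    step_up_at = max(1, threshold // 2)
    counts = consecutive_failures(events)
    locked = sorted(u for u, n in counts.items() if n >= threshold)
    step_up = sorted(u for u, n in counts.items() if step_up_at <= n < threshold)
    return {"locked": locked, "step_up": step_up}


def spraying_sources(events, min_accounts=3):
    """Source addresses that failed against at least min_accounts distinct
    accounts: one source hammering many usernames is the bot pattern the
    thread describes, and a candidate for rate limiting rather than a
    country-wide block."""
    targets = defaultdict(set)
    for ev in events:
        if ev.result == "FAIL":
            targets[ev.src].add(ev.user)
    return {src: sorted(users) for src, users in targets.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("accounts:", classify_accounts(evs))
    print("spraying sources:", spraying_sources(evs))
```

With the constructed sample, student1 has three consecutive failures and shows as locked, student3 and student4 sit at one failure each (the step-up point when the threshold is 3), student2's counter was reset by a later success, and 198.51.100.7 is reported as a spraying source because it failed against three different accounts. Running a tally like this over real sign-in data lets an admin rate-limit or challenge the offending source while leaving legitimate users in the same country unaffected.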