Minimizing Bot Abuse with Okta Captcha

Objective: Enable CAPTCHA in your Okta environment to minimize and prevent automated (bot) attacks against your sign-in page

Okta Documentation: https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm?cshid=csh-captcha#captcha

End-user experience: https://d3qf9korp5eh7x.cloudfront.net/catpcha.gif

Set up the Site Key and Secret Key from the CAPTCHA provider

For this demonstration, we will use hCaptcha.

Step 1: Sign up for an account at hCaptcha – https://www.hcaptcha.com/

Step 2: After signing up, hCaptcha automatically creates a Site Key for you. Copy it; you will enter it in Okta together with the Secret Key from the next step. If you are creating a new site, the site configuration page opens. Make sure you add the hostname of your Okta org (e.g. subdomain.okta.com), and, if you serve Okta from a custom domain, that hostname as well: hCaptcha checks the hostname the widget is loaded on against this list, so a missing entry breaks the sign-in page rather than protecting it.

Step 3: To get the Secret Key, go to the top-right corner (your avatar/profile) → Settings and copy it. Treat the Secret Key as a credential: it is entered only into Okta, never into a browser page, a ticket, or a repository, and it should be rotated if it is ever exposed.

Step 4: You’re DONE!

Configuration Steps in Okta (hCaptcha flow)

Step 1: Navigate to Security → General

Step 2: Go to the CAPTCHA Integration section. Select one of the following providers:

  1. hCaptcha – if you want the end user to solve a visible challenge (e.g. selecting images) before reaching the authentication screen
  2. reCAPTCHA – if you want Google to evaluate the session in the background with no visible challenge; if Google judges the session suspicious, it stops the authentication flow and the user never reaches the authentication sequence.

Step 3: Enter the Site Key and Secret Key generated above, then select the flows where CAPTCHA should be enabled. In this demo, I'll just go with the Sign-in flow. If your org also exposes self-service registration or password recovery, those flows attract the same automated abuse and should be covered as well. Click Save.

Step 4: You're DONE!
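What Okta does with the two keys once this is saved, shown as an added example (Python) that is not Okta's or hCaptcha's code: the Site Key is sent to the browser with the widget, while the Secret Key stays server-side and is used to call hCaptcha's siteverify endpoint for every token the widget returns. The endpoint, form fields and response keys (`success`, `hostname`, `error-codes`) are hCaptcha's documented API; the hostnames, tokens, secret and responses below are constructed so the block runs offline, and the hostname allow-list check shows why the hCaptcha site must list every domain your Okta sign-in page is served from.

```python
import json
import urllib.parse
import urllib.request

# hCaptcha's documented server-side verification endpoint.
SITEVERIFY_URL = "https://hcaptcha.com/siteverify"


def http_post_form(url, fields):
    """Real transport: POST url-encoded form fields, decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_hcaptcha(secret_key, token, allowed_hostnames, remote_ip=None,
                    post=http_post_form):
    """Verify a widget token the way a relying party (here, Okta) must:
    server-side, with the Secret Key, which never reaches the browser.

    Returns (accepted, reason). Fails closed on a missing token, on any
    error reported by hCaptcha, and on a token that was solved on a host
    other than the ones registered for this site.
    """
    if not token:
        # Widget never ran or the client stripped the field.
        return False, "missing-input-response"
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    result = post(SITEVERIFY_URL, fields)
    if not result.get("success"):
        codes = result.get("error-codes") or ["unknown-error"]
        return False, ",".join(codes)
    hostname = result.get("hostname", "")
    if hostname not in allowed_hostnames:
        return False, "unexpected-hostname:" + hostname
    return True, "ok"


# ---- Constructed offline stand-in for hcaptcha.com (not real data) ----
FAKE_SECRET = "0xSECRET-for-this-example-only"
FAKE_TOKENS = {
    "tok-solved-on-okta": {"success": True, "hostname": "acme.okta.com",
                           "challenge_ts": "2024-01-01T00:00:00Z"},
    "tok-solved-elsewhere": {"success": True, "hostname": "attacker.example"},
    "tok-replayed": {"success": False,
                     "error-codes": ["invalid-or-already-seen-response"]},
}


def fake_siteverify(url, fields):
    """Mimics siteverify responses for the constructed tokens above."""
    if url != SITEVERIFY_URL:
        raise ValueError("unexpected URL " + url)
    if fields.get("secret") != FAKE_SECRET:
        return {"success": False, "error-codes": ["invalid-input-secret"]}
    return FAKE_TOKENS.get(fields.get("response"),
                           {"success": False,
                            "error-codes": ["invalid-input-response"]})


def demo():
    """Run the verifier over the constructed cases; returns {case: (ok, reason)}."""
    # Hostnames registered for the site in the hCaptcha dashboard (assumed).
    allowed = {"acme.okta.com", "login.acme.example"}
    cases = {
        "valid": ("tok-solved-on-okta", FAKE_SECRET),
        "wrong_host": ("tok-solved-elsewhere", FAKE_SECRET),
        "replayed": ("tok-replayed", FAKE_SECRET),
        "no_token": ("", FAKE_SECRET),
        "bad_secret": ("tok-solved-on-okta", "0xWRONG"),
    }
    return {name: verify_hcaptcha(secret, tok, allowed, remote_ip="203.0.113.7",
                                  post=fake_siteverify)
            for name, (tok, secret) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Okta performs this verification for you, which is exactly why it needs the Secret Key and why a wrong or rotated secret (the `bad_secret` case) or a hostname missing from the hCaptcha site (the `wrong_host` case) shows up as users being unable to sign in rather than as a silent bypass.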
