Skip to main content

Compromised credential detection

Compromised credential detection identifies stolen usernames and passwords from breach datasets in real-time, preventing account takeover before it occurs. When compromised credentials are detected, users are immediately guided to secure alternatives like password resets or passwordless authentication.

💡 Why this matters
You stop account takeover attacks at the source by identifying and blocking known-compromised credentials before they can be used to gain unauthorized access.

Key capabilities​

  • Real-time breach intelligence – Check entered credentials against comprehensive breach datasets during login attempts
  • Automatic credential blocking – Prevent login attempts using known-compromised username/password combinations
  • Forced credential reset – Immediately prompt users to change compromised passwords with guided workflows
  • Passwordless migration – Offer immediate upgrade to passkeys, biometrics, or MFA to eliminate password risks
  • Risk-based enforcement – Apply different responses based on breach severity, credential age, and user context

Outcomes​

Organizations that implement compromised credential detection typically achieve:

  • Eliminated account takeover from known-breached credentials
  • Reduced support burden by proactively addressing credential security issues
  • Accelerated passwordless adoption through security-driven user education

Design principles​

  • Act immediately on breach intelligence rather than waiting for post-incident detection
  • Guide users to stronger alternatives rather than simply blocking access
  • Balance security with usability by providing clear remediation paths
  • Continuously update intelligence to catch newly discovered breaches

Where to configure​

Use these guides to implement compromised credential detection:

Compliance note​

Compromised credential detection supports compliance frameworks by demonstrating proactive security measures and providing audit trails of credential security incidents and remediation actions.

FAQ​

How quickly are new breaches detected?

Breach intelligence feeds are continuously updated to include newly discovered credential compromises, typically within hours or days of public disclosure.

What happens when compromised credentials are detected?

Users can be blocked from login, required to reset passwords immediately, or offered passwordless alternatives depending on policy configuration.

Does this work for all authentication methods?

Compromised credential detection specifically focuses on username/password combinations, encouraging migration to passwordless methods that eliminate this attack vector.

How are false positives handled?

The system uses high-confidence breach datasets and provides administrative controls to manage edge cases while maintaining security effectiveness.

Can users be notified about compromised credentials?

Yes. Users receive clear notifications about credential compromise with step-by-step guidance for securing their accounts through password changes or passwordless enrollment.