Check: OKTA-APP-000180
Okta Identity as a Service (IDaaS) STIG:
OKTA-APP-000180
(in version v1 r1)
Title
The Okta Dashboard application must be configured to allow authentication only via non-phishable authenticators. (Cat II impact)
Discussion
Requiring non-phishable (phishing-resistant) authenticators, such as FIDO2/WebAuthn security keys or smart cards, removes the password as a credential that can be presented to the Okta Dashboard, so a brute-force or password-dictionary attack has nothing to guess. This gives a stronger level of security than a lockout threshold does, and it removes the need to lock out accounts after three failed attempts in 15 minutes (the AC-7 control this requirement maps to).
Check Content
From the Admin Console:
1. Go to Security >> Authentication Policies.
2. Click the "Okta Dashboard" policy.
3. Click the "Actions" button next to the top rule and select "Edit".
4. In the "Possession factor constraints are" section, verify the "Phishing resistant" box is checked. This ensures that only phishing-resistant factors can be used to access the Okta Dashboard.
If the "Phishing resistant" box in the "Possession factor constraints are" section is not checked, this is a finding.
Fix Text
From the Admin Console:
1. Go to Security >> Authentication Policies.
2. Click the "Okta Dashboard" policy.
3. Click the "Actions" button next to the top rule and select "Edit".
4. In the "Possession factor constraints are" section, ensure the "Phishing resistant" box is checked.
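The Check and Fix above are Admin Console click-throughs. For continuous compliance it is useful to run the same test against the policy as returned by Okta's Policy API and to generate the corrected rule body. The following script is an added example written for this page; it is not part of the STIG, DISA's tooling, or Okta's own code. It assumes the publicly documented shapes of Okta's Policy API: app sign-on policies listed with GET /api/v1/policies?type=ACCESS_POLICY, rules under GET /api/v1/policies/{id}/rules, and the "Phishing resistant" checkbox surfacing as actions.appSignOn.verificationMethod.constraints[].possession.phishingResistant == "REQUIRED". The sample rules are constructed, not captured from a tenant; confirm the field names against your own tenant's rule JSON before relying on the live path.

```python
"""Automated equivalent of the OKTA-APP-000180 check (added example, not STIG text).

Assumptions (verify against your tenant): Okta Policy API paths
/api/v1/policies?type=ACCESS_POLICY and /api/v1/policies/{id}/rules, and the rule
field actions.appSignOn.verificationMethod.constraints[].possession.phishingResistant
taking the value "REQUIRED" when the 'Phishing resistant' box is checked.
"""
import copy
import json
import urllib.request

PHISHING_RESISTANT = "REQUIRED"

# Constructed sample rules for an app sign-on policy (not captured from a real tenant).
# The priority-1 rule is the "top rule" the STIG check inspects; it allows a hardware
# key but leaves phishing resistance optional, which is a finding.
SAMPLE_RULES = [
    {
        "id": "rule-catch-all", "name": "Catch-all Rule", "priority": 99, "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
            "type": "ASSURANCE", "factorMode": "1FA", "constraints": []}}},
    },
    {
        "id": "rule-top", "name": "Dashboard rule", "priority": 1, "status": "ACTIVE",
        "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
            "type": "ASSURANCE", "factorMode": "2FA",
            "constraints": [{"possession": {"types": ["HARDWARE_KEY"],
                                            "phishingResistant": "OPTIONAL"}}]}}},
    },
]


def top_rule(rules):
    """Return the highest-precedence active rule (lowest priority number),
    i.e. the rule the STIG check calls the 'top rule'."""
    active = [r for r in rules if r.get("status", "ACTIVE") == "ACTIVE"]
    if not active:
        raise ValueError("policy has no active rules")
    return min(active, key=lambda r: r.get("priority", 10**6))


def requires_phishing_resistant(rule):
    """True only if every constraint set requires a phishing-resistant possession factor.
    Constraint sets are treated here as alternatives the user may satisfy (assumption),
    so a single set without the requirement leaves a phishable path open."""
    sign_on = rule["actions"]["appSignOn"]
    if sign_on.get("access") != "ALLOW":
        return True  # a deny rule admits no authenticator at all
    constraints = sign_on.get("verificationMethod", {}).get("constraints") or []
    if not constraints:
        return False  # no possession constraint means any enrolled factor is accepted
    return all(c.get("possession", {}).get("phishingResistant") == PHISHING_RESISTANT
               for c in constraints)


def evaluate(rules):
    """Apply OKTA-APP-000180: finding if the top rule does not require phishing-resistant
    possession factors."""
    rule = top_rule(rules)
    ok = requires_phishing_resistant(rule)
    return {"rule": rule["name"], "finding": not ok,
            "detail": "phishing-resistant possession constraint "
                      + ("present" if ok else "missing")}


def fixed_rule(rule):
    """Return a copy of the rule with 'Phishing resistant' set on every constraint set.
    The copy is what you would PUT back to /api/v1/policies/{id}/rules/{ruleId} (assumed path)."""
    new = copy.deepcopy(rule)
    vm = new["actions"]["appSignOn"].setdefault("verificationMethod", {})
    vm.setdefault("type", "ASSURANCE")
    constraints = vm.get("constraints") or [{}]
    for c in constraints:
        c.setdefault("possession", {})["phishingResistant"] = PHISHING_RESISTANT
    vm["constraints"] = constraints
    return new


def fetch_policy_rules(org_url, api_token, policy_name="Okta Dashboard"):
    """Live variant: pull the rules of the named app sign-on policy using an SSWS API token.
    Not exercised offline; relies on the assumed API paths named in the module docstring."""
    def get(path):
        req = urllib.request.Request(org_url.rstrip("/") + path,
                                     headers={"Authorization": "SSWS " + api_token,
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    policies = get("/api/v1/policies?type=ACCESS_POLICY")
    policy = next(p for p in policies if p["name"] == policy_name)
    return get(f"/api/v1/policies/{policy['id']}/rules")


if __name__ == "__main__":
    result = evaluate(SAMPLE_RULES)
    print(json.dumps(result, indent=2))
    if result["finding"]:
        print(json.dumps(fixed_rule(top_rule(SAMPLE_RULES)), indent=2))
```

Run as-is it reports a finding against the constructed top rule and prints the corrected rule body; swap `SAMPLE_RULES` for `fetch_policy_rules("https://your-org.okta.com", token)` to audit a tenant. The evaluator deliberately mirrors the STIG's scope (top rule only); a rule lower in the policy that still admits phishable factors is outside what this check measures.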
Additional Identifiers
Rule ID: SV-273190r1099763_rule
Vulnerability ID: V-273190
Group Title: SRG-APP-000065
CCIs
Number | Definition
---|---
CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts