| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-273193 | | The Okta Admin Console application must be configured to use multifactor authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires ... |
| V-273194 | | The Okta Dashboard application must be configured to use multifactor authentication. | To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and c... |
| V-273202 | | Okta must off-load audit records onto a central log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-273186 | | Okta must log out a session after a 15-minute period of inactivity. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-273187 | | The Okta Admin Console must log out a session after a 15-minute period of inactivity. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-273188 | | Okta must automatically disable accounts after a 35-day period of account inactivity. | Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive acc... |
| V-273189 | | Okta must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ... |
| V-273190 | | The Okta Dashboard application must be configured to allow authentication only via non-phishable authenticators. | Requiring the use of non-phishable authenticators protects against brute force/password dictionary attacks. This provides a better level of security w... |
| V-273191 | | The Okta Admin Console application must be configured to allow authentication only via non-phishable authenticators. | Requiring the use of non-phishable authenticators protects against brute force/password dictionary attacks. This provides a better level of security w... |
| V-273192 | | Okta must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application. | Display of the DOD-approved use notification before granting access to the application ensures that privacy and security notification verbiage used is... |
| V-273195 | | Okta must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-273196 | | Okta must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-273197 | | Okta must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-273198 | | Okta must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-273199 | | Okta must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-273200 | | Okta must enforce 24 hours/one day as the minimum password lifetime. | Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restri... |
| V-273201 | | Okta must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals. One method of minimizing... |
| V-273203 | | Okta must be configured to limit the global session lifetime to 18 hours. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capabi... |
| V-273204 | | Okta must be configured to accept Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DOD has mandated the use of the common access car... |
| V-273205 | | The Okta Verify application must be configured to connect only to FIPS-compliant devices. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safe... |
| V-273206 | | Okta must be configured to disable persistent global session cookies. | If cached authentication information is out of date, the validity of the authentication information may be questionable. Satisfies: SRG-APP-000400, S... |
| V-273207 | | Okta must be configured to use only DOD-approved certificate authorities. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD syst... |
| V-273208 | | Okta must validate passwords against a list of commonly used, expected, or compromised passwords. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long password... |
| V-273209 | | Okta must prohibit password reuse for a minimum of five generations. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long password... |