| Finding ID |
Severity |
Title |
Description |
|
V-273202
|
High |
Okta must off-load audit records onto a central log server. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
Satisfies: SRG-APP-000358, SRG-APP-000080, SRG-APP-000125 |
|
V-273194
|
High |
The Okta Dashboard application must be configured to use multifactor authentication. |
To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor authentication uses two or more factors to achieve authentication.
Factors include:
(i) Something you know (e.g., password/PIN);
(ii) Something you have (e.g., cryptographic identification device, token); or... |
|
V-273193
|
High |
The Okta Admin Console application must be configured to use multifactor authentication. |
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.
Multifactor authentication requires using two or more factors to achieve authentication.
Factors include:
(i) something a user knows (e.g., password/PIN);
(ii) something a user has (e.g., cryptographic identification device, token); or
(iii) something a... |
|
V-273209
|
Medium |
Okta must prohibit password reuse for a minimum of five generations. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication.
Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
|
V-273208
|
Medium |
Okta must validate passwords against a list of commonly used, expected, or compromised passwords. |
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication.
Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
|
V-273207
|
Medium |
Okta must be configured to use only DOD-approved certificate authorities. |
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not DOD approved, trust of this CA has not been established.
The... |
|
V-273206
|
Medium |
Okta must be configured to disable persistent global session cookies. |
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Satisfies: SRG-APP-000400, SRG-APP-000157 |
|
V-273205
|
Medium |
The Okta Verify application must be configured to connect only to FIPS-compliant devices. |
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DOD requires the use of AES for bidirectional authentication because it is the only FIPS-validated AES cipher block algorithm.
For... |
|
V-273204
|
Medium |
Okta must be configured to accept Personal Identity Verification (PIV) credentials. |
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
DOD has mandated the use of the common access card (CAC) to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security... |
|
V-273203
|
Medium |
Okta must be configured to limit the global session lifetime to 18 hours. |
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.
In addition to the reauthentication requirements associated with session locks, organizations... |
|
V-273201
|
Medium |
Okta must enforce a 60-day maximum password lifetime restriction. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed at specific intervals.
One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords,... |
|
V-273200
|
Medium |
Okta must enforce 24 hours/one day as the minimum password lifetime. |
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.
Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change... |
|
V-273199
|
Medium |
Okta must enforce password complexity by requiring that at least one special character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor in determining how long it takes to... |
|
V-273198
|
Medium |
Okta must enforce password complexity by requiring that at least one numeric character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it... |
|
V-273197
|
Medium |
Okta must enforce password complexity by requiring that at least one lowercase character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it... |
|
V-273196
|
Medium |
Okta must enforce password complexity by requiring that at least one uppercase character be used. |
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it... |
|
V-273195
|
Medium |
Okta must enforce a minimum 15-character password length. |
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number... |
|
V-273192
|
Medium |
Okta must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application. |
|
|
V-273191
|
Medium |
The Okta Admin Console application must be configured to allow authentication only via non-phishable authenticators. |
Requiring the use of non-phishable authenticators protects against brute force/password dictionary attacks. This provides a better level of security while removing the need to lock out accounts after three attempts in 15 minutes. |
|
V-273190
|
Medium |
The Okta Dashboard application must be configured to allow authentication only via non-phishable authenticators. |
Requiring the use of non-phishable authenticators protects against brute force/password dictionary attacks. This provides a better level of security while removing the need to lock out accounts after three attempts in 15 minutes. |
|
V-273189
|
Medium |
Okta must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. |
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-APP-000065, SRG-APP-000345 |
|
V-273188
|
Medium |
Okta must automatically disable accounts after a 35-day period of account inactivity. |
Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications must track periods of user inactivity and disable accounts after 35 days of... |
|
V-273187
|
Medium |
The Okta Admin Console must log out a session after a 15-minute period of inactivity. |
A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application... |
|
V-273186
|
Medium |
Okta must log out a session after a 15-minute period of inactivity. |
A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application... |