STIGhub

A free tool to search and browse the entire DISA STIG library.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-273191

CAT II (Medium)

The Okta Admin Console application must be configured to allow authentication only via non-phishable authenticators.

Rule ID

SV-273191r1099764_rule

STIG

Okta Identity as a Service (IDaaS) Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000044

Discussion

Requiring non-phishable (phishing-resistant) authenticators for the Admin Console protects against brute-force and password-dictionary attacks: a phishing-resistant possession factor such as a FIDO2/WebAuthn authenticator or a smart card is bound to the origin and cannot be guessed, replayed, or harvested through a spoofed login page. This provides a higher level of security for administrative access while removing the need to lock out accounts after three failed attempts in 15 minutes, which is how this rule satisfies the account-lockout requirement of CCI-000044.

Check Content

From the Admin Console:
1. Go to Security >> Authentication Policies.
2. Click the "Okta Admin Console" policy.
3. Click the "Actions" button next to the top rule and select "Edit".
4. In the "Possession factor constraints are" section, verify the "Phishing resistant" box is checked. This ensures that only phishing-resistant factors can be used to access the Okta Admin Console.

If the "Phishing resistant" box in the "Possession factor constraints are" section is not checked, this is a finding.

Fix Text

From the Admin Console:
1. Go to Security >> Authentication Policies.
2. Click the "Okta Admin Console" policy.
3. Click the "Actions" button next to the top rule and select "Edit".
4. In the "Possession factor constraints are" section, ensure the "Phishing resistant" box is checked, then save the rule.
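The Check Content and Fix Text above verify the constraint through the Admin Console UI and look only at the top rule. The script below is an added example, not part of the STIG or of STIGhub, that performs the same check against the Okta Management API and goes one step further: it audits every active ALLOW rule in the policy, because Okta evaluates authentication-policy rules in priority order and a lower ALLOW rule without the constraint still admits whatever users it matches. The endpoints (GET /api/v1/policies?type=ACCESS_POLICY and GET /api/v1/policies/{policyId}/rules), the SSWS token header, the policy name "Okta Admin Console" and the rule field actions.appSignOn.verificationMethod.constraints[].possession.phishingResistant are Okta's documented API; the function names, the _rule helper and the SAMPLE_RULES data are constructed for this example, and treating the constraint array as a set of alternatives is an assumption made to keep the check conservative.

```python
"""Audit the Okta Admin Console authentication policy for the phishing-resistant
possession constraint (V-273191).

Added example, not from the STIG or STIGhub. Every ACTIVE rule with access ALLOW is
checked, not only the top rule: Okta evaluates rules in priority order, so a lower
ALLOW rule without the constraint still admits whatever users it matches.
"""
from __future__ import annotations

import json
import urllib.request

PHISHING_RESISTANT_REQUIRED = "REQUIRED"


def rule_requires_phishing_resistant(rule: dict) -> bool:
    """True if the rule cannot admit a user without a phishing-resistant possession factor.

    DENY rules admit nobody and pass trivially. An ALLOW rule with no constraints
    accepts any authenticator the org allows and fails. Assumption: the constraint
    objects in the array are alternatives, so every one of them must require it.
    """
    app_sign_on = rule.get("actions", {}).get("appSignOn", {})
    if app_sign_on.get("access") != "ALLOW":
        return True
    constraints = app_sign_on.get("verificationMethod", {}).get("constraints") or []
    if not constraints:
        return False
    return all(
        c.get("possession", {}).get("phishingResistant") == PHISHING_RESISTANT_REQUIRED
        for c in constraints
    )


def audit_rules(rules: list[dict]) -> list[str]:
    """Return the names of ACTIVE ALLOW rules that do not require phishing resistance.

    An empty list means the policy is compliant; anything else is a finding.
    """
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if rule.get("status", "ACTIVE") != "ACTIVE":
            continue  # inactive rules are never evaluated by Okta
        if not rule_requires_phishing_resistant(rule):
            findings.append(rule.get("name") or rule.get("id", "<unnamed>"))
    return findings


def fetch_admin_console_rules(org_url: str, api_token: str) -> list[dict]:
    """Fetch the rules of the 'Okta Admin Console' authentication policy.

    Needs an API token that can read policies (sent as 'Authorization: SSWS <token>').
    The policy list is assumed to fit in one page; add Link-header paging for large orgs.
    """

    def get(path: str):
        req = urllib.request.Request(
            org_url.rstrip("/") + path,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    policies = get("/api/v1/policies?type=ACCESS_POLICY")
    policy = next(p for p in policies if p.get("name") == "Okta Admin Console")
    return get(f"/api/v1/policies/{policy['id']}/rules")


def _rule(name, priority, access, phishing=None, status="ACTIVE"):
    """Build a rule in the shape the Okta API returns (constructed sample data)."""
    app_sign_on = {"access": access}
    if access == "ALLOW":
        app_sign_on["verificationMethod"] = {
            "type": "ASSURANCE", "factorMode": "2FA", "reauthenticateIn": "PT0S",
            "constraints": [] if phishing is None
            else [{"possession": {"phishingResistant": phishing, "deviceBound": "REQUIRED"}}],
        }
    return {"name": name, "priority": priority, "status": status,
            "actions": {"appSignOn": app_sign_on}}


# Constructed sample: a policy whose top rule is compliant but whose second rule is not.
SAMPLE_RULES = [
    _rule("Admins - phishing resistant", 0, "ALLOW", "REQUIRED"),
    _rule("Break-glass admins", 1, "ALLOW", "OPTIONAL"),         # weak lower ALLOW rule
    _rule("Retired rule", 2, "ALLOW", None, status="INACTIVE"),  # skipped: not evaluated
    _rule("Catch-all Rule", 99, "DENY"),
]

if __name__ == "__main__":
    # Replace SAMPLE_RULES with fetch_admin_console_rules(org_url, token) for a live check.
    findings = audit_rules(SAMPLE_RULES)
    if findings:
        print("FINDING: active ALLOW rules without phishing-resistant constraint:", findings)
    else:
        print("Compliant: every active ALLOW rule requires a phishing-resistant factor")
```

Run against the sample it reports the "Break-glass admins" rule, which the UI check on the top rule alone would miss; against a live org, swap in fetch_admin_console_rules with a read-only API token and treat any non-empty result as the finding described in the Check Content.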