Rule ID
SV-273205r1098882_rule
Version
V1R2
CCIs
Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DOD requires the use of AES for bidirectional authentication because it is the only FIPS-validated AES cipher block algorithm. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network; the internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to apply the requirement only to those limited number (and type) of devices that truly need to support this capability.
From the Admin Console: 1. Go to Security >> Authenticators. 2. From the "Setup" tab, select "Edit Okta Verify". 3. Review the "FIPS Compliance" field. If FIPS-compliant authentication is not enabled, this is a finding.
From the Admin Console: 1. Go to Security >> Authenticators. 2. From the "Setup" tab, select "Edit Okta Verify". 3. In the "FIPS Compliance" field, choose whether users enrolling in Okta Verify can use FIPS-compliant devices only or any device. 4. Click "Save" after making any changes.