The Okta Admin Console application must be configured to allow authentication only via non-phishable authenticators.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-273191	SRG-APP-000065	OKTA-APP-000190	SV-273191r1099764_rule	2025-05-06	1

Description
Requiring the use of non-phishable authenticators protects against brute force/password dictionary attacks. This provides a better level of security while removing the need to lock out accounts after three attempts in 15 minutes.

ℹ️ Check
From the Admin Console: 1. Go to Security >> Authentication Policies. 2. Click the "Okta Admin Console" policy. 3. Click the "Actions" button next to the top rule and select "Edit". 4. In the "Possession factor constraints are" section, verify the "Phishing resistant" box is checked. This will ensure that only phishing-resistant factors are used to access the Okta Dashboard. If in the "Possession factor constraints are" section the "Phishing resistant" box is not checked, this is a finding.

ℹ️ Check

From the Admin Console: 1. Go to Security >> Authentication Policies. 2. Click the "Okta Admin Console" policy. 3. Click the "Actions" button next to the top rule and select "Edit". 4. In the "Possession factor constraints are" section, verify the "Phishing resistant" box is checked. This will ensure that only phishing-resistant factors are used to access the Okta Dashboard. If in the "Possession factor constraints are" section the "Phishing resistant" box is not checked, this is a finding.

✔️ Fix
From the Admin Console: 1. Go to Security >> Authentication Policies. 2. Click the "Okta Admin Console" policy. 3. Click the "Actions" button next to the top rule and select "Edit". 4. In the "Possession factor constraints are" section, ensure the "Phishing resistant" box is checked.