Skip to content

The 28 Okta security checks Black Cat runs

Black Cat SSPM evaluates 28 security policies against your Okta configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumDormant Accounts

Suspend or remove Okta accounts inactive for 90+ days

highDormant Super Admins

Demote or deactivate Okta super-admin accounts with no recent login activity

highWeak Password Policy

Strengthen Okta password policy to require at least 12 characters with complexity

mediumWeak Account Lockout

Configure Okta account lockout to trigger after 5 or fewer failed attempts

mediumSession Idle Timeout Too Long

Reduce Okta session idle timeout to 1 hour or less

mediumSession Lifetime Too Long

Reduce Okta maximum session lifetime to 12 hours or less

mediumApp Not Using Federated Auth

Configure SAML or OIDC federation for Okta applications and disable direct password login

mediumApp With Individual User Assignments

Replace individual Okta app assignments with group-based access management

highOAuth App Broad Scopes

Restrict Okta OAuth app scopes to the minimum required by the application

mediumOAuth App Inactive With Grants

Revoke grants and deactivate inactive Okta OAuth applications

mediumOAuth App AI With Broad Access

Restrict or remove broad grant types from AI OAuth apps in the Okta admin console

highAccess Policy Default Not Deny

Set the Okta access policy catch-all rule to deny access by default

highSuper Admin API Tokens

Replace Okta super-admin API tokens with service account tokens using least-privilege permissions

mediumSuper Admin Count Excessive

Reduce Okta super-admin count to 2-4 accounts by demoting unnecessary admins

highSuper Admin Redundancy Missing

Ensure at least two Okta super-admin accounts exist with MFA enrolled

highAdmin API Token Usage

Replace admin API tokens with service account tokens using least-privilege scopes

lowUser Account Suspended

Review suspended Okta accounts and deactivate or reactivate as appropriate

mediumUser Account Locked Out

Investigate locked out Okta accounts for potential brute-force attacks and unlock if legitimate

mediumExcessive Total Admin Accounts

Reduce the total number of Okta admin accounts to 10 or fewer by demoting unnecessary admins

configuration

mediumPassword Policy No Symbol Requirement

Update the Okta password policy to require at least one symbol character

mediumPassword Policy No Username Exclusion

Enable username exclusion in the Okta password policy to prevent users from using their username as a password

mediumAccount Lockout Auto-Unlock Too Fast

Increase the Okta account lockout duration to at least 15 minutes to slow brute-force attacks

lowInactive Application

Delete inactive Okta applications to reduce attack surface and simplify the application portfolio

mfa

highAdmin Without MFA

Require MFA for all Okta super-admins

highMFA Not Enrolled

Enroll all Okta users in MFA

mediumPhishing Resistant MFA Factors

Enable phishing-resistant MFA factors and deprecate SMS and voice call authenticators

mediumSession MFA Not Required

Require MFA for all Okta session establishment in authentication policies

mediumPhishing Resistant Auth Policies

Update Okta authentication policies to require phishing-resistant factors such as FIDO2

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial