The 28 Okta security checks Black Cat runs
Black Cat SSPM evaluates 28 security policies against your Okta configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Suspend or remove Okta accounts inactive for 90+ days
Demote or deactivate Okta super-admin accounts with no recent login activity
Strengthen Okta password policy to require at least 12 characters with complexity
Configure Okta account lockout to trigger after 5 or fewer failed attempts
Reduce Okta session idle timeout to 1 hour or less
Reduce Okta maximum session lifetime to 12 hours or less
Configure SAML or OIDC federation for Okta applications and disable direct password login
Replace individual Okta app assignments with group-based access management
Restrict Okta OAuth app scopes to the minimum required by the application
Revoke grants and deactivate inactive Okta OAuth applications
Restrict or remove broad grant types from AI OAuth apps in the Okta admin console
Set the Okta access policy catch-all rule to deny access by default
Replace Okta super-admin API tokens with service account tokens using least-privilege permissions
Reduce Okta super-admin count to 2-4 accounts by demoting unnecessary admins
Ensure at least two Okta super-admin accounts exist with MFA enrolled
Replace admin API tokens with service account tokens using least-privilege scopes
Review suspended Okta accounts and deactivate or reactivate as appropriate
Investigate locked out Okta accounts for potential brute-force attacks and unlock if legitimate
Reduce the total number of Okta admin accounts to 10 or fewer by demoting unnecessary admins
configuration
Update the Okta password policy to require at least one symbol character
Enable username exclusion in the Okta password policy to prevent users from using their username as a password
Increase the Okta account lockout duration to at least 15 minutes to slow brute-force attacks
Delete inactive Okta applications to reduce attack surface and simplify the application portfolio
mfa
Require MFA for all Okta super-admins
Enroll all Okta users in MFA
Enable phishing-resistant MFA factors and deprecate SMS and voice call authenticators
Require MFA for all Okta session establishment in authentication policies
Update Okta authentication policies to require phishing-resistant factors such as FIDO2