Overview
While adopting MFA is a great step forward, some factors are safer than others. As you might imagine, a one-time code (OTP) sent through SMS or email, which remains prone to phishing, is considerably less secure than a biometric factor, for example.
Remediation guidance
Consult the Okta documentation and, depending on your security requirements, disable the weak factors on the Authenticators page and/or edit the rules of your authentication policies on the Authentication Policies page.
Multiple Remediation Paths
- SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
- ASSET-LEVEL: Fix only the affected resources identified by this control.
- PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
MFA is configured with strong factors
Connectors: Okta
Covered asset types
Expected check: eq []
Query:
oktaPolicies(where: { type: "MFA_ENROLL", OR: [{allowedFactors_INCLUDES: "phone_number"}, {allowedFactors_INCLUDES: "security_question"}, {allowedFactors_INCLUDES: "okta_email"}] }) { ...AssetFragment }
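The stored check above reports every MFA_ENROLL policy that still permits phone, security-question or email enrollment and passes only when nothing is returned. The script below is an added example, not part of this page or of the Okta tooling, that reproduces the same logic offline over constructed policy objects; it assumes the Identity Engine policy shape (settings.authenticators entries with a key and an enroll.self value), and the sample data is invented.

```python
from typing import Any

# Authenticator keys the control treats as weak (the three named in the query).
WEAK_AUTHENTICATORS = {"phone_number", "security_question", "okta_email"}


def allowed_authenticators(policy: dict[str, Any]) -> set[str]:
    """Authenticator keys a user may enrol under one MFA_ENROLL policy.

    Assumed shape: settings.authenticators is a list of
    {"key": <authenticator key>, "enroll": {"self": "REQUIRED"|"OPTIONAL"|"NOT_ALLOWED"}}.
    Anything other than NOT_ALLOWED counts as allowed.
    """
    allowed: set[str] = set()
    for auth in policy.get("settings", {}).get("authenticators", []):
        if auth.get("enroll", {}).get("self", "NOT_ALLOWED") != "NOT_ALLOWED":
            allowed.add(auth["key"])
    return allowed


def find_weak_policies(policies: list[dict[str, Any]]) -> list[tuple[str, list[str]]]:
    """Mirror of the stored check: each MFA_ENROLL policy that still allows a weak
    factor is a finding. An empty result is the passing state ("eq [])."""
    findings = []
    for policy in policies:
        if policy.get("type") != "MFA_ENROLL":
            continue  # sign-on and other policy types are out of scope here
        weak = sorted(allowed_authenticators(policy) & WEAK_AUTHENTICATORS)
        if weak:
            findings.append((policy.get("name", policy.get("id", "?")), weak))
    return findings


# Constructed sample resembling GET /api/v1/policies?type=MFA_ENROLL output.
SAMPLE_POLICIES = [
    {"type": "MFA_ENROLL", "name": "Default Policy", "settings": {"authenticators": [
        {"key": "phone_number", "enroll": {"self": "REQUIRED"}},
        {"key": "okta_email", "enroll": {"self": "OPTIONAL"}},
        {"key": "security_question", "enroll": {"self": "NOT_ALLOWED"}},
        {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}}]}},
    {"type": "MFA_ENROLL", "name": "Hardened Policy", "settings": {"authenticators": [
        {"key": "webauthn", "enroll": {"self": "REQUIRED"}},
        {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}},
        {"key": "phone_number", "enroll": {"self": "NOT_ALLOWED"}}]}},
    {"type": "OKTA_SIGN_ON", "name": "Sign-on policy", "settings": {}},
]

if __name__ == "__main__":
    for name, weak in find_weak_policies(SAMPLE_POLICIES):
        print(f"FAIL: {name} still allows {', '.join(weak)}")
```

Running it flags only "Default Policy" (okta_email and phone_number); point the same functions at the real policy list pulled from the Okta API to audit a tenant.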