HealthInsight tasks and recommendations

HealthInsight provides the following security tasks to improve security for an org.

Security Task

Why is this recommended?

Security Impact

End-User Impact

Limit the number of super admin roles To ensure that org admins aren't assigned more permissions than necessary. Most orgs require only a few super admins. Critical None
Enable Okta ThreatInsight to block suspicious IP addresses To detect suspicious IP addresses from credential-based attacks. Critical Low
Disable weaker MFA factors in factor enrollment policies To improve resistance to phishing and man-in-the-middle attacks. High High
Enable Okta Verify (with Push if available) for MFA To provide end users with a strong and secure factor to sign in to their org. High High
Enforce a limited session lifetime for all policies To reduce the risk of malicious party access to an end user's applications (when an end-user session is active). High Moderate
Enable Suspicious Activity Reporting To give end users the option to report unrecognized activity from an account activity email. High Low
Enable new sign-on email notifications To inform end users by email of any unrecognized activity from a new or unknown device or browser. High Low
Enable factor enrollment notifications To inform end users by email of new MFA enrollment activity on their account. High Low
Enable factor reset notifications To inform end users by email that MFA factors for their account have been reset. High Low
Password changed notification for end users To inform end users by email that the password for their account has changed. High Low
Use SAML or OIDC authentication for app access To use SAML and OIDC authentication protocols, which reduce reliance on password-based authentication. High None
Change the authentication frequency To shorten the session expiration length, require end users to re-authenticate more frequently.

Moderate

Moderate

Evaluate a risk score for each request

To prompt users with medium and high risk scores for MFA every time they sign in.

Moderate

Moderate

Blocklist Network Zones to deny access to your Okta tenant To deny access from known suspicious IP addresses or locations from your Okta tenant. Moderate Low
Enable strong password policy settings To enforce strict password policies that define settings for password lockout, history, minimum age, and minimum length. Low Moderate
Set a required factor for MFA enrollment policies To ensure that end users assigned to a given policy are enrolled in multifactor authentication. Low High

MFA requirements

Ensure that the MFA requirements aren't in conflict with Behavior Detection and that the MFA policy rule isn't bypassed unintentionally.

Moderate

None

MFA for the Admin Console

To enable mandatory mulitfactor authentication (MFA) for all admins who access the Okta Admin Console.

Advisory Statement

HealthInsight and any recommendations about your security practices isn't legal, security, or business advice. The HealthInsight features are intended for general informational purposes only and may not reflect the most current market and legal developments nor all relevant business or legal issues. You're responsible for obtaining legal, security, or business advice from your own lawyer or other professional advisor and shouldn't rely on HealthInsight. Okta isn't liable to you for any loss or damages that may result from your implementation of the recommendations in HealthInsight except as otherwise explicitly agreed to in the signed Master Subscription Agreement (or other such agreement addressing the same subject matter), between you and Okta.