Dormant Privileged User

A dormant user is a user account that has remained inactive by not completing any successful sign-in for a specified period (90 days by default, customizable through an option).

Dormant users could introduce the following security risks and operational complications:

• As potential targets for attackers if these accounts have weak or unchanged passwords, facilitating a compromise. For example, a CISA alert reported that:

  campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system

• An increase in the organization's attack surface by creating potential vulnerabilities. For example, the same CISA alert reported that:

  Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.

• Access to individuals who no longer require it, such as former employees or interns who never used this account.

• Waste of resources such as licenses. Regular identification, deactivation, or removal of dormant users allow organizations to optimize resource allocation and save unnecessary costs.

Also, consider the related IoE "Never Used Privileged User" which identifies all users that were pre-created but never used. The risk is higher for privileged users. See also the related IOE, "Dormant Non-Privileged User", for non-privileged users.

Note: The IOE relies on the lastLogin property, which has a known limitation: Okta only updates this value when a user accesses the Okta dashboard. As a result, SP-initiated authentications—such as when users access an application directly and are briefly redirected to Okta for authentication—do not update this property. Because of this, the IOE may report false positives for users who have never accessed the Okta dashboard but have successfully authenticated to applications. While Okta has documented a workaround, it is not currently compatible with Tenable Identity Exposure. As a result, you must manually exclude these false positives.

Tenable recommends regularly reviewing, and disabling or deleting dormant users, especially the privileged ones. After identifying them, take the following actions:

1. Disable the users.
2. Wait for a sufficient period, such as a few months to ensure no unintended impact.
3. After this delay, if there are no reported issues, and if the organization's information security policy allows, proceed to delete them.

Name: Dormant Privileged User

Codename: DORMANT-PRIVILEGED-USER-OKTA

Severity: Medium

Type: Okta Indicator of Exposure