ALL communication between Okta and the customer is protected by TLS 1.2 capable services supporting Perfect Forward Secrecy (PFS). Okta supports Perfect Forward Secrecy (PFS) on all services, which creates a unique TLS session key, which means an attacker with Okta's private keys could not read previously captured traffic via sniffing or man-in-the-middle attacks.
We create a very secure hash of the username, password and a unique user ID. This is salted and hashed with SHA256 in the same way Office 365 stores AD credential data. Note we do not just store your AD hash.
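A client-side way to check the forward-secrecy claim in the reply above, as an added example that is not part of the original post and is not Okta's code. The function names, the cipher string and the sample suite list are assumptions made for illustration.

```python
import ssl

# Cipher string chosen for this example (an assumption, not a vendor setting):
# TLS 1.2 suites with ephemeral ECDH/DH key exchange and AEAD encryption only.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def has_forward_secrecy(name, protocol):
    """True if a suite uses an ephemeral (EC)DHE key exchange.

    TLS 1.3 suites always do (PSK-only resumption aside); for TLS 1.2 the
    OpenSSL suite name starts with the key exchange, e.g. "ECDHE-RSA-...".
    """
    if protocol == "TLSv1.3":
        return True
    return name.startswith(("ECDHE-", "DHE-"))


def non_pfs_suites(ciphers):
    """Names of suites in an SSLContext.get_ciphers()-style list lacking PFS."""
    return [c["name"] for c in ciphers
            if not has_forward_secrecy(c["name"], c["protocol"])]


def pfs_only_context():
    """Client context that refuses TLS < 1.2 and static-RSA key exchange."""
    ctx = ssl.create_default_context()        # keeps cert and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)              # governs the TLS 1.2 suites
    return ctx


# Constructed sample: one static-RSA suite among forward-secret ones.
SAMPLE_OFFER = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2"},  # RSA key exchange
]

if __name__ == "__main__":
    print("non-PFS in sample:", non_pfs_suites(SAMPLE_OFFER))
    print("non-PFS in hardened context:",
          non_pfs_suites(pfs_only_context().get_ciphers()))
```

After a real handshake, the first two fields of `SSLSocket.cipher()` (suite name and protocol) can be passed to `has_forward_secrecy` to confirm what was actually negotiated.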
I had a couple of similar concerns from users and it is something that is a concern for me as well. Is there a white paper or any form of documentation that we can have access to, so that we can have a more detailed view?