Okta introduces passkey support to address account compromises

Okta, an identity and access management vendor, has unveiled new passkey support at its Oktane 2023 user conference in response to the increasing threat of credential theft and advanced social engineering campaigns. The launch comes as Okta seeks to address customer concerns regarding the evolving threat landscape.

During an interview with TechTarget Editorial, Shiv Ramji, president of customer identity cloud at Okta, and Sagnik Nandy, president and chief development officer of Workforce Identity Cloud, discussed the importance of reducing the social engineering attack surface area. While single sign-on and multifactor authentication protocols remain effective, Nandy argued that they are no longer sufficient in combating evolving threats. In fact, Okta’s Chief Security Officer, David Bradbury, recently issued a notice to customers regarding the importance of recognizing and addressing social engineering tactics.

Recent attacks have highlighted that threat actors possess an extensive knowledge of victims’ environments, policies, and employees. This knowledge enables attackers to impersonate IT and other staff members in order to obtain MFA codes. For example, Retool, a developer platform, fell victim to an attack in which an attacker impersonated an IT staff member and conducted SMS-based phishing followed by a successful vishing call, ultimately leading to the account takeover of one employee and granting the attacker significant access to Retool’s corporate network. Additionally, Okta disclosed that four customer organizations experienced highly privileged users being compromised in a social engineering campaign, with organizations such as Caesars Entertainment and MGM Resorts falling victim to the same attack.

According to Okta’s “2022 State of Secure Identity Report,” MFA bypass attacks have been on the rise as more organizations adopt this authentication method. As a response to this increasing trend, Okta has launched passkey support for Okta Customer Identity Cloud. Passkeys, which typically utilize biometric data for authentication, provide users with phishing-resistant capabilities and reduce the attack surface area associated with passwords. Ramji expressed confidence in the adoption of passkeys, citing the use of this authentication method by platforms such as Apple and Google. The ease of enabling passkey support further incentivizes its adoption, with users being able to turn it on with just a button press on the dashboard.

Okta has observed an increase in the adoption of passwordless authentication: approximately 20% of businesses on its Customer Identity Cloud actively use a form of passwordless authentication. Passkey support aims to further increase this number. Okta, as an identity and access management vendor handling millions of logins, emphasizes the importance of scale. Passkeys are not transmitted to or stored on authentication servers; instead, they are held on users’ devices, enhancing security.

In addition to passkeys, Okta has introduced other offerings, including Identity Flow Optimizer, which leverages generative AI, and the Actions Navigator and Security Center, both powered by Okta AI. Ramji highlighted the company’s commitment to incorporating AI into all its products.

Recognizing the increasing risks posed after authentication, Okta has developed Identity Threat Protection (ITP) with Okta AI. This feature integrates risk signals from Okta and partner data sources like Zscaler and Palo Alto Networks, utilizing machine learning to continuously evaluate user and session risks. ITP offers an adaptive set of mitigation actions to enterprises if risks are detected, including a universal log-out function, a phishing resistance score, and the ability to create a high-risk group with workflow integration. This marks Okta’s formal entry into the identity threat detection and response market.

Passkey support is available immediately and will be generally available in the fourth quarter of this year. Okta aims to make ITP available for limited early access in the first quarter of 2024, while Policy Recommender and Log Investigator with Okta AI will be available for limited early access in the first quarter of 2024 and the third quarter of 2024, respectively.

Okta’s latest offerings highlight the company’s commitment to addressing the evolving threat landscape and providing customers with improved authentication and threat detection capabilities. By combining passkey support and AI-powered solutions, Okta aims to strengthen security measures and reduce the risk of credential theft and social engineering attacks.
