Responding to a rise in credential theft and advanced social engineering campaigns that can bypass multifactor authentication protections, Okta launched new passkey support at its Oktane 2023 user conference.
Okta's conference takes place in San Francisco this week. The identity and access management vendor announced new products and features related to authentication, phishing resistance and AI. Shiv Ramji, president of customer identity cloud at Okta, and Sagnik Nandy, president and chief development officer of Workforce Identity Cloud, spoke with TechTarget Editorial about the evolving threat landscape and customer concerns that contributed to the new offerings.
While effective single sign-on or multifactor authentication (MFA) protocols remain important to reduce the social engineering attack surface area, Nandy said they're no longer enough. The evolving threat even prompted Okta CSO David Bradbury to issue a recent notice to customers.
"David Bradbury released a reminder to all of our customers that social engineering isn't new, but it's the tactics attackers can use and how real the social engineering attacks can sound," Ramji said. "This is really important for us to figure out because we have to reduce that surface area."
Recent attacks show threat actors can possess wide knowledge of victims' environments, policies and employees. Attackers are using that knowledge to impersonate IT and other staff members to obtain MFA codes. Two such examples were disclosed last month. Developer platform Retool was breached after an attacker impersonated an IT staff member to conduct SMS-based phishing followed by a successful vishing call to obtain authentication logins. It led to the account takeover of one employee and gave the attacker substantial access to Retool's corporate network.
In addition, Okta disclosed last month that four customer organizations saw multiple highly privileged users compromised in another social engineering campaign that occurred between July 29 and Aug. 19. Okta revealed threat actors called IT service desk personnel at targeted organizations and convinced them to reset all MFA factors for administrator accounts. Caesars Entertainment, which disclosed a data breach and ransomware attack last month, was later revealed as one of four victims. Okta also confirmed MGM Resorts, which suffered massive disruptions from a ransomware attack last month, was a later victim of the same social engineering campaign.
As Bradbury said in the customer notice, these are not entirely new problems. Okta's "2022 State of Secure Identity Report" showed MFA bypass attacks increased as more organizations adopted the authentication method that's now a requirement to obtain a cyber insurance policy, among other things. Okta's not the only vendor noticing. During RSA Conference 2023, CrowdStrike detailed a new technique attackers used to bypass MFA protocols.
Okta encourages passkey adoption
Okta on Wednesday launched passkey support for Okta Customer Identity Cloud, which the company hopes will help organizations avoid pitfalls that come from these increasingly advanced social engineering attacks. Ramji said passkey support provides users with phishing-resistant capabilities and eliminates the password attack surface area.
"Passkeys are more secure and I think it will get great adoption because Apple, Google, all the platforms use it," Ramji said. "Our approach is we want to essentially make it easier for developers or our customers to turn it on. You just press a button on the dashboard and it will turn on for customers."
Passkey adoption has increased in recent years as more identity providers look to move beyond the traditional username and password system for authentication. Passkeys, which typically use biometric data for authentication, are seen by experts as a strong alternative because fingerprint or facial recognition scans can't be guessed like user passwords can.
Okta said nearly 20% of businesses using its Customer Identity Cloud are actively using a form of passwordless authentication, and the company hopes to increase that number with the passkey support launch. Scale is essential for Okta because the IAM vendor typically handles millions of logins. Unlike passwords, passkeys are not transmitted to or stored on authentication servers. Instead, passkeys are held on users' devices.
While social engineering threats may be more prevalent for Workforce Identity Cloud users, Ramji said massive bot attacks threaten Customer Identity Cloud users. "We have customers who on a given day had 60-70% of all incoming traffic to their identity or login was fraudulent," Ramji said.
In addition to passkeys, Ramji highlighted other new offerings such as an Identity Flow Optimizer that leverages generative AI, the Actions Navigator by Okta AI and a Security Center that gives enterprises security recommendations and mitigations.
"We're building AI into all of our products," he said.
Embracing AI for threat detection and response
Some of Okta's new offerings focus more on post-authentication risks. New risks were introduced over the last few years with the move to remote work, increased use of BYOD and advancements in AI technology.
"Eighty-six percent of breaches stem from some kind of credential abuse and [are] making it easier to create hyper realistic phishing attacks. We've seen a 47% AI-powered increase in successful phishing attacks," Nandy said.
As a result, Okta launched Identity Threat Protection (ITP) with Okta AI, which integrates the vendor's risk signals along with data from partners like Zscaler and Palo Alto Networks. It uses machine learning to continuously evaluate user and session risks. Nandy said it provides an adaptive set of mitigation actions enterprises can then employ if risks are detected.
That includes a universal log-out function, which he said was one of the most requested offerings and the best action to take if enterprises sense the remotest chance that a phishing attack may have occurred. Enterprises can also get a phishing resistance score to determine risk. Additionally, enterprises can use ITP to create a high-risk group with their workflows integration.
Restricting account access was a common strategy in preventing identity-based attacks. During Oktane, Okta announced a new feature for its Identity Governance offering called Cloud Entitlement Management, which was another frequent customer request. Nandy said it will help enterprises give access at the right level whether it's an admin or read-only user.
Okta also launched a new capability in FastPass, its phishing-resistant authenticator, called Context Re-evaluation that's available today. Rather than performing security checks only upon login, Context Re-evaluation enables silent device checks every time a user accesses a new application. It's particularly important when it comes to BYOD security, Nandy said.
Lastly, ITP also includes a Log Investigator with Okta AI feature that aims to make it easier for customers to perform analysis of login activity. Users can ask for suspicious logins and see instant results.
Log visibility has been an issue across the cybersecurity industry. Deficiencies were highlighted by an attack in July against Microsoft Exchange Online and Outlook Web Access customers that affected several U.S. federal agencies. After facing criticism that its logging features hindered incident response investigations, Microsoft expanded its premium offerings.
Log Investigator and several Okta AI products were built on Google Vertex AI. The technology was also used for Okta's Policy Recommender offering. Policy Recommender with Okta AI helps enterprises learn which tools to use and when.
Okta said ITP's launch marks its formal entry into the identity threat detection and response market.
Support for passkeys is available beginning today and will be generally available beginning in the fourth quarter of this year. Okta aims to have ITP available in limited early access in the first quarter of 2024. Policy Recommender is launching in limited early access in the first quarter of 2024, while Log Investigator with Okta AI will be in limited early access beginning in the third quarter of 2024.
Arielle Waldman is a Boston-based reporter covering enterprise security news.