Takeaways from Oktane23: Okta AI, universal logout and more

New game-changing security features from Okta speed threat detection and response times, enabling IT pros to log all users out of applications during a cyber attack.

The "Go Beyond" theme at Oktane23, this year's installment of Okta's annual conference, highlighted how identity is moving beyond its roots as an obscure but necessary adjunct to the IT operations domain and becoming the core of both IT and cybersecurity infrastructure.

I found that the theme of "Go Beyond" was exemplified by Okta's key announcements about AI. Okta is going beyond marketing buzzwords by weaving artificial intelligence throughout its product portfolio to transform the user experience and increase security. Okta AI is designed to enable organizations to build better experiences and protect against cyber attacks.

AI for identity

To be useful, AI requires three things: data, models and actions. Okta has an advantage over other cybersecurity and identity vendors in that it has built a massive corpus of identity-specific data gleaned from years of operating both workforce and customer SaaS identity software with more than 18,000 customers. Thus, Okta can train and update its AI models on domain-specific data such that the AI will provide more appropriate, more accurate and more efficient results.

AI is best used when the AI can act directly rather than provide instructions and rely on humans to act. This is where Okta has another advantage: the pre-existing Okta Workflows automation and orchestration tool that Okta AI uses to act where appropriate.

On the workforce side, IT and security teams can use Okta AI to optimize policies, simplify the user experience and automate threat detection and responses. More importantly, Okta AI enables admins to move from point-in-time static analyses to dynamic and data-driven risk assessments throughout the user session.

On the customer side, developers and nontechnical digital teams can use Okta AI to improve sign-up and login flows, increase the accuracy of bot detection and accelerate app development.

A key feature that Okta demoed at Oktane23 was the ability to apply Okta AI in A/B testing of user interface decisions, where the AI provides suggestions based on real-world data collected from the combined experiences of all of Okta's customers. This can enable even those with little to no user experience expertise to create efficient sign-up and login flows that optimize app interactions and user engagement.

While I think that Okta will be transformative, I'm always concerned about data security -- especially when using customer data in large opaque AI models. Okta emphasized its commitment to data security and privacy by keeping customer personal data segregated and eliminating private and sensitive data from AI training data sets.

Okta Identity Threat Protection and universal logout

Identity-related threat detection has been around for a long while -- we used to call it user and entity behavioral analytics (UEBA). The sad truth is that legacy software and compute power limited the capability of UEBA to basic and simplistic use cases, such as detecting impossible travel or IP address-based geolocation.

Over time, UEBA has morphed into identity threat detection and response (ITDR) focusing on using modern analytical capabilities to expand detection to more complex identity-related threats.

I'm really excited by how Okta's new Identity Threat Protection can take UEBA and ITDR two big steps further. First, Okta AI was trained on real identity data, including actual identity attacks. This makes the AI model more accurate, provides more coverage for complex real-world attack scenarios and likely makes the AI faster, enabling it to detect attacks as they happen rather than after the fact.

But what happens when an attack in progress is detected? The traditional process during an investigation is to terminate all active sessions to eject the attacker from the environment. This, however, is a very difficult task that first requires the security team to manually identify all apps and accounts associated with a targeted or compromised identity, then manually log in to each app as an admin to terminate the login. This provides a large window of opportunity for the attacker to move laterally throughout the environment, compromising additional identities and systems and doing untold amounts of damage.

Okta sits in a unique position inside the IT environment in that Okta Workforce Identity Cloud is involved in every login to every app in the environment and knows about every active session. This enables the second big step in advancing ITDR: Okta's universal logout. The moment an attack is detected, Okta Identity Threat Protection can use Okta Workflows to automatically terminate every active login and session and invalidate session cookies or other long-lived access tokens.

This transforms how identity and security professionals respond to threats, drastically shrinking the attacker's window of opportunity.

Passkeys for Customer Identity Cloud

In late 2022, I predicted that 2023 would be the year for passwordless authentication. Indeed, Apple, Google and Microsoft are building support for FIDO passkeys into all browsers and devices.

With just a quick flip of a configuration switch for Okta Customer Identity Cloud, developers and digital teams can enable phishing-resistant passwordless authentication.

Just how important is this? According to my recent research on passwordless authentication, 25% of organizations said they have already implemented it for their customers. More importantly, another 51% are in the testing and proof of concept phase, and 10% expect to evaluate passwordless authentication in the next 12-24 months.

The demand for passwordless authentication is great because most options, like FIDO passkeys, are phishing-resistant -- meaning they eliminate the possibility of attackers manipulating users into revealing their passwords or multifactor authentication factors, as was the case in the Caesars and MGM attacks just last month.

The sooner we eliminate passwords, the safer we'll be.

Okta for Good

I was very happy to see that Okta is investing in building the community. This is especially important considering the ongoing cybersecurity skills shortage. The Okta for Good program supports workforce development by providing 5,000 Okta certification grants to professionals in career transition to grow their Okta skills. The program grants more than $1.6 million to cybersecurity and STEM workforce development organizations to support early-in-career individuals.

I also very much appreciated that Okta decided to forgo giving out swag to attendees; who needs yet another backpack, T-shirt or socks? Instead, Okta donated the swag budget to World Central Kitchen, Chef Jose Andres' charitable organization devoted to providing food and meals in the wake of natural disasters. Andres is an Okta customer and was the opening keynote speaker.

What's next?

I've highlighted some of Okta's key AI and security developments. In addition to these, Okta is adding many other features that use AI to transform the role of identity in IT and cybersecurity, improving operational efficiency and reducing risk.

Some of the other new features include the following:

  • Fine-grained authorization for Customer Identity Cloud that enables developers to quickly and easily incorporate both coarse- and fine-grained authorization policies for any application.
  • Verifiable Credentials with Mobile Driver's License that enable Customer Identity Cloud apps to perform online verification of mobile driver's licenses with support from Customer Identity Cloud.
  • Governance Analyzer that uses Okta AI to analyze behavior across the environment to provide the best governance decisions for Workforce Identity Cloud.
  • Fast Pass and Yubico, which solves the passkey bootstrap problem by enabling administrators to onboard new employees by sending them YubiKeys with pre-enrolled passkeys.

Okta is now the largest independent identity vendor. In my discussion with Okta execs and product developers, I learned that Okta understands how central identity is to both IT operations and cybersecurity. It continues to invest in AI to improve operational efficiency and cybersecurity and transform the user experience.

Senior Analyst Jack Poller covers identity and data security at TechTarget's Enterprise Strategy Group. He has over 25 years of industry experience across a broad range of systems, storage, networking and cloud-based products and markets.
