Connect with us

Hi, what are you looking for?


Identity & Access

Okta Adds Threat Intel to Network Context to Eliminate Passwords

Okta Unveils Adaptive Single Sign-On and Enhanced Adaptive Multi-Factor Authentication Products

Okta Unveils Adaptive Single Sign-On and Enhanced Adaptive Multi-Factor Authentication Products

The adequacy of passwords as a security defense has long been discussed and criticized. The 2017 Verizon Data Breach Investigation Report (DBIR) reported that 81% of hacking-related breaches involve stolen or compromised user credentials — and yet there is no generally accepted alternative. Multi-factor user authentication — which requires an additional user token or biometric — helps, but does not solve the problem.

With traditional approaches there is a simple contradiction: the more security that is applied to user authentication, the greater the disruption (known as ‘friction’) imposed on user workflows. When companies strive for a seamless user experience, for both their customers and their workforce, this is a problem. “For companies trying to deliver seamless and secure user-experiences, passwords are a real pain,” explained Joe Diamond, director of security product marketing management at Okta, in a blog post. “Either they’re complex — and therefore difficult for employees and customers to remember — or they’re prime targets for nefarious hackers.”

Okta Logo

In recent years there has been a growing development and acceptance of additional passive authentication factors to improve security without disrupting the user. Passive in this sense simply means that the authentication is automatically taken without user involvement.

One of the most important passive factors is context, and identity companies are increasingly incorporating contextual factors such as user location (IP address), time (is it reasonable for this user to want access at this time?), and destination (does this user likely or commonly need access to these files?) to bolster the initial password authentication. But notice the much-decried password is still necessary.

Okta, which provides identity systems for corporations, has a device trust model to enhance the security of remote logins. It uses, for example, Exchange ActiveSync certificates to prevent unmanaged devices from accessing Office 365. Today, however, it has announced the addition of a new context factor that it believes will largely enable the elimination of passwords: ThreatInsight. 

ThreatInsight is based on the understanding of threats and suspicious activity seen by Okta’s incident response team across the company ecosphere of 4,350 customers and 5,500 partners in the Okta Integration Network. 

Advertisement. Scroll to continue reading.

“By blending context signals with this intelligence,” writes Diamond, “Okta’s Adaptive MFA solution will be able to more effectively provide businesses with the seamless, simple authentication experience that companies have grown to depend on. We’ve also introduced Adaptive Single Sign-on (SSO), which provides a simple, secure authentication experience for users and integrates with third-party enterprise mobility management solutions, such as Airwatch or MobileIron, for device trust. With this combination of Adaptive SSO, MFA, and ThreatInsight, IT and app development teams can move toward a context-driven security approach — one that may eventually eliminate passwords after all.”

“The best password is no password at all,” adds Todd McKinnon, CEO and co-founder of Okta. “Over the past few years, we’ve invested heavily in new security technologies that provide the right level of protection for the many apps and services an organization uses today, which can vary by company, by app, by user, and by scenario. Now we’re using both those signals across a user’s login context as well as insight from across our ecosystem to improve an organization’s ability to set stronger access controls and make faster, more intelligent decisions when there may be a concern — and allow companies to replace the password with stronger, simpler authentication.”

By combining all the different contextual factors, the Okta Adaptive MFA product is able to make dynamic access decisions. It can determine between low risk access requests and high-risk access requests; and only require traditional authentication measures such as a password if the risk level requires it.

For example, a user attempting authentication from a recognized IP address from a known managed device, it could be considered low risk and allowed without the necessity for a password.

If the authentication request comes from a known but unmanaged device in a new location, it could be considered moderate risk. The user would be prompted with security question and asked to prevent a second factor.

If the user attempts to authenticate from an unmanaged and unknown device and from a connection with a high threat level, the user would be considered ‘high risk’ and Okta would disallow access.

Banks provide an example of the problem with password authentication. Banks by their nature require strong authentication, which is not provided by passwords alone. But they also require user-friendly authentication (for fear of losing customers), which is not provided by standard multi-factor solutions. The National Bank of Canada believes it has found the right compromise with Okta. 

“National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience,” said Alain Goffi, vice president, IT Infrastructures at National Bank of Canada. “Okta’s smart authentication and contextual capabilities enable us to give our clients a seamless, secure online experience.”

Okta’s ThreatInsight is scheduled to be available during the second half of this year.

Related: Is Passive Authentication the Future for User Authentication? 

Related: When Multi-Factor Authentication Fails 

Related: The Kiss of Death for Passwords: Machine Learning? 

Related: These Were the Most Common Passwords Used in 2016

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.