Okta Releases FIPS 140-2 Validated Encryption in Okta Verify

Credential phishing is a real and growing threat, and multi-factor authentication (MFA) is an effective protection against it. The strength of MFA lies in its requirement to present additional valid factors, beyond a password, to gain access, thwarting would-be attackers. But not all factors are created equal.

Some factors, like security questions, are inexpensive and easy to implement, but have lower assurance, as users often choose answers that may be easy to guess. Other factors, such as physical security tokens, are more secure due to their tangibility, paired with their encryption technologies. Both of these characteristics make it harder for attackers to intercept or steal the correct passcodes. However, physical tokens are expensive to deploy and may become lost or forgotten, preventing users from accessing critical business resources when needed most.

A popular solution that balances security with convenience has been software-based factors, such as Okta Verify, that users can download onto their personal mobile devices. An Okta-native MFA factor with support for iPhone and Android devices, Okta Verify is included with all Okta IT products, making it an easy and cost-effective solution for Okta customers to deploy. And with our recent completion of FIPS 140-2 validation, we’re excited that even more customers will benefit from the security and ease-of-use of this factor, particularly those with compliance requirements outlined by the U.S. National Institute of Standards and Technology (NIST).

What is FIPS 140-2?

The Federal Information Processing Standard (FIPS) 140-2 is a benchmark and certification program for cryptographic modules. In a nutshell, FIPS 140-2 validation ensures crypto key management and protection according to NIST standards, and the proper use of approved NIST crypto algorithms.

What was validated?

FIPS 140-2 validation does not mean an entire product must be validated—the validation only applies to cryptographic modules. In this case, it includes Okta Verify time-based, one-time password (TOTP) generation, signing, and validation on both client and server sides, as well as Okta Verify Push token generation and encryption on the client side.

Organisations requiring FIPS 140-2 compliance can now enable “FIPS-mode encryption” with Okta Verify. This means that passcodes and push notifications generated by Okta Verify on the following device versions are FIPS 140-2, Level 1 compliant:

  • All versions of Okta Verify on Apple iOS 7 and higher
  • Okta Verify versions 4.4.0 and higher on Android 6 and higher

Who needs to comply with FIPS 140-2?

Using FIPS-validated MFA is a requirement for many regulated industries, U.S. federal and state government agencies, and government contractors or suppliers. For example, healthcare organisations must use FIPS-validated MFA for Electronic Prescription of Controlled Substances (EPCS) systems. Providers of cloud services to the U.S. government must also adopt FIPS 140-2 validated encryption to meet FedRAMP requirements, and FIPS-validated MFA to meet the elevated FedRAMP Moderate or High baselines. There are also requirements for FIPS-validated encryption in the finance and military sectors.

At Okta, we’re excited to provide this option to these organisations, who can now take full advantage of Okta Verify to secure identity and enable their businesses. To learn how Okta Verify or our other solutions work, take advantage of our free trial.