Okta

Addressing New NIST Guidelines with Okta Verify

Karl McGuinness
Senior Director, Identity

The National Institute for Standards and Technology (NIST) generated some buzz yesterday with the release of its Digital Authentication Guideline draft. As part of its purview, NIST recommends national-level guidelines and rules for cryptography and secure communications. In the proposal, NIST recommends implementers consider authenticators other than SMS due to the risk that messages may be redirected or intercepted. We recognize the potential pitfalls of SMS-based authentication and Okta has already begun to shift away from SMS-based authentication as a factor. In fact, Okta’s approach to multi-factor authentication, including leveraging secure mobile apps, biometrics, and unique pins are among the recommendations found in the draft.

Okta Verify authenticates a user by sending a push to their smartphone through the app, which cannot be deflected or interrupted. It also simplifies multi-factor authentication (MFA) by requiring just a single tap from the user. This usability is key, translating to tighter security as employees actually use the tool. In a similar vein, we recently announced Touch ID support for MFA to give users the ability to authenticate a push with their fingerprint. Users who don’t have push can still authenticate through a one-time passcode, where the app generates unique PINs on a 30-second refresh cycle that the user can use to verify their identity.

In addition, we continue to make investments in end-user security, including two recently-released beta features that combat phishing attacks. Unknown Device Email Notification improves account security by notifying a user when they connect to Okta from a new device. The anti-phishing whitelist via the Okta Plugin gives admins the ability to whitelist certain Okta organizations, blocking users from accessing non-company sanctioned Okta organizations and preventing all phishing attempts that use an Okta org. These features enhance Okta’s MFA solution, and build on our efforts to provide a rich policy framework and more device management capabilities.

Alongside our native MFA offerings, we also partner with other industry leaders, like Yubico, to offer comprehensive strong authentication methods for companies of any size or complexity. Through these partnerships and membership with groups such the FIDO Alliance, which develops open protocols for strong authentication, we support the larger security community to help shape methods and standards for the future of authentication.

The draft Guideline from NIST reflects an increasing focus on authentication across industries. In April, the PCI Data Security Standard (PCI DSS) expanded its requirements to include the use of multi-factor authentication for administrators accessing the cardholder data environment in the payments industry. Each industry has users with different needs, and Okta is dedicated to addressing these unique requirements. Okta Verify allows your IT department to easily set protocols appropriate for your organization and users. Our customers, like Amadeaus Capital, have been able to significantly reduce the risk of a security breach through the easy deployment of multi-factor authentication with Okta Verify.

NIST has posted the draft Guideline on GitHub, encouraging the community to weigh in on the final document. As the conversation continues, know Okta has you covered now and stay tuned for more updates coming at Oktane16.

Karl McGuinness
Senior Director, Identity

Karl McGuinness is Director of Platform Product Management at Okta where he is responsible for the core identity services and APIs that provide the foundation of Okta identity layer. He has over 15 years of experience building and scaling mission critical identity infrastructure as a developer, software architect, and product owner. He is passionate about identity and you can always find him chatting about some deep identity problem.

Follow Karl McGuinness