We tend to think of passwords as a modern technology: a reliable way of logging into (and securing) everyday apps like Gmail and Facebook. But passwords have been around for a long time; consider the secret code words used to open locked doors hundreds of years ago. Why are we still using this outdated form of authentication? It has become clear that passwords don't work very well in a digital context. The average user has 150 online accounts, and the strain of remembering all those credentials leads to password reuse. This plays right into the hands of attackers: with credential stuffing they replay username and password pairs leaked from one breach against other services, and with password spraying they try a few common passwords against many accounts, so a single reused password can open numerous accounts.
From passwords to MFA
The solution to this problem is multi-factor authentication (MFA). MFA reduces the risk posed by a compromised password by requiring one or more additional factors beyond a knowledge factor such as a password or security question: something the user has, such as a hardware token, or something the user is, such as a fingerprint or another biometric property, before access is granted.
But as good as MFA can be at reducing security risks, it does introduce a new challenge: login friction. It’s no surprise that users can find MFA frustrating, since it places additional barriers between them and the access they seek. Where access was once quick and easy, MFA has the potential to complicate login and make it harder for employees to do their work.
For this reason, Okta offers Adaptive MFA, which assesses a user’s login context and helps admins to make an access decision based on criteria such as:
- Location context and impossible travel: Is the login from a new city, state, country, or otherwise unusual geolocation? Adaptive MFA also checks for impossible travel patterns, for example a login attempt from Bangkok just four hours after the user's regular login in San Francisco, a distance no flight could cover in that time.
- Device context: Adaptive MFA can detect whether a login comes from a new device or from a managed one, including devices pre-registered with and managed by enterprise mobility management (EMM) software such as Jamf and VMware Workspace ONE. If policy requires that a mobile or desktop device be managed by an EMM or mobile device management (MDM) solution before users access Okta-managed applications, Okta can perform this check before app access is granted.
- Network context: Adaptive MFA looks for new IP addresses, checks the source against admin-specified IP zones, and detects anonymizing proxies or VPNs that conceal the true source address.
Based on this information, Okta then grants access, denies access, or prompts for an additional authentication factor such as a push notification via Okta Verify.
This contextual access management approach has two benefits. First, it improves security by flagging suspicious logins and allowing admins to set policies, such as which authentication factors are required in which context. Second, it lets organizations reduce login friction by adapting the authentication process to the login context. For example, users working from the office might only need to confirm an Okta Verify prompt once every 24 hours, whereas a login from a new location, IP address, or device can prompt the user for a stronger factor, such as a hardware token or a biometric.
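The three context signals listed above, and the allow, deny or step-up decision they feed, can be expressed as a small policy evaluator. The Python below is an added example written for this page, not Okta's code: the thresholds (1000 km/h for impossible travel, 100 km for a new location, a 24-hour re-prompt window), the office and anonymizer address ranges (RFC 5737 documentation ranges standing in for real zones and a proxy/VPN feed) and the sample logins are all constructed assumptions.

```python
"""Hypothetical context-based step-up policy modelled on the signals in the post.
Constructed example; thresholds, networks and logins are assumptions, not Okta defaults."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

MAX_PLAUSIBLE_SPEED_KMH = 1000.0        # faster than an airliner => impossible travel
NEW_LOCATION_KM = 100.0                 # further than this from the last login => new location
REVERIFY_WINDOW = timedelta(hours=24)   # trusted context still gets a push prompt once a day
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]       # assumed office IP zone
ANONYMIZER_NETWORKS = [ip_network("198.51.100.0/24")]  # stand-in for a proxy/VPN feed


@dataclass
class LoginEvent:
    user: str
    time: datetime          # timezone-aware
    lat: float
    lon: float
    ip: str
    device_id: str
    device_managed: bool    # enrolled in MDM/EMM (e.g. Jamf, Workspace ONE)


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None
    last_verified: Optional[datetime] = None   # last successful MFA completion


@dataclass
class Decision:
    action: str          # "allow" | "step_up" | "deny"
    factor: str          # "none" | "push" | "strong" (hardware token or biometric)
    reasons: List[str]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def travel_speed_kmh(prev, cur):
    """Speed needed to get from the previous login to this one; infinite if no time elapsed."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.time - prev.time).total_seconds() / 3600
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def in_any(ip, networks):
    return any(ip_address(ip) in net for net in networks)


def evaluate(cur, profile):
    """Apply the location, device and network checks and return a Decision."""
    prev = profile.last_login
    # Hard deny: the same user cannot physically have made both logins.
    if prev is not None and travel_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        return Decision("deny", "none", ["impossible_travel"])
    reasons = []
    if in_any(cur.ip, ANONYMIZER_NETWORKS):
        reasons.append("anonymizing_proxy_or_vpn")
    if cur.device_id not in profile.known_devices:
        reasons.append("new_device")
    if not cur.device_managed:
        reasons.append("unmanaged_device")
    if not in_any(cur.ip, OFFICE_NETWORKS) and cur.ip not in profile.known_ips:
        reasons.append("new_ip")
    if prev is not None and haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) > NEW_LOCATION_KM:
        reasons.append("new_location")
    if reasons:
        return Decision("step_up", "strong", reasons)
    # Familiar context: only a push prompt, and only once per window.
    if profile.last_verified is None or cur.time - profile.last_verified > REVERIFY_WINDOW:
        return Decision("step_up", "push", ["reverification_window_elapsed"])
    return Decision("allow", "none", [])


def run_scenarios():
    """Constructed sample logins exercising each branch; returns {name: Decision}."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    sf, bangkok, oakland = (37.7749, -122.4194), (13.7563, 100.5018), (37.8044, -122.2712)
    office = LoginEvent("alice", t0, *sf, "203.0.113.10", "laptop-1", True)
    profile = UserProfile({"laptop-1"}, {"203.0.113.10"}, office, t0 - timedelta(hours=2))
    out = {"office_recent_mfa": evaluate(office, profile)}
    later = LoginEvent("alice", t0 + timedelta(hours=30), *sf, "203.0.113.10", "laptop-1", True)
    out["office_window_elapsed"] = evaluate(later, profile)
    travel = LoginEvent("alice", t0 + timedelta(hours=4), *bangkok, "198.51.100.7", "laptop-1", True)
    out["impossible_travel"] = evaluate(travel, profile)
    home = LoginEvent("alice", t0 + timedelta(hours=10), *oakland, "192.0.2.55", "phone-9", False)
    out["new_unmanaged_device"] = evaluate(home, profile)
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

Denying outright on impossible travel rather than stepping up is a policy choice; the point is that the same signals drive all three outcomes. A static anonymizer list is only a placeholder for a live reputation source such as ThreatInsight, and the 24-hour window reproduces the office case described above.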
The ability to set policies that control the authentication process lets admins balance security with easy access, and Okta's ThreatInsight takes it one step further by combining those policies with threat intelligence so that attacks are not overlooked. Using Okta's network effect across the billions of authentications in the service, ThreatInsight collects and analyzes behavioral signals to identify the suspicious IP addresses behind attacks such as password spraying and credential stuffing that an individual organization could otherwise miss. Using the data captured by ThreatInsight, admins can set risk-based authentication policies that don't depend solely on the company's own parameters but also reflect the real-world threats companies face.
Combining Adaptive MFA with ThreatInsight provides the login experience admins and users want: hassle-free authentication without compromising security. By letting ThreatInsight assess the risk of an authentication event, the login process can be reduced to three steps:
- A username is entered.
- ThreatInsight evaluates the risk associated with that particular login.
- If the risk level is sufficiently low, the user simply taps an Okta Verify push notification to gain access.
Building a passwordless future
With the approach outlined above, the need for a password disappears. Thanks to Adaptive MFA and ThreatInsight, secure passwordless authentication is becoming a reality. At Okta, we're excited to say goodbye to this broken security approach and offer a login experience that makes life easier for everyone.
Want to find out how you can take advantage of ThreatInsight and go passwordless with Okta? Download our How to Go Passwordless with Okta whitepaper!