Defending Against Identity Attacks Today and Tomorrow

Anyone who’s ever had their account hacked knows firsthand just how vulnerable our digital identities can be. But having our identities jeopardized doesn’t have to be our fate. Instead, users can take a future-proof approach to protecting themselves from the onslaught of costly identity attacks—both in their personal and professional environments.

Four popular account takeover methods

Hackers have a myriad of ways to compromise user identities to access sensitive data. Let’s review some of the most common methods.

  • Credential theft: Although credential theft can be achieved through DNS hijacking, malware, and real-time man-in-the-middle attacks, it’s most often achieved through phishing on high-value accounts. The attacker creates a mock site that’s designed to fool the user into thinking it’s legitimate and shares this with the targeted user via text, Instagram DM, email, or any number of other channels. Once the user keys in their credentials, they give the attackers what they need to access their personal data.
  • Credential stuffing: This happens when an attacker acquires a large collection of stolen or compromised credentials and then—banking on the fact that users often use the same password across multiple accounts—creates an automated tool or script to apply those logins to a number of different sites.
  • Password spray: Attackers can easily uncover a company’s email pattern, giving them access to their corporate usernames. By matching these with commonly used passwords, they are likely to gain access to at least one account to start their infiltration of an organization.
  • Brute force: This type of account takeover attack involves an attacker using a tool making automated login attempts, often to an API endpoint, trying as many passwords as possible against a single username until a match is found.

Why are these so prevalent?

Unfortunately, there are individual and organizational practices that make it easy for attackers to be successful.

Individual users have lax security hygiene either from lack of security awareness or simply from security fatigue. It’s hard to blame them, the number of credentials in their life keeps skyrocketing, with conflicting requirements on complexity and lifetime, which leads to password reuse and saving of passwords in spreadsheets and notes.

On the organizational side, many systems still lack strong multi-factor authentication (MFA). This may stem from a lack of funding, awareness and competing priorities, but MFA is often just hard to implement due to legacy issues both with how the back end systems handle authentication and what tools are used to access them, such as old email clients that don’t support modern authentication protocols.

What can be done about it?

It’s never been easier or cheaper for hackers to run attacks leading to account takeovers. And these breaches are getting more and more costly for the organizations that suffer them.

Fortunately, Okta can help. We provide the tools and technology to empower organizations with better ID security for their employees, contractors, contingent workers, partners, and even end users and customers.

Single-Sign On to Everything

First, having a single Identity Provider handling all authentication requests is not only great for IT efficiency and agility, but it has tremendous security benefits that are often underappreciated. A consistent authentication policy allows MFA to be applied to all access and every system – even legacy on-premise systems with Okta Access Gateway. It also makes security event monitoring far easier to achieve when all access attempts are tracked in a single system.

Strong Multi-factor Authentication options

MFA is key to defending against identity attacks, but one MFA size doesn’t fit all. The authentication needs and threat model of consumers accessing a website are very different from your system administrator or CFO accessing critical infrastructure or finance data. That’s why Okta supports a wide variety of authenticators from Okta Verify with Push apps to modern Security Keys to Voice & SMS and even legacy hardware authenticators.

Risk Based Authentication

Like a fingerprint, each user has their own unique behavioral pattern made up of everything from location to device to IP address. Okta uses this login attempt contextual data – a behavioral fingerprint – to calculate a risk score. Once the risk engine determines the risk level, your organization’s policies can either prompt the user to authenticate with the appropriate factor, deny them access – or even provide them a passwordless experience leveraging modern Webauthn external Security Keys or platform authenticators built into devices like laptops and phones.


Okta’s Risk-Based sign-on policies and MFA protect organizations leveraging modern authentication. Some applications may still use legacy protocols that don’t support MFA, such as old email clients accessing O365. To block attacks against these systems customers have been able to create custom blacklists based on locations or IP addresses.

To make this more flexible and powerful, Okta introduced ThreatInsight, an automated detection and response tool that analyzes authentication attempts across all Okta customers to detect password spray and brute force attacks. It identifies IPs that are involved in attacks, marks them as risky and allows you to block them. When a login request occurs, it’s checked against the list of risky IPs—and if it doesn’t match, it goes through the usual sign-on policy evaluation.

Piecing it all together

  • Defending your organization against current and future identity attacks is no easy feat, but using the Okta capabilities outlined above are a great start. In addition, there are other small steps you can take to get started.
  • If you’re using modern authentication and authorization protocols, deploy the right multi-factor authentication (MFA) factors for your user population.
  • Actively stop users from selecting common passwords. Okta administrators can simply check a box to automatically block users from picking any of the 100,000 most common passwords.
  • Increase end-user security awareness by getting them to download Okta’s PassProtect Chrome extension to see in real-time if the password they’re typing in any website has been breached at any point.
  • If your organization still allows legacy protocols like POP and IMAP in Office365, make a plan to retire them. Once you do this, you can enable the strongest and most reliable security features—protecting your organization and its users from costly and unsettling attacks.

Learn more

To learn more about how you can protect your organization, check out the video session below from Oktane19, or read the 3 Things You Can Do to Prevent Account Takeovers.