How Identity-First Security Reduces the Impact and Effectiveness of Attacks
Part one of a multi-part series
“Identity is the perimeter of security.” I was introduced to this phrase in 2012 after my manager returned from a conference. He scrawled that phrase at the top of the whiteboard in his office, and there it stayed until I eventually moved on from that organization in late 2013. Though I had already spent seven years working in identity and access management by that time, the magnitude of that saying was mostly lost on me.
Ten years on, the phrase “identity is the perimeter of security” has only grown in accuracy and applicability. Our new CISO has evolved the saying: “Identity isn’t the perimeter; it is the foundation of modern business.” Over the next several weeks, the Okta on Okta blog will focus on exactly how an identity-first approach to security reduces the effectiveness of several common cybersecurity attacks. Here at Okta, we use a variety of platform features to improve both our security posture and the user experience needed to make high-strength multi-factor authentication (MFA) easy to manage.
Protection—Which credentials should I use?
For most organizations and users, any MFA is much better than no MFA, but not all MFA implementations are equally robust. Some methods of MFA are more susceptible to certain attack vectors, like SMS spoofing. As such, a successful MFA strategy is one that balances the strength of the multi-factor credential with ease of use. So, which credentials are the most resilient?
To help identity security professionals make the best decisions for their organizations, we can evaluate credentials based on the three types (something you know, something you have, something you are) and by their method of operation. These methods are as follows:
- A device-bound credential cannot be moved to a different device without requiring re-enrollment.
- A phishing-resistant credential uses public-key cryptography to verify that the sign-on request from the resource is legitimate.
- A hardware-protected credential stores its keys and secrets in a secure enclave, the trusted platform module, or on a separate piece of hardware from the device being used for the sign-on event by the user.
- A credential that assures user presence demonstrates that the user is actually present during the logon process as part of the MFA process, such as through entering a PIN or using a biometric to access a one-time passcode.
We can apply additional identity-centric security controls that make it very difficult for an attacker to attempt to enroll rogue credentials on an account. Fortunately, we apply defense in depth by specifying which authenticators on an account are sufficient for activating additional credentials. We do this here through a strong credential enrollment policy. Outside of limited scenarios (such as new account activation and credential enrollment), we require higher-assurance credentials—such as Okta Verify mobile—for new credential enrollment. This significantly heightens the difficulty of stealing the account.
We can balance user experience and security by tailoring the sign-on assurance requirements to the sensitivity of the activity being performed and the resource being accessed. As mentioned above, we would want our new credential enrollment policy to require more than a password since a password alone is not device-bound, phishing-resistant, or hardware-protected. Using SMS-based authentication may be fine for low-risk applications, but being device-bound and vulnerable to phishing could make it a poor choice for access to an administrative console. By scoping our MFA policies to the sensitivity of the resource being accessed, we can blend robust, identity-centric security with the best user experience available for every scenario.
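The scoping described above can be sketched as a small policy check. This is an added example, not Okta's policy engine or code from the original post: the action names, the policy table and the FastPass property values are assumptions, while the password and SMS rows follow the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset            # subset of {"knowledge", "possession", "inherence"}
    device_bound: bool = False
    phishing_resistant: bool = False
    hardware_protected: bool = False
    user_presence: bool = False

# Constructed catalogue. The password and SMS rows follow the text above;
# the FastPass row is an assumption made for this example.
PASSWORD = Authenticator("password", frozenset({"knowledge"}))
SMS = Authenticator("sms", frozenset({"possession"}), device_bound=True)
FASTPASS_BIOMETRIC = Authenticator(
    "fastpass+biometric", frozenset({"possession", "inherence"}),
    device_bound=True, phishing_resistant=True,
    hardware_protected=True, user_presence=True)

# Hypothetical policy: action -> (minimum distinct factor types, properties that
# at least one authenticator used in the session must have).
POLICY = {
    "low_risk_app": (2, set()),
    "admin_console": (2, {"phishing_resistant"}),
    "credential_enrollment": (2, {"phishing_resistant", "hardware_protected"}),
}

def evaluate(action, used):
    """Return (allowed, reasons) for the authenticators used in this session."""
    if action not in POLICY:
        return False, ["unknown action: denied by default"]
    min_types, required = POLICY[action]
    factor_types = set().union(*(a.factors for a in used))
    reasons = []
    if len(factor_types) < min_types:
        reasons.append(f"{len(factor_types)} factor type(s), need {min_types}")
    for prop in sorted(required):
        if not any(getattr(a, prop) for a in used):
            reasons.append(f"no {prop} authenticator used")
    return (not reasons), reasons

if __name__ == "__main__":
    for action, used in [("low_risk_app", [PASSWORD, SMS]),
                         ("admin_console", [PASSWORD, SMS]),
                         ("credential_enrollment", [PASSWORD]),
                         ("credential_enrollment", [FASTPASS_BIOMETRIC])]:
        print(action, [a.name for a in used], evaluate(action, used))
```

Returning the reasons alongside the decision lets a denied enrollment attempt be logged with the specific property that was missing.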
For most people, the sign-on experience is the most visible component of identity management. It also introduces one of the weakest links in the cybersecurity chain: the password. I struggle to think of any advocate for the password these days. Passwords are over 60 years old and were never intended for the wide-scale use case of today’s digital landscape. Cybersecurity professionals resent how easy they are to steal or crack, and everyday users are often too fatigued to follow best practices around password complexity and uniqueness.
Naturally, this makes the password one of the most exploitable avenues used by cybercriminals. According to the 2022 Verizon Data Breach Investigations Report, nearly 70% of all security incidents globally can be traced to the theft of a credential (such as a password). So what can we do to reduce our exposure to this risk? Pound for pound, one of the most effective ways to harden your accounts against some of the most common and effective cybersecurity attacks is through multi-factor authentication (MFA).
Multi-factor authentication requires a user to provide two or more different types of credentials to sign in. These credentials are classified as either something you know (like a password), something you have (such as an authenticator app that provides one-time passcodes or hardware tokens), or something you are (using biometrics). Combining two of these authenticators as part of the sign-on experience greatly reduces the effectiveness of stealing a password since the password alone is no longer sufficient to access a resource.
Here at Okta, we use Okta FastPass to marry the strength and protection of multi-factor auth with a delightful, passwordless user experience. With Okta Verify installed and registered on the device, we have a possession factor. By enabling FastPass to use a platform-based biometric authenticator—such as FaceID, TouchID, or Windows Hello—FastPass also provides a biometric factor. Using Okta FastPass for strong authentication gives us a great user experience, saves time, and provides great security.
Mitigation—Credential Management Alerts
There are other attack vectors where an intruder may not need to steal your password or phone to access your account. Malware on a phone or laptop could be used by an attacker to allow them to remotely snoop on what someone is doing. Keyloggers can capture all keystrokes entered on an infected machine, including passwords. If a bad actor captures the password but finds it not sufficient to access a resource without an additional authentication factor, they are likely to attempt to use a stolen password to enroll their own.
This is a scenario where a small amount of communication can go a long way to helping keep users safe. Here at Okta, we use a platform feature that notifies users when changes to their security methods (their sign-on credentials, including those used for MFA) have been made. This feature ensures that users are promptly alerted to any changes on their accounts and given an immediate avenue to report a potential issue to their cybersecurity team if they didn’t make any of the reported changes themselves.
The “Report Suspicious Activity” button triggers several events through an Okta Workflow. In addition to alerting the cybersecurity team with a PagerDuty alert, the flow suspends the user’s account, so if it were compromised, the attacker would not be able to continue leveraging it. The Okta Workflow also fires calls to several critical systems to terminate any application sessions the user may have. This prevents the attacker from using an existing session in apps like Slack or Google Workspace while waiting for the application session to expire. Layering these platform capabilities helps keep Okta secure.
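The containment steps described above, modelled in memory as an added example (this is not the Okta Workflow itself or code from the original post). The `App` class, the `handle_report` function, the app names and the step ordering are assumptions made for illustration.

```python
class App:
    """In-memory stand-in for one application's session store (hypothetical)."""
    def __init__(self, name, sessions, reachable=True):
        self.name, self.sessions, self.reachable = name, sessions, reachable

    def revoke_sessions(self, user):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        before = len(self.sessions)
        self.sessions[:] = [s for s in self.sessions if s["user"] != user]
        return before - len(self.sessions)


def handle_report(user, account_status, apps, alerts):
    """Contain an account after its owner reports a credential change they did not make."""
    # 1. Suspend first, so a stolen password cannot create new sessions
    #    while the existing ones are being revoked.
    account_status[user] = "SUSPENDED"
    # 2. Revoke sessions app by app; one unreachable app must not stop the rest.
    revoked, failed = {}, []
    for app in apps:
        try:
            revoked[app.name] = app.revoke_sessions(user)
        except ConnectionError:
            failed.append(app.name)
    # 3. Alert the security team with the outcome, including apps whose
    #    sessions are still live and need manual follow-up.
    alert = {"user": user, "revoked": revoked, "needs_manual_revocation": failed}
    alerts.append(alert)
    return alert


if __name__ == "__main__":
    # Constructed sample state.
    status = {"alice": "ACTIVE", "bob": "ACTIVE"}
    chat = App("chat", [{"user": "alice"}, {"user": "bob"}, {"user": "alice"}])
    mail = App("mail", [{"user": "alice"}], reachable=False)
    print(handle_report("alice", status, [chat, mail], alerts=[]))
    print(status, chat.sessions)
```

Recording the apps that could not be reached matters because a session left alive there remains usable until it expires on its own.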
Learn more about the role that identity plays in the prevention of identity-based attacks in our latest white paper, Identity-Based Attacks.