Achieve Enhanced Secure Authentication with Okta FastPass and CrowdStrike

Okta FastPass is a cryptographic, multi-factor authenticator that provides a frictionless, passwordless authentication experience to end users and peace of mind to IT and security administrators. Check out A Deep Dive Into Okta FastPass to learn more about how FastPass works.

Step-up authentication with security signals from CrowdStrike

Okta FastPass already provides an excellent authentication experience with strong phishing-resistant capabilities. It can also collect baseline security signals such as OS version and disk encryption to gate access to company resources when used with Device Assurance policies.

However, Okta is not an Endpoint Detection and Response / Extended Detection and Response (EDR/XDR) company. CrowdStrike, a leading EDR/XDR vendor focused on endpoint security, has best-in-class products that detect device threats and anomalies. Okta customers who are also customers of CrowdStrike can now benefit from enabling the CrowdStrike Falcon integration for FastPass.

Here are the benefits of using FastPass alongside CrowdStrike:

  • Enhanced threat detection during authentication
    • Administrators start by creating policies to prevent access to company resources from devices that do not meet their CrowdStrike security score requirements. When end users authenticate, FastPass collects signals from the CrowdStrike agent installed on the endpoint and sends them to the Okta server for policy evaluation. Access is denied if the score does not meet the organization’s security requirements.
  • Monitor the intersection of security and access management
    • Leveraging CrowdStrike alongside FastPass simplifies monitoring the security posture of devices used for authentication from a single, centralized platform. CrowdStrike risk scores collected during authentication are stored in the Okta System Log, so admins can trace authentication events in their account and pipe the data to any automation or monitoring tools used in their organization. Admins can also search the System Log for these scores, as shown in the following screenshot.

[Screenshot: System Log search showing CrowdStrike risk scores on authentication events]

How does the integration work?

For the integration to work, users first need to email [email protected] to enable the integration. Then the CrowdStrike Falcon sensor (6.14 or higher) must be deployed to the same client device on which the desktop Okta Verify is installed. The CrowdStrike Falcon sensor is an agent that collects data to detect and respond to threats on the endpoint and transmits threat data to the Falcon cloud platform for analysis. There, a Zero Trust Assessment (ZTA), a score between 0 and 100 (100 being most secure), is calculated. Once the ZTA is calculated, the score is sent back to the sensor and stored locally on the host in the “data.zta” file.

To enable CrowdStrike integration, the admin will need to add CrowdStrike integration from the admin console so the server can request Okta Verify to collect signals from the CrowdStrike Falcon sensor. The admin also needs to create or edit authentication policies that evaluate the trust signals collected by CrowdStrike during authentication.

Integrating Okta FastPass with CrowdStrike allows Okta FastPass to serve as a device posture integration layer between the Okta service and CrowdStrike, which has the CrowdStrike Falcon sensor running on end-user devices. Whenever a user wants access to a resource protected by an authentication policy requiring a CrowdStrike signal, Okta Verify captures the Zero Trust Assessment score calculated by CrowdStrike Falcon and sends it to the Okta server. The Okta server evaluates the score against the authentication policy based on Okta Expression Language (EL) and either allows or denies access to the resource.

[Figure: Okta FastPass and CrowdStrike integration flow]

Security considerations

  • As part of CrowdStrike’s anti-tampering protections, the data.zta file can't be modified, deleted, or renamed as long as the sensor runs. Additionally, on Windows, Okta Verify always checks and ensures the sensor is running before reading the file.
  • CrowdStrike guarantees the integrity of the data.zta file by signing the content in the cloud using its private key, and the Okta server verifies the signature using CrowdStrike’s public key.
  • To prevent replay attacks, CrowdStrike embeds a subjectKey in the JWT, and the Okta server uses that key to bind the assessment to the device object.

Expression Language

You can specify Okta Expression Language (EL) in the authentication policy so that the Okta server can evaluate the score collected from CrowdStrike to either allow or deny access to the resource.

CrowdStrike provides the following scores:

  • ZTA Overall 
    • Security posture score as determined by OS/sensor signals
    • Most commonly used
  • The OS signal score
  • The sensor settings score

Examples of Expression Language:

device.provider.zta.os >= 90

device.provider.zta.overall >= 80

device.provider.zta.sensorConfig >= 90

Below is a screenshot of an app sign-on policy rule with a custom expression.

[Screenshot: app sign-on policy rule with a custom Expression Language condition]

(Note: Numbers shown above are for illustration purposes only. Please set the appropriate risk score number that is desirable for your organization)
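The following Go program is an added illustration, not code from Okta or CrowdStrike, of the server-side checks described in the Security considerations and Expression Language sections: the vendor cloud signs an assessment with its private key, the relying party verifies it with the public key, rejects an assessment whose subjectKey does not match the enrolled device, and only then applies the three threshold expressions from the examples above. The token layout (a compact JWT with EdDSA over Ed25519), the claim names overall/os/sensorConfig, and the sample device key and scores are assumptions constructed for this example; the real data.zta format is not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ZTAClaims models the fields this example assumes inside the signed
// assessment. The claim names are illustrative, not CrowdStrike's real schema.
type ZTAClaims struct {
	SubjectKey   string `json:"subjectKey"`
	Overall      int    `json:"overall"`
	OS           int    `json:"os"`
	SensorConfig int    `json:"sensorConfig"`
}

// Policy mirrors the three example expressions from the post:
// zta.overall >= 80, zta.os >= 90, zta.sensorConfig >= 90.
type Policy struct {
	MinOverall, MinOS, MinSensorConfig int
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssessment plays the role of the vendor cloud: it signs the assessment
// with the private key and returns a compact header.payload.signature token.
func SignAssessment(priv ed25519.PrivateKey, c ZTAClaims) (string, error) {
	header := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) // assumed algorithm
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// VerifyAssessment plays the role of the identity server: check the signature
// with the vendor's public key before trusting any claim, then confirm the
// subjectKey matches the key bound to the enrolled device so that a valid
// token lifted from a different host cannot be replayed here.
func VerifyAssessment(pub ed25519.PublicKey, token, enrolledSubjectKey string) (ZTAClaims, error) {
	var claims ZTAClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return claims, errors.New("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims, err
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return claims, err
	}
	if claims.SubjectKey != enrolledSubjectKey {
		return claims, errors.New("subjectKey does not match enrolled device")
	}
	return claims, nil
}

// Evaluate applies the thresholds the same way the Expression Language
// examples do: every score must meet its minimum or access is denied.
func Evaluate(p Policy, c ZTAClaims) bool {
	return c.Overall >= p.MinOverall && c.OS >= p.MinOS && c.SensorConfig >= p.MinSensorConfig
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	policy := Policy{MinOverall: 80, MinOS: 90, MinSensorConfig: 90}
	// Constructed sample: a device whose OS score falls below the threshold.
	token, _ := SignAssessment(priv, ZTAClaims{SubjectKey: "device-abc123", Overall: 85, OS: 70, SensorConfig: 95})
	claims, err := VerifyAssessment(pub, token, "device-abc123")
	fmt.Println("signature and binding ok:", err == nil, "access allowed:", err == nil && Evaluate(policy, claims))
}
```

The order of checks matters: the signature is verified before the payload is parsed, so an altered score never reaches the policy, and the subjectKey comparison runs before the thresholds, so a genuine assessment from a healthy but different device is still refused.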

Take it for a test drive!

Watch the video demo below to see how the Okta FastPass and CrowdStrike integration works.


If you are a CrowdStrike and Okta customer, you can configure this CrowdStrike integration yourself and try it firsthand. Don’t forget to send us your ideas and suggestions for improvement! We would love to hear from you.