How we went passwordless at Okta

Today, Okta’s CIO Alvina Antar announced that Okta has gone 100% passwordless for workforce apps. Every Okta resource in our tenant now uses passwordless, phishing-resistant authentication policies, representing a major elevation of our user experience and security posture. 

We officially reached this milestone on August 30th, when Okta on Okta rolled out the final set of application access policies to get us there. But crossing the finish line is just a small part of the story. Here’s a peek behind the curtain at how we undertook this effort.

The origins of our journey

The passwordless journey at Okta started in August 2021 with our own okta.okta.com tenant’s upgrade from Okta Classic to Okta Identity Engine (OIE). With that, we gained access to the “killer app” of OIE, Okta FastPass, giving us a new option for high-assurance, multi-factor authentication (MFA) with a single user interaction. 

We then partnered with our internal Okta Security team to assess our portfolio of applications and built new policies that included FastPass as an additional authenticator. Guided by Security’s assessment of each application, we aligned those apps to policies and authenticators that would provide the sufficient level of assurance commensurate to the sensitivity of each app’s data.

Measuring our progress and impact

As a data-driven company, we frequently measure the counts of authentication events, and the authenticators used for each event, to gauge adoption and impact. As we ironed out the kinks in our policies and responded to feedback on the user experience, the metrics began to normalize and we could start doing some analysis.

By June 2022, nearly a year after our switch to OIE, slightly more than half of all authentication events were using FastPass. In fact, nearly 75% of authentication events were using some form of passwordless technology, such as FastPass or WebAuthN. By comparing the total count of MFA authentications per month in Okta Classic to the new data we had collected, and the time for each transaction to complete, we calculated a time savings of over 7,700 person-hours per year — just from switching from traditional MFA to FastPass! If we factor the “cost” of each authentication event using average employee cost, we found that time savings to be worth over $470k for that first year.¹ 

But we didn’t stop there.

A bold challenge

In late 2022, shortly after we enabled phishing resistance on FastPass for our tenant, we challenged ourselves to eliminate passwords and non-phishing-resistant authenticators in our app policies by the end of 2023. This wasn’t an edict from above, issued in a vacuum; it was a deliberate, transformative effort spanning several internal orgs — Okta on Okta, Business Technology, Security, and our Workforce Identity Cloud (WIC) Product team — to identify which policy, process, and platform changes we would need to execute to accomplish this goal.

Though the scope was huge, the actual team needed to affect the change was surprisingly small — at least from our perspective as Okta on Okta admins. With guidance from our Security team, we began by assessing what efforts we could take to remove phishable factors from our existing policies without requiring platform changes. We then separated those “quick win” efforts from the new features we would need in the platform from our partners in WIC Product. 

Along the way, we tracked each authentication event to establish a baseline and to demonstrate the impact of the policy adjustments. As the year went on, we began seeing a clear trend in the data:

Those authentication policy modifications had the biggest impact in reducing our use of passwords. As we rolled them out, we made sure to frequently and clearly communicate with our users to keep them informed of how their sign-on experience would change, and to share any new behaviors or actions they would need to take to avoid disruption of their work. Our workforce was excited for the improved user experience, so user adoption and pushback were not an issue as part of this rollout.

The final stretch

As the above chart shows, we spent about three months in mid-2023 with our password usage seemingly stuck at 2% of all authentication events. Although we had enabled policy rules that ensured a phishing-resistant authenticator was required for every device type, there was one gap: unmanaged iOS. 

We wanted to ensure that even BYOD devices could support a phishing-resistant flow. So we helped WIC debug and test using real applications connected to their development environments to work out exactly what product changes within Okta Verify would be required to accomplish our goal. Once it was ready, we deployed it into production and closed the password gap. Now every single device and policy requires a phishing-resistant authenticator.

The journey continues

Though we are now 100% passwordless in our workforce app policies, we are turning our attention to the next phase in our journey: to fully remove passwords and even the option to use passwords in all scenarios in the Identity lifecycle here at Okta.

Soon, we plan to modify our application policies to fully remove passwords as an option for application sign-on, once that feature is available. Presently, we are testing multi-factor, passwordless sign-on flows on our workstations to remove the need for local user account authentication into MacOS and Windows. Instead, the goal is for everything to be governed by Okta and use a phishing-resistant credential. Finally, we intend to introduce a method to securely bootstrap a new user into our tenant and their workstation using a preconfigured, phishing-resistant authenticator as new employees join and set up their accounts at onboarding. Look out for more information on each of these efforts in future blog posts!

This initiative truly took a village, and highlights what Okta can do when Business Technology, Okta on Okta, Security, and Product all collaborate to raise the bar on security.

If you would like to have a conversation with Okta on Okta about our journey in more detail, please reach out to your field team representative to schedule a session with us. 

Any unreleased products, features or functionality referenced in this blog that are not currently available, may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature or functionality, and customers should not rely on them to make purchase decisions.

¹Values derived from 60-day analysis of all authentication events in the okta.okta.com org from 05/01/22-06/30/22 and extrapolated for the year following the August 2021 OIE/FastPass release in okta.okta.com.