We’ve gone 100% passwordless for workforce apps
At Okta, we’re always looking for ways to strengthen our overall security posture. We’re also constantly striving to improve the experience for our total workforce of 7,000+ users. With those two goals in mind, I’m incredibly proud to announce that we’ve reached a major milestone: Every app and resource in our internal Okta tenant now uses passwordless, phishing-resistant authentication policies.
This transformational project began as an effort to more deeply understand our own products but quickly became something much bigger. Along the way, it strengthened our resistance to security threats, reduced friction for our employees, unlocked value for our business, and even inspired new features for our customers.
From early adoption to business mandate
Our passwordless journey began with an internal program we call Okta on Okta. It’s our dedicated initiative to proactively use our own products so we can help accelerate innovation and better advise our customers.
We had been a customer of our “Okta Classic” workforce product since its inception, and when we introduced Okta Identity Engine (OIE) in 2019 and Okta FastPass in 2020, we knew we had to be the first-and-best customer of these new offerings, too.
But as we began migrating to OIE and FastPass, we started seeing massive potential benefits beyond just early-adopter insights. Phishing resistance alone could have such a powerful, positive impact on our security posture that going passwordless became not just a nice-to-have but a business mandate.
There was another important factor motivating our journey at the time: the outbreak of COVID-19. Nearly overnight, our entire workforce went remote and global. Suddenly, our users were getting work done on devices and networks we didn’t control. Our attack surface grew substantially, and managing access became much more complex. Threat actors were taking note of the worldwide shift to remote work, too; the number of global phishing attacks surged 220% during the first peak of the pandemic, according to F5. Like organizations everywhere, we found ourselves wondering what more we could be doing to harden our security.
The clear answer was to integrate phishing-resistant factors across our landscape. And that meant going passwordless.
Unexpected challenges — and benefits
As our Senior Director of Okta on Okta, Jon Lehtinen, notes, we officially began our passwordless journey in August of 2021 by upgrading from Okta Classic to OIE. We were truly early adopters, the first customer to attempt this migration. So, we took our time, building up the infrastructure needed for pre-production testing and perfecting the choreography for the upgrade.
While this process took a bit longer than expected, it also gave us invaluable insights into our own products. Because of our firsthand experience, we were able to provide feedback directly to our Product and Engineering teams, who then built more self-service features into our upgrade process. Today, most migrations only take a few minutes to complete, offering customers a far better deployment experience.
As well as migrating to OIE and adopting Okta FastPass, we had to redefine our authentication policies to eliminate passwords. This required significant alignment between our Security and IT teams — organizations that can historically have different objectives. But these teams, joined by Product, collaborated on the strategy and design of the entire process, from policy definition to overall architecture. This partnership has evolved into a lasting relationship that we still benefit from today.
Over the past few months, as we approached the passwordless milestone, the impact on our business accelerated. By strengthening our phishing resistance and shrinking our attack surface, we’ve reduced the time and money spent responding to phishing threats.
But the real value of passwordless authentication extends even further. For example, passwords are expensive to support. By going passwordless, we’ve greatly reduced the cost of the help desk support associated with recovering and resetting them. In fact, by our own estimates, we saved over $470k in productivity in just one year after switching from traditional MFA to FastPass. And we’re not alone; Intermex Wire Transfer says that Okta helped them decrease service desk tickets related to password requests by 70%, contributing to $175,000 in savings per year. Other Okta customers have reported similar savings as they’ve reduced their reliance on passwords.
Eliminating passwords with Okta FastPass
Now, we’re looking ahead to the next phases of our journey. While we’ve gone 100% passwordless for access to resources protected by our okta.okta.com tenant, we aim to apply similar phishing-resistant, passwordless policies to desktop sign-on via our newly launched Okta Device Access.
We also envision new passwordless and phishing-resistant solutions for onboarding new employees, which will require new approaches to governance. Ideally, processes like provisioning and deprovisioning users, which can be mundane if not painful to manage, would be fully automated with a robust governance solution.
So would software rationalization. A recent report by Nexthink found that nearly half of all software licenses go unused. Our own solution (Okta Identity Governance) gives customers a single pane of glass for all the software that runs their businesses, so they can automatically detect duplicative tech and easily reclaim unused licenses based on Okta’s application usage data. Automating software provisioning and deprovisioning based on role-based access controls can result in significant software savings and increased compliance, as opposed to waiting until your annual software renewal to evaluate your usage.
Getting started on your own journey
For organizations looking to enhance their own phishing resistance by going passwordless, we’d recommend starting by embracing passwordless technologies for any new workforce applications you adopt moving forward. Then, over time, you can align your legacy apps with your new passwordless approach.
Conventional wisdom says that going passwordless is an unattainable goal. We’re proud to confirm that it’s not. While the journey is ongoing, it’s real, it’s here, and it’s ready.
Any unreleased products, features or functionality referenced in this blog that are not currently available may not be delivered on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature or functionality, and customers should not rely on them to make purchase decisions.