What is Public Key Pinning?

Normally, traffic between a client application and its server side relies on Public Key Infrastructure (PKI). While this mechanism is sufficient for most internet traffic, the Okta Secure Identity Commitment requires us to consider advanced, persistent, targeted attackers, up to and including nation-state-level actors. Okta uses PKI and TLS as a baseline for all communication between services, including Okta Verify. In advanced attack scenarios, however, a public certificate outside Okta’s control could be compromised and still be accepted by the device’s operating system, or could be explicitly trusted by the user of that device. In such cases, a threat actor can inspect and manipulate the traffic between Okta Verify and Okta’s server-side endpoints through an attacker-in-the-middle (AITM) attack, which causes a number of problems we’ll explain later. Public Key Pinning is a way to allow-list only the certificates the client application expects and to reject all others. This means that even.