Let’s (finally) say goodbye to passwords


Finding the right authentication technology can be challenging. Companies strive for a solution that achieves the lowest risk of unauthorized access to their businesses' data, be that in the form of sensitive GDPR- and HIPAA-protected information or highly-confidential collateral stored in globally-distributed databases, without encumbering the end user. With threat actors targeting the weakest points of a company’s security — their people — this means investing in technologies that replace passwords with stronger, simpler user authentication.

Why move toward passwordless authentication?

For companies trying to deliver seamless and secure user-experiences, passwords are a real pain. Either they’re complex — and therefore difficult for employees and customers to remember — or they’re prime targets for nefarious hackers. Not only that, but remembering different login credentials across multiple apps and websites can be a huge headache for users, and strain IT teams with endless “lost password” resets...or worse, massive security risks.

According to Verizon’s 2017 Data Breach Investigations Report, 81% of all breaches used either stolen or weak passwords. In order to protect their employees and customers from credential phishing, password spraying, and brute force attacks, companies must rethink whether their password policies are sufficient to secure sensitive data. In fact, the best password is no password at all.

Learn more: Is passwordless authentication actually secure?

Authentication made safe with ThreatInsights

Over the past several years, we’ve invested in best-in-class security technologies and partnerships with other leading apps to protect our customers. With 4,350 customers and 5,500 partners in the Okta Integration Network, our incident response team can see and take again against threats and suspicious activity across that ecosystem.

We’re making these enhanced security insights available to customers through Okta’s new ThreatInsight functionality — threat intelligence curated by our incident response team. This allows our customers to better understand their own risk tolerance requirements and adapt their policies accordingly. Once they set policies that fit their needs, Okta automates the risk-based assessment and response, enabling IT teams to automatically step up authentication.

A new standard: contextual access management

Investing in best-of-breed security tools also meant building our device-based access controls and extending our adaptive authentication offerings. Contextual access management takes into account a number of context signals — such as location, device, and network — to determine the threat level of each request.

For instance, if a user attempts to authenticate from a recognized IP address, on a known device, and on the company’s corporate network, the user would be considered “low risk” — and the user would not be required to enter a password in order to log in. Instead, the user would be prompted for an alternate factor, such as Okta Verify Push. If the user was using an unmanaged (though known) device in a new location, they may be considered “moderate risk,” and be prompted both for a security question and a second factor, such as Okta Verify.

A comprehensive approach to security

“Okta’s new ThreatInsight and behavioral signals give us insight into every authentication attempt, helping us to simplify the user experience and more quickly take action if something appears amiss,” says Elias Oxendine IV, global director of IT security at the Brown-Forman Corporation, one of the largest American-owned distilled beverage companies. “With Okta, we can better protect the most important and often most vulnerable part of our security — our people.”

By blending context signals with this intelligence, Okta’s Adaptive MFA solution will be able to more effectively provide businesses with the seamless, simple authentication experience that companies have grown to depend on. We’ve also introduced Adaptive Single Sign-on (SSO), which provides a simple, secure authentication experience for users and integrates with third-party enterprise mobility management solutions, such as Airwatch or MobileIron, for device trust. With this combination of Adaptive SSO, MFA, and ThreatInsight, IT and app development teams can move toward a context-driven security approach — one that may eventually eliminate passwords after all.