How to Go Passwordless with Okta
Passwordless authentication is no longer a thing of the future. Solutions such as Apple Touch ID/Face ID and Windows Hello allow users to access their devices password-free, and mechanisms like fingerprint and card readers also provide a similar passwordless experience. Impressive as this may be, though, it’s wise not to rely solely on one factor for security—even one that’s far more secure than a password.
Consider a possession factor like your mobile phone, or a knowledge factor like a security question. Both of these offer more security than a simple password, but a phone can be lost, and security questions become a pain to remember. Simply put, it’s difficult to identify a single authentication factor that can be completely secure.
Leaving passwords behind is an important step towards better security and identity access management (IAM), but it’s even more important to strengthen authentication by taking into account the context of every login request.
Generally speaking, multi-factor authentication (MFA) is used today in conjunction with passwords, although this doesn’t necessarily have to be the case. We should be moving away from passwords. But, that doesn’t mean embracing a single alternative authentication factor. Instead, the answer lies in variations of other factors, combined with contextual access management, to ensure that logins are secure.
Okta’s Adaptive MFA and ThreatInsight
To reduce login friction while improving security and doing away with passwords, it’s important to examine the context of a login and modify authentication policies based on the login risk. Implemented correctly, contextual access management doesn’t just boost security—it actively improves the login experience for users. Okta’s Adaptive MFA and ThreatInsight work together to strike a balance between easy access and robust security. Here’s what happens when an Okta user tries to sign in:
- Adaptive MFA takes into account the user’s device, location, and network, and then determines the risk of the login request against a set of predefined policies. Unknown or new devices, networks, and locations are flagged as anomalous, giving administrators the option to take further action on these types of login behaviors. Okta can even take “impossible travel” into account. Should a user log in from a new location that would have been impossible to reach given the previous login location, the event would be flagged. For instance, if a user logs in from France two hours after logging in from San Francisco, this would be identified as “impossible travel”. Based on this login attempt, Okta can grant access or prompt for an additional authentication factor.
Figure 1: Contextual access management
- ThreatInsight, meanwhile, analyzes real-time threat data gathered from multiple sources across the Okta Integration Network and further interrogates the conditions of a login request. As an example, ThreatInsight may flag an IP address because of risk signals seen across Okta’s global dataset. So, while a particular IP address might not seem particularly suspicious at first glance, access to aggregated data can result in threats being flagged that might otherwise be overlooked.
Figure 2: Use threat insights gathered from the Okta Integration Network to set risk-based authentication policies
Going Passwordless With Factor Sequencing
The combination of Adaptive MFA’s contextual awareness and the intelligence of ThreatInsight means organizations can securely configure a passwordless solution utilizing a variety of authentication factors. When threat levels are low, the login experience can be streamlined and users can be offered a simpler path to the data and apps they need. However, when the risk level associated with a login is high, additional authentication factors will be required. For example, an administrator might set the Okta Verify mobile app as the primary authentication factor. If the user logs in from a known location and device, Okta sends an authentication request via the app that the user accepts in order to gain access. However, if Adaptive MFA or ThreatInsight detects an anomaly that raises the risk level of the login request, Okta can prompt the user to also make use of a second authentication factor such as a U2F token.
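As an added illustration (not Okta’s code or policy engine) of the impossible-travel check from the Adaptive MFA bullet above and the factor-sequencing step-up described in this section: a small Python policy that derives risk signals from a login’s device, network, geolocation and a flagged-IP list, then returns the factors to require. The known device, the head-office network prefix, the flagged IP, the 50 km same-place tolerance and the 1,000 km/h travel threshold are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative policy only, not Okta's engine; device, network and IP values are constructed.
KNOWN_DEVICES = {"laptop-1"}
KNOWN_NETWORK_PREFIXES = ("198.51.100.",)  # head-office range (constructed)
THREAT_FLAGGED_IPS = {"203.0.113.9"}       # stand-in for a ThreatInsight IP signal
MAX_PLAUSIBLE_KMH = 1000.0  # about airliner speed; faster than this is "impossible travel"
SAME_PLACE_KM = 50.0        # ignore geolocation jitter inside one metro area

@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    device_id: str
    ip: str

def distance_km(a: Login, b: Login) -> float:  # great-circle (haversine) distance
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:  # could the user have covered the distance?
    dist = distance_km(prev, cur)
    if dist < SAME_PLACE_KM:
        return False
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    return hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH  # out-of-order events are anomalous too

def risk_signals(prev, cur: Login) -> list:  # Adaptive MFA-style context plus a ThreatInsight-style IP check
    signals = []
    if cur.device_id not in KNOWN_DEVICES:
        signals.append("new_device")
    if not cur.ip.startswith(KNOWN_NETWORK_PREFIXES):
        signals.append("new_network")
    if cur.ip in THREAT_FLAGGED_IPS:
        signals.append("threat_ip")
    if prev is not None and impossible_travel(prev, cur):
        signals.append("impossible_travel")
    return signals

def required_factors(prev, cur: Login) -> list:  # factor sequencing: push alone at low risk, U2F step-up otherwise
    return ["okta_verify_push"] + (["u2f"] if risk_signals(prev, cur) else [])

T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed sample events follow
SF_LOGIN = Login(T0, 37.77, -122.42, "laptop-1", "198.51.100.23")
PARIS_LOGIN = Login(T0 + timedelta(hours=2), 48.86, 2.35, "laptop-1", "198.51.100.23")
```

Calling `required_factors(SF_LOGIN, PARIS_LOGIN)` yields the push plus a U2F step-up because the Paris login is flagged as impossible travel, while `required_factors(None, SF_LOGIN)` yields the push alone.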
It’s important for administrators to take the sliding scale of assurance into consideration when it comes to selecting a method of authentication and choosing factors. Context should be the guide, allowing for simpler login and improved usability whenever the situation allows for it. A knowledge factor, like a security question, is easy to use, but also less secure than a possession factor like U2F. With this in mind, it makes sense to opt for a simple possession factor when a user signs in from their usual network and location at head office, and reserve more secure factors for instances where a device, network, or location increases the risk level.
Figure 3: Sliding scale of assurance
Naturally, administrators also need to select factors in a way that makes sense given the company’s available technology. Using Okta Verify wouldn’t work unless everyone in the organization has access to a smartphone, for example, so it might be better in some instances to use another factor like an SMS OTP.
Okta and VMware Workspace ONE Deliver a Passwordless Experience
Taking a look at another passwordless (yet secure) IAM solution, Okta and VMware have partnered and developed a solution for those who are running Workspace ONE and utilizing the Okta Identity Cloud.
VMware Workspace ONE is a digital workspace platform that combines best-in-class unified endpoint management capabilities with comprehensive device compliance and conditional access. The Okta Identity Cloud enables organizations to manage their extended enterprise users and helps them build personalized and secure customer-facing apps. Together, these two technologies enable customers to benefit from improved choice and flexibility as they provide employees with a central hub to access all the apps, services, and devices they need.
Thanks to this partnership, mutual customers can leverage their investment in both platforms and embrace an integrated solution, where for example, Workspace ONE provides the device context checks, while Okta delivers a consolidated user directory. This integration not only offers enhanced conditional access for greater security and compliance, but also improves usability with a consistent authentication experience for your end users.
Similar to Okta Adaptive MFA and ThreatInsight customers, Workspace ONE administrators can leverage the Okta integration to configure a secure and passwordless experience for their users, taking advantage of the contextual access management and threat intelligence services mentioned above.
The time has come to say goodbye to passwords. The future doesn’t lie in one particular alternative, however, but instead in a multitude of possible authentication factors that can be implemented depending on the context of a specific login. Thanks to MFA and contextual access management, it’s possible to reduce login friction and give users easy access to information while simultaneously improving security.
Okta is the leader in managing and securing identities for thousands of customers and millions of people. We take a comprehensive approach to security that spans our hiring practices, the architecture and development of the software that powers Okta, and the data center strategies and operations that enable the company to deliver a world-class service. In addition to product innovation and an award-winning customer support approach, Okta’s solution is backed by a world-class cybersecurity team that works around the clock to provide the most secure platform for their users and the information they are entrusted with. We employ state-of-the-art encryption key management to secure customer data. Protection of customer data is audited in accordance with GDPR, FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements. The company protects user information for global organizations such as ENGIE, Eurostar, Scottish Gas Networks, and News Corp, as well as some of the most highly regulated, complex companies, including American Express, U.S. Department of Justice, and Nasdaq. Learn more at www.okta.com