Contextual Access Management: Innovating Across SSO, Adaptive MFA and Mobility Management

Seamless and secure access— anywhere, any device, anytime for any user. It sounds simple, right?

Gone are the days when employees had a Windows desktop and authenticated with the corporate network to AD to get access to apps running in your datacentre. If users were outside the company, they were funneled in via the VPN.

It’s a challenge to provide seamless, secure access in today’s multi-vendor world where employees, customers and partners are accessing both on-prem and cloud services globally, 24x7, from any device. Combined with an increasing number of data breaches and cyber attacks — security is becoming infinitely more complex.

If you are at Oktane this year, you can catch a session with Okta’s Director of Product Management Alex Bovee and Planned Parenthood Federation of America’s CTO, Franklin Rosado: The Evolving Threat Landscape + Okta’s Security Products Roadmap, in which he’ll talk about this very subject. During the session, Rosado will note that security is getting more complicated than ever, but solutions need to be pragmatic. “More than ever, organisations need to think about context,” Rosado says of security. “Who is the user, what device are they using, where are they accessing from, when are they requesting access? This context can give you the data you need and of course you need a system with the intelligence necessary to rapidly process this context and make policy-driven access management decisions—confirm or deny access, or step-up security—in real-time.”

To tackle this problem, we’ve made a coordinated investment across our Single Sign-On (SSO), Adaptive MFA, and Mobility Management products resulting in the industry's most integrated, user-focused and vendor-neutral approach to contextual access management – all delivered as a 100% cloud-native service.

We’re the only vendor able to support contextual access management for devices running operating systems from Apple, Google and Microsoft. We’re not trying to get you to buy more operating systems – we just want you to be able to manage access across devices that run any of them. We support contextual access management across 5,000+ applications in our Okta Application Network. We love email, CRM and HR apps, but we aren’t trying to get you to buy more of ours – we just want you to be able to manage access across any app you need to make your business run. And all of this functionality is exposed via our platform. With our new API Access Management product, contextual access management can also be applied to APIs. So if you need to build a custom web or mobile app experience – and want to provide a contextually aware access management experience – you can do it on Okta.

Want to use only some of our products, and not others? We can do that too. We’ve developed an integrated administrative experience with incredible time to value and low operational costs across our three products – but we also integrate with alternative solutions. You can use Okta Mobility Management to distribute a certificate to establish device trust (like on a Mac) or you can have a third-party issue and deliver the certificate (like Active Directory for a Windows Device). Both will be recognised by the combination of our SSO and Adaptive MFA products when it comes to making an access decision based on device trust.

Simply denying access to untrusted devices would result in user backlash and a flooded helpdesk. This is why we’ve invested heavily in integrating across our products to deliver a simple and intuitive consumer experience that helps users understand why they’ve been denied access, and what they need to do to get productive.

Spanning all of our products is the most powerful, flexible policy engine on the planet (or in the cloud!). For example, you can set up one geolocation policy for the US and a separate one for Asia. With our competitors? It's just on network or off network.

Using SSO, Adaptive MFA and Mobility Management you can now enforce contextual access management decisions based on conditions such as user identity, device, location, IP reputation and time of day, while still delivering secure digital experiences that people love. And, you can establish fine-grain, flexible policies based on geolocation and different user populations. The specific updates we are announcing today to our products are below—but this is an area where you will continue to see us innovate over the quarters and years to come.

• Okta Single Sign-On: We’ve added security notifications for end-users to alert them when untrusted devices, anomalous behaviour, or logins from high risk IPs are detected. Okta SSO now supports device trust established by Okta Mobility Management or any third-party Certificate Authority. In addition, your IT team can leverage the powerful policy framework to make access decisions with protocol-level context, for example blocking email from the web, while still allowing access from the desktop or mobile app.

• Okta Adaptive MFA: We’ve expanded the power of the policy framework to incorporate additional risk context on which access management decisions can be made—including trusted devices, IP reputation, and geolocation context. We’ve also added email as second factor, and Okta Verify expands support for multiple third-party tokens, and integrates with Windows Hello.

• Okta Mobility Management: Okta Mobility Management adds Certificate Authority capability and the ability to distribute certificates to devices to establish device trust. Initial support will include Mac OS X devices, with support for iOS, Android, and Windows 10 later this year.