Okta already supports MFA. It is not a failure to provide it, it is a failure on behalf of their customer(s) to implement it. As I noted above, MFA is a pain in the butt. Few people will tolerate taking the extra step. Most companies don’t want to put their employees through the hassle. Therefore it is seldom implemented.
I’m more asking the question of how does Okta store and protect the information of its clients to ensure nobody can rob them of client passwords from the Okta side of the wall.
To address some other comments in this thread: If you are an Okta employee, using two-way authentication would not be a question of convenience, rather, a requirement of employment to protect your clients’ information.
Digressing, I’m concerned about a zero day event in the Okta environment where whatever security / storage solution Okta uses is breached.
I am also perfectly happy if they never publicly provide details about what they use, as hackers scan LinkedIn, conference PPTs, etc. in order to glean situational awareness to know what to breach.
I personally do not use a central password manager in my phone because of the concern that database may one day be breached and all my eggs are cracked. Similar to stocks, maybe not all eggs in one basket?
Finally, I want to say that Okta is founder-run and, as Saul astutely points out, has a certain pride in product given their rejection of takeovers. That gives me some comfort in the fact that the greatest threat, an insider threat, seems hedged.
Just A Fool, long on OKTA because I’m long on convenience and solutions that make life easier. Sticking with a smaller position because of my perhaps misguided belief that centralization = fragility.
I’d venture that virtually all authentication that relies on external credentials is hackable.
Multifaceted biometric security might be pretty hard to hack, like fingerprint and iris scan. But even with this, if you can somehow get past the human interface and the A/D converter in order to gain direct access to the digital stream it too would be hackable.
If we just set aside the whole computing arena for a moment and concentrate on protection from unauthorised entry, it is clear that there are various barriers that can be erected that increase the degree of difficulty to penetrate the security. But the point is that we still want authorised individuals to gain access to whatever we are trying to protect from everyone who is unauthorised. So long as access is required by some, there are no security measures that can’t be defeated given sufficient resources, time and motivation.
When it comes to IT security, there’s a lot of folks who agree with your comment: centralization = fragility.
But, in reality, I don’t think it’s even possible to centralize everything related to computing security. Perimeter access is what is addressed by UID/password, and reducing the friction involved with this particular point of interface is what is addressed by Okta. All robust IT security systems do not rely only on this single point of failure (though it is a critical point).
Where I worked we had a separate IT security team that worked with all the other IT folks on security issues. Networks, applications, databases, file servers, virtually every aspect of the IT infrastructure was scrutinized for potential security issues. We purchased and implemented security s/w from numerous vendors and we internally built what we couldn’t buy (primarily access to export controlled information which is enormously complex especially when there are vendors all over the world working on product design, development and manufacturing).
Okta supports human user authentication and SSO (single sign-on). I do not know, but seriously doubt, that they support machine-to-machine authentication, another bag of worms.
In other words, Okta functionality represents one aspect of a very complex security environment. It is not “the answer” for computing security. There is no single answer. Again, where I worked we did not rely solely on software controls for security. For example, Accounts Payable required that high dollar invoices could only be paid from an approval made from specific terminals which were kept in a locked room with keys that could not be duplicated. We employed a number of physical barriers and human security officers when it came to highly secure environments.
“One of the worst breaches we had (that was acknowledged) was when an IT guy working for HR downloaded tons of records to his PC and had it stolen out of the backseat of his car.”
This thread is reminding me of the Philip K. Dick novels I’ve been reading lately.
Just wanted to get some advice on OKTA. I have owned it since it was first recommended. Today was a wild day with the stock hitting an all time high of $61, only to bleed out to finish down around $51. That is a gigantic drop in the stock and wanted to know if I should just hold or add more to my position tomorrow morning (even if it is up in the morning should I add in the low $50s)?