Oktane20 happening now (plus new products)

Rough notes from another Oktane20 session.

Roadmap: Security

Okta has been advancing passwordless authentication for a while:
2012 - Desktop SSO
2017 - PIV/Smartcard
2018 - Device Trust
2019 - Factor Sequencing & WebAuthn
2019 - Email Magic Link

ThreatInsight - GA 8mo ago
4000 orgs have enabled it so far
60% auto block suspicious IPs
13M suspicious events detected in Feb 2020

HealthInsight - GA in Jan
personal security recommendations
actionable recommendations
dynamically updated

Okta focus in upcoming Identity Engine release (Q4 2020)

SIMPLIFY POLICY MGMT

  • share policies between SaaS apps
  • step-up auth requirements (eg use MFA) on critical sensitive data apps (instead of all or none)

Okta FastPass

  • registers devices with a specific user
  • checks context (network used, etc)
  • can step-up auth requirements (eg use MFA) for users identified as high-risk

Authentication Assurance

  • next evolution in Factor Sequencing
  • set security outcomes desired
  • can set diff policy for diff user classes or app classes (sensitivity, contractors allowed, etc)
  • requirements can be based on login context
  • allows passwordless auth
  • define multiple factors

example: you can set FastPass passwordless policy on non-sensitive apps (team communications), but require Adaptive MFA on sensitive apps (HR, finances)
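The policy example above, as an added illustration (not Okta's code): a toy authentication-assurance evaluator in Python. The `App` and `LoginContext` fields, the risk scores and the thresholds are all assumptions made for the example; it shows how app sensitivity, user class and login context can select passwordless, MFA or deny, and how a set of presented factors is then checked against that outcome (the factor-sequencing idea from the notes).

```python
"""Added example, not Okta's code: a toy authentication-assurance policy.

Every field name, score and threshold below is an assumption for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Assurance(Enum):
    PASSWORDLESS = "passwordless"  # registered device factor alone is enough
    MFA = "mfa"                    # device factor plus a second, different factor
    DENY = "deny"                  # block the sign-in outright


@dataclass(frozen=True)
class App:
    name: str
    sensitivity: str            # "low" (team chat) or "high" (HR, finance)
    contractors_allowed: bool = True


@dataclass(frozen=True)
class LoginContext:
    user_class: str             # "employee" or "contractor"
    device_registered: bool     # device bound to this user (FastPass-style)
    known_network: bool         # seen this user on this network before
    ip_flagged: bool            # flagged by an IP-reputation feed (ThreatInsight-style)


def risk_score(ctx: LoginContext) -> int:
    """Constructed scoring: unregistered device and unknown network add risk."""
    score = 0
    if not ctx.device_registered:
        score += 2
    if not ctx.known_network:
        score += 1
    return score


def required_assurance(app: App, ctx: LoginContext) -> Assurance:
    """Decide the assurance outcome for one app from the login context."""
    # Auto-block sign-ins from flagged IPs, regardless of app.
    if ctx.ip_flagged:
        return Assurance.DENY
    # User-class policy: some apps never admit contractors.
    if ctx.user_class == "contractor" and not app.contractors_allowed:
        return Assurance.DENY
    # Sensitive apps always require adaptive MFA.
    if app.sensitivity == "high":
        return Assurance.MFA
    # Non-sensitive apps: passwordless only on a registered device in a
    # low-risk context; step up to MFA otherwise.
    if ctx.device_registered and risk_score(ctx) < 2:
        return Assurance.PASSWORDLESS
    return Assurance.MFA


# Factor types that can serve as the second factor alongside the device factor.
SECOND_FACTORS = {"push", "otp", "webauthn"}


def factors_satisfy(required: Assurance, presented: list[str]) -> bool:
    """Check a presented factor sequence against the required outcome."""
    kinds = set(presented)
    if required is Assurance.DENY:
        return False
    if required is Assurance.PASSWORDLESS:
        return "device" in kinds
    # MFA: device factor plus at least one factor of a different kind.
    return "device" in kinds and bool(kinds & SECOND_FACTORS)


if __name__ == "__main__":
    chat = App("team-chat", "low")
    hr = App("hr", "high", contractors_allowed=False)
    employee_at_office = LoginContext("employee", True, True, False)
    contractor_new_device = LoginContext("contractor", False, False, False)
    for app, ctx in [(chat, employee_at_office), (hr, employee_at_office),
                     (chat, contractor_new_device), (hr, contractor_new_device)]:
        print(app.name, ctx.user_class, "->", required_assurance(app, ctx).value)
```

Running the block prints one outcome per (app, context) pair: passwordless for an employee on a registered device reaching the chat app, MFA for the same employee on the HR app, MFA for a contractor on an unregistered device reaching chat, and deny for that contractor on HR.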

IMPROVE THREAT DETECTION

  • Threats are ever changing
  • Even with MFA, users can bypass it or get hit by a phishing attempt
  • Compromised devices

Allowing custom MFA
Adopting FIDO2 - all browsers now support it
more devices embedding FIDO2 capabilities

Risk Engine: Risk-based Auth for Okta Verify

  • can prompt user to verify auth attempts in Verify app

ThreatInsight moving past bad-actor identification via IP.
Preventing unofficial email clients.

INCREASE END-USER SELF SERVICE

Focus on lowering help-desk requests. End users can now see recent sign-ins, and security events like account changes. Redesigning entire End User settings UI, can access from any device.

Exposing it via API, enterprises can wrap their own end-user settings app. Providing more flexible account management. Can recover factors using other factors, instead of requiring IT support. (As opposed to the “security question” method.)

Allowing enrolling Verify factors on multiple devices (Apple Watch, phone, MacBook TouchID).
