Desktop MFA from Okta — Its time has come

The password has been much maligned since its creation, and deservedly so. Even Fernando Corbató, the MIT computer scientist who created the password, said it had become “kind of a nightmare.” However, Corbató could not have conceived of the hundreds of passwords we now use and the proliferation of complex rules to overcome the weakness of the knowledge-based authentication factor.

Multifactor authentication (MFA) has become the battle cry of the day, augmenting weak identity verification with much stronger factors such as one-time passcodes, biometrics, or physical tokens. Although not perfect, any other method of authentication is better than a password. 

Authentication to any application of value normally requires some type of additional verification to augment the password. Single sign-on (SSO) offerings automate the multifactor to improve the user experience. The flaw in MFA application access is that the access is often provisioned from an endpoint limited to password-based authentication. Think about it: We are providing strong authentication to an application from a computer that is secured with a password; an application that is strongly authenticated from a poorly authenticated device is vulnerable. And unfortunately, most devices are still protected primarily with a password.

Today, many of us have the opportunity to work remotely or in some hybrid arrangement. As a result, we have endpoints such as desktops, laptops, and other devices that can be located and accessed from anywhere in the world, all acting as potential points of malicious enterprise gateway access, especially if they're not being secured properly.

Security is but one consideration; usability is another. It is critical to balance having a strong security posture while ensuring workforce agility – or enabling easy and secure access to the applications employees need to do their work productively. Ease of use and convenience are as important considerations as security. A poor user experience results in innovative workarounds by employees—it’s the reality of needing to get work done.

To address the issue of password-based device authentication, Okta plans to introduce Okta Device Access.  Essentially, a device is just another touchpoint that a unified identity and access management solution can better secure. Traditionally, Okta has primarily helped customers secure access to applications and network-based resources, and while endpoint MFA was previously possible, it required partner solutions. Customers have been asking Okta if there is a better way to initiate authentication to the device and enable future application authentication from a more trusted endpoint posture.

The user experience that Okta Device Access envisions is relatively straightforward. Users can log into their enterprise-provisioned devices with their Okta credentials. The user will likely be prompted with a phishing-resistant MFA challenge. Ideally, passwordless authentication would be offered (but that’s a sermon for a different day). Now, once the user has strong authentication to the device, a single active session will be established. This extends SSO downstream to all of their resources so that users have access to their applications and any other services that they need during the rest of the workday. After the initial sign-in to their corporate devices, users would have that access without needing to sign in again. A user would only be prompted to reauthenticate if, for whatever reason, the risk level changes due to the security posture of the device changing or if required by a policy for access to an application.

The offering will be rolled out over several phases. First, there will be desktop MFA, which will challenge users on top of their local password, AD password, and/or whatever else they use. Users will also be able to sync local device passwords with their Okta passwords. As Okta Device Access matures, customers will have greater flexibility to enable passwordless Okta credentials, phishing-resistant factors, and seamless access for users to all their downstream resources and services to which they already have privileges and entitlements. As in all application access, additional challenges may be presented based on context and risk.

Essentially, Okta Device Access is the offering that we wanted all along. It has just taken a while to get there. The need to improve device posture and user experience has long existed. It is welcome news that Okta is introducing an offering to satisfy both requirements.

Message from the Sponsor

At Okta, our goal is to enable your workforce to safely access any resource, through any device, at every touch point throughout their workday. Stay tuned for more exciting updates to Okta Device Access. Want to learn more, please visit www.okta.com.