Customer Identity Cloud enhancements to prevent account takeover
Recapping features introduced under the Okta Secure Identity Commitment to safeguard our infrastructure, our customers, and our customers’ customers
Identity is under attack — by ransomware groups, nation-state actors, malicious insiders, and other cybercriminals — and, in recent years, it has emerged as the primary enterprise security entry point for all workforce and consumer applications.
Consequently, no security strategy or posture is complete without comprehensive safeguards against Identity threats.
As a leading independent Identity company, Okta takes this responsibility seriously. In February 2024 we launched the Okta Secure Identity Commitment to:
- Provide market-leading secure Identity products and services
- Harden our corporate infrastructure
- Champion customer best practices to help ensure they are best protected
- Elevate our industry to be more protected from Identity attacks
In this post, we want to take a moment to share some of the work our Product, Engineering, Security, and Business Technology teams have been doing to enhance the Okta Customer Identity Cloud — in particular, to secure:
- Our infrastructure
- Our customers
- Our customers’ customers
Securing our infrastructure
We recognize that our business continuity directly impacts our customers’ security and, more fundamentally, their ability to conduct business and serve their users.
Broadly, we hold all of our internal people, processes, and technology to the same rigorous security standards as our customer-facing products — emphasizing a holistic, inside-out approach to security.
Additionally, we’re accelerating our investments to further harden our ancillary (i.e., production-adjacent) and corporate systems. You can find a comprehensive list of publicly disclosed investments and activities in the Okta Secure Identity Commitment whitepaper.
Securing our customers
Administrative accounts are routinely targeted with account takeover (ATO) attacks, due to the elevated privileges associated with these roles.
To help safeguard against ATO attempts targeting privileged roles, we’ve introduced several new features.
Requiring MFA for all Auth0 Dashboard Admins
Multi-factor authentication (MFA) with strong secondary factors is a proven way to substantially strengthen defenses against ATO attempts, whether those attempts use known (i.e., stolen) credentials or brute-force techniques.
Previously, MFA was an optional requirement for Auth0 administrators, to avoid imposing incremental authentication friction for organizations comfortable operating without this layer of defense. However, in response to the evolving threat landscape, MFA is now mandatory for all admins with a username/password-based login or third-party social login.
Elevating security control and governance support with Auth0 Teams
Auth0 Teams is a platform to simplify the management of your tenants and tenant members while allowing for clearer visibility into the Auth0 dashboard. Diving a little more deeply, Auth0 Teams provides:
- Visibility into tenants with relevant details (region, tenant type, etc.)
- Visibility and control of tenant members (who has access to which tenant with what role)
- Ability to enforce Single Sign-On (SSO) with your own Identity provider for all team and tenant members’ access to Auth0
- Ability to restrict tenant creation on a given Team
- Ability to manage subscription and billing details (for self-service subscriptions)
With Auth0 Teams sitting on top of the tenant account membership, it’s the single point for visibility and control for a user to create, read, update, and delete any details within the tenant account membership.
ASN binding in the CIC admin portal
In response to more secure forms of authentication, adversaries are targeting session cookies as an alternative way to gain access to protected applications and environments.
Typically extracted from browsers via infostealers and other malware, or through adversary-in-the-middle attacks, session cookies are like golden tickets that allow cybercriminals to impersonate legitimate users without raising alerts. If an attacker steals a session cookie and injects it into their browser, they can often access the same session as the legitimate user for as long as the session remains active.
While session hijacking can be scaled somewhat, the approach is more likely to be used as part of a targeted attack against particular users (e.g., admins) in high-value organizations.
To help prevent hijacking of established sessions, Okta will automatically revoke an Okta Admin Console session if the ASN (Autonomous System Number) observed during an API or web request differs from the ASN recorded when the session was established.
When such a condition is met — whether a legitimate admin user changed locations (e.g., logged in at home and then reconnected from a coffee shop) or an attacker attempts to hijack a session — the legitimate admin user will be required to log in again.
Securing our customers’ customers
In a business-to-consumer (B2C) context, a successful ATO may provide an attacker with access to resources (e.g., loyalty points), privileges (e.g., ability to make purchases, especially of products in limited supply), and valuable demographic and personally identifiable information (PII).
In a business-to-business (B2B) context, a successful ATO could provide an attacker with access to highly sensitive data, resulting in a breach with severe regulatory and contractual penalties for the targeted organization. In extreme cases, compromising an account could lead to business disruption.
Unfortunately, poor security hygiene — especially in the form of simple, common, or reused passwords — means that many user accounts are vulnerable to automated password-based attacks.
Plus, securing customer identities — and the associated rights and privileges — doesn’t stop at authentication. If an attacker steals a session cookie and injects it into their browser, they can often access the same session as the legitimate user for as long as the session remains active.
To combat these threats, we’ve introduced a number of new security features within the Customer Identity Cloud.
Fourth Generation Bot Detection
Bot Detection, with Okta AI, has proven capable of filtering nearly 80% of bots targeting authentication systems. Importantly, these defensive capabilities are achieved without introducing unnecessary user friction — by carefully training and continually tuning the AI at the heart of Bot Detection, we can ensure human users are rarely presented with a CAPTCHA, preserving seamless experiences.
Plus, there’s considerable evidence that this efficacy is a very strong deterrent, as some of our largest customers saw their 90-day average of bot traffic drop by nearly 90% after enabling this Attack Protection feature. The latest version of Bot Detection incorporates third-party data to further improve its efficacy against bots.
Passkeys
Both B2B and B2C organizations are especially sensitive to friction in customer authentication flows, as unnecessary friction can adversely affect conversions and revenue.
Adaptive MFA and Step-up Authentication helped balance convenience and security, but passkeys have already proven to deliver a secure, convenient, and familiar user experience that surpasses the usability of other approaches in many ways.
Based on FIDO Alliance and World Wide Web Consortium (W3C) standards, passkeys replace passwords with cryptographic key pairs, making them phishing-resistant. They can be accessed (i.e., used) the same way users unlock their mobile devices — typically via biometrics or by entering the device access code.
With passkeys in the Okta Customer Identity Cloud, application builders and digital teams can reduce login friction and strengthen safeguards against ATOs.
Session management API
Passkeys are a significant step toward eliminating passwords and will help in the fight against account takeovers. However, as noted above, attackers today focus moreon session hijacking, a threat independent of authentication security.
Our new Session Management API empowers businesses and developers with greater control over the post-authentication experience for their end users by giving centralized access to the list and revocation of user sessions across applications. In the event that a business suspects a session has been hijacked, they can preemptively revoke the session — protecting their customers and organization.
Stay informed about the Okta Secure Identity Commitment
Okta is committed to being an industry leader in the fight against Identity-based attacks, and we will continue to evolve along with the technology and threat landscape.
To stay up-to-date with the latest developments and access additional resources — including an Identity security checklist — please visit the Okta Secure Identity Commitment landing page.
These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.