Okta advances device context features for Zero Trust security

In an era of increasingly sophisticated cyberthreats, organizations must operate on the premise that no user or device should be trusted by default. Every login attempt must be rigorously validated, including the secure state of the device requesting access.

One of the cornerstones of Zero Trust is understanding the context of devices and scrutinizing their attributes and behaviors to make informed access decisions. Device context can include many factors. For example:

  • Device type — Is it a mobile phone? Is the device managed or unmanaged?
  • Device compliance — Is the device running the latest security patches? Is it compliant with organizational policies?

By incorporating device context into your Identity security model, you can better assess risk and increase security against unauthorized access and potential breaches. Okta can help you with your Zero Trust approach to security by validating device attributes with Device Assurance.

Managing device security posture with Device Assurance

We designed Device Assurance to enhance security by ensuring the devices accessing your resources meet the security and compliance conditions you configure. Admins can write specific device compliance rules and integrate them into an application policy to ensure a secure device state before access is allowed.

Through Okta FastPass, Okta collects operating system (OS) and third-party signals — such as those from endpoint security integrations — and evaluates them as part of a Device Assurance policy. For example, a Device Assurance policy can require that a specific OS version or security patch is installed before that device can access Okta-protected resources.

Such device checks establish minimum requirements for devices with access to sensitive systems and applications. If a user is not in compliance with a required device attribute, the Okta Sign-in Widget provides remediation instructions.

Device signals are pulled and assessed when a user first establishes a single sign-on (SSO) session. Then, based on your service configurations, they’re re-evaluated each time a user opens a new application or re-authentication is required. These silent context checks can help facilitate the continued security of the devices in use and help mitigate the risk of session hijacking by detecting a potential attack and blocking access to downstream apps.

What’s new for Device Assurance

Okta is constantly looking to enrich Device Assurance with new signals and greater flexibility for Okta admins to configure the feature to meet their unique organizational needs. To that end, Okta is introducing several new enhancements.

Dynamic OS version policy option

If your organization needs a device check based on the OS version, admins can configure Device Assurance policies that dynamically gate access on the latest major OS version. This way, admins won't need to edit policies every time there's a new major release.

Figure: Android Dynamic OS

When you turn this feature on, you can create an access rule requiring that the device on which access is requested have an OS version that is at least the latest supported major version. Okta adds new major OS versions and security patches when the OS vendors release them.

This feature is currently in Early Access and will be Generally Available later this year. It will be supported on Android, iOS, macOS, and Windows devices, with support for ChromeOS coming soon. For more information about configuring this setting, please refer to the product documentation.

Grace Period for Policy Compliance

If you gate access to an Okta-protected resource with Device Assurance, access will be denied to end users if conditions are not satisfied. A consequence is that end users can lose access to mission-critical applications at inopportune times. For example, OS updates can take weeks or even months to propagate to all devices, and a policy rule based on OS version would block access to any devices secured by this rule if they are not up-to-date. In scenarios like this, end users may need a chance to receive and then install that update.

Now in Early Access, admins can enable a configurable grace period that allows temporary access to Okta-protected resources while users self-remediate any non-compliant device attributes. This feature will be Generally Available later this year.

Figure: Device Assurance grace period

The grace period gives end users access to essential resources for a configurable timeframe so they can self-remediate device compliance issues, while preventing lockouts caused by external factors such as delayed security patch releases. As a result, admins spend less time unblocking end users.
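To make the two rules above concrete (a dynamic "at least the latest major OS version" check, and a grace period that starts when a device first fails the check rather than at every evaluation), here is a small policy evaluator. It is an added illustration, not Okta's implementation: the LATEST_MAJOR table, the Device and Decision types and the evaluate() function are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of "latest supported major version" per platform. In the
# feature described above Okta maintains this list as vendors ship releases;
# here it is a hand-written stand-in so the example runs offline.
LATEST_MAJOR = {"android": 14, "ios": 17, "macos": 14, "windows": 11}

@dataclass
class Device:
    platform: str
    os_version: str                                  # as reported, e.g. "14.2.1"
    noncompliant_since: Optional[datetime] = None    # start of the grace clock

@dataclass(frozen=True)
class Decision:
    outcome: str                                     # "allow", "grace" or "deny"
    detail: str                                      # remediation text for the user

def major_version(version: str) -> int:
    """Return the leading integer of a version string; reject anything unparseable."""
    head = version.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError(f"unparseable OS version {version!r}")
    return int(head)

def evaluate(device: Device, now: datetime, grace: timedelta) -> Decision:
    """Apply the dynamic 'latest major version' rule with a grace period."""
    required = LATEST_MAJOR.get(device.platform)
    if required is None:
        return Decision("deny", f"no dynamic OS rule defined for {device.platform!r}")
    try:
        reported = major_version(device.os_version)
    except ValueError as exc:                        # fail closed on malformed signals
        return Decision("deny", str(exc))
    if reported >= required:
        device.noncompliant_since = None             # compliant again: reset the clock
        return Decision("allow", f"{device.platform} {reported} >= {required}")
    fix = f"update {device.platform} {device.os_version} to {required} or later"
    # The grace clock starts at the first failing evaluation, not at each check.
    if device.noncompliant_since is None:
        device.noncompliant_since = now
    deadline = device.noncompliant_since + grace
    if now < deadline:
        return Decision("grace", f"{fix}; access ends {deadline.isoformat()}")
    return Decision("deny", fix)
```

Note that a malformed or unknown-platform signal is denied rather than granted grace: the grace period is for devices that are verifiably behind, not for devices whose state cannot be assessed.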

Android Zero Trust Integration for Device Assurance

Android is one of several major operating systems supported by Device Assurance. To expand the range of security posture signals available to customers, Okta has partnered with Android to integrate highly requested security posture settings into Device Assurance policies for Android. This enables more comprehensive device assessments and ensures Android devices meet stringent security standards during authentication. These additional Android signals will be available for Early Access later this fall.

Figure: Add device assurance policy for Android

Get started with Device Assurance

Understanding device context and controlling device access are essential components of a robust security strategy. Through Device Assurance, you can balance security with user experience by enabling compliance checks and supporting self-service remediation to help minimize any impact on productivity. Device Assurance and these new enhancements are available to all customers on Okta Identity Engine via Adaptive MFA or Adaptive SSO.

The collection of device signals is facilitated by FastPass, which can be enabled to be a phishing-resistant, passwordless authenticator and device posture provider. To learn more about how FastPass and Device Assurance work together, take a look at this technical whitepaper.

Okta’s Device Assurance aims to bolster security. To that end, Okta has a robust roadmap of enhancements to help ensure that only devices meeting specific security standards can access critical systems and data. So stay tuned for more.

Legal Disclaimer: Any products, features, functionalities, certifications, authorizations, or attestations referenced in this material that are not currently generally available or have not yet been obtained or are not currently maintained may not be delivered or obtained on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature, functionality, certification or attestation and you should not rely on them to make your purchase decisions.