End-to-end phishing-resistant account updates with OAMP
In recent years, cyberattacks have increased significantly. Data breaches and phishing attacks have become common threats to individuals and businesses. According to the FBI’s Internet Crime Complaint Center, victims reported $12.5 billion in losses to cybercrime in 2023 alone, up from $3.5 billion reported in 2019.
Until now there has been no way to require phishing-resistant assurance for account recovery or authenticator enrollment, so we built a customizable policy to close that gap and protect our customers.
We already enforce two-factor authentication (2FA) assurance for enrolling and unenrolling authenticators. That is a solid layer of security, but 2FA built on phishable factors such as one-time passcodes or push notifications can still be defeated by a real-time adversary-in-the-middle proxy, so the possibility of phishing remains.
Account recovery and self-service password operations are controlled by password policy rules. The current implementation allows only limited assurance customization and, again, offers no way to require phishing resistance.
What is the Okta account management policy?
Authentication policies already offer rich customization, so we asked, “Why not extend them to recovery and enrollment flows?” Okta has invested heavily in the customizability and security of authentication policies, and reusing those capabilities was a no-brainer. Enter the Okta account management policy (OAMP).
Administrators can now define rules that deny authenticator operations when policy constraints can’t be satisfied. Previously, administrators had no way to explicitly deny authenticator enrollment or unenrollment from unmanaged devices, or by users who didn’t meet custom assurance requirements.
We also leveraged and expanded the existing Okta Expression Language (EL) to give administrators granular control when defining rules; password policy rules can’t use custom EL expressions at all. With OAMP, you can, for example, allow account recovery only from a managed device using a phishing-resistant authenticator such as Okta FastPass.
Secure onboarding and recovery
Using the newly added Okta EL capabilities, admins can attach different assurance constraints to different actions. For example, the EL expression accessRequest.operation == 'recover' || accessRequest.operation == 'unlockAccount' makes a rule apply only to operations that reset a password (recovery) or unlock an account.
It is now possible to securely onboard a new user with the new Identity verification option in OAMP: an onboarding user is asked to prove their identity with a valid government-issued ID and a liveness-check selfie. This provides an extra level of assurance before a user activates their account and enrolls authenticators.
Third-party identity verification vendors, such as Persona, can be configured within an Okta org and referenced in an OAMP rule to require verification before any account or authenticator management operation. ID proofing also extends to recovery use cases: users can be required to ID-proof before modifying their authenticators.
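To make the two ideas above concrete (an EL condition that selects only recovery and unlock operations, and a rule that then requires a managed device and a phishing-resistant authenticator before allowing them), here is an added example of a toy policy evaluator. It is illustrative code written for this page, not Okta's policy engine or API: the EL subset it parses (attribute paths, string literals, ==, !=, &&, ||, parentheses) and the operation names enroll and unenroll, the device.managed attribute, the authenticators list and the authenticator labels are all assumptions made for the example, as is first-match-wins evaluation with a default deny when no rule matches.

```python
"""Toy model of account-management-policy rule evaluation (illustrative, not Okta's engine)."""
import re
from dataclasses import dataclass

# Tokens: operators, single-quoted string literals, or dotted attribute paths.
TOKEN_RE = re.compile(r"\s*(?:(\|\||&&|==|!=|\(|\))|'([^']*)'|([A-Za-z_][\w.]*))")


def tokenize(expr):
    """Split a small EL subset into ('op', x), ('str', x) or ('path', x) tokens."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        op, s, path = m.groups()
        tokens.append(("op", op) if op is not None else ("str", s) if s is not None else ("path", path))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; precedence (lowest to highest): ||, &&, comparison, primary."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError("trailing input")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "||"):
            self.i += 1
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_cmp()
        while self.peek() == ("op", "&&"):
            self.i += 1
            left = ("and", left, self.parse_cmp())
        return left

    def parse_cmp(self):
        left = self.parse_primary()
        if self.peek() in (("op", "=="), ("op", "!=")):
            op = self.toks[self.i][1]
            self.i += 1
            return (op, left, self.parse_primary())
        return left

    def parse_primary(self):
        kind, val = self.peek()
        if (kind, val) == ("op", "("):
            self.i += 1
            node = self.parse_or()
            if self.peek() != ("op", ")"):
                raise ValueError("expected ')'")
            self.i += 1
            return node
        if kind in ("str", "path"):
            self.i += 1
            return (kind, val)
        raise ValueError(f"unexpected token {(kind, val)}")


def evaluate(node, ctx):
    """Evaluate a parsed condition against a request context (nested dicts)."""
    kind = node[0]
    if kind == "str":
        return node[1]
    if kind == "path":  # walk dotted path; missing attributes evaluate to None
        cur = ctx
        for part in node[1].split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        return cur
    if kind == "or":
        return bool(evaluate(node[1], ctx)) or bool(evaluate(node[2], ctx))
    if kind == "and":
        return bool(evaluate(node[1], ctx)) and bool(evaluate(node[2], ctx))
    if kind == "==":
        return evaluate(node[1], ctx) == evaluate(node[2], ctx)
    return evaluate(node[1], ctx) != evaluate(node[2], ctx)  # "!="


@dataclass
class Rule:
    name: str
    condition: str                    # EL condition selecting the requests this rule covers
    require_managed_device: bool
    require_phishing_resistant: bool


# Assumed labels for this example; any FIDO2/WebAuthn-based authenticator is phishing-resistant.
PHISHING_RESISTANT = {"okta_fastpass", "fido2_webauthn"}

RULES = [
    Rule("Recovery and unlock need a phishing-resistant authenticator on a managed device",
         "accessRequest.operation == 'recover' || accessRequest.operation == 'unlockAccount'",
         require_managed_device=True, require_phishing_resistant=True),
    Rule("Authenticator changes need phishing-resistant MFA",  # operation names assumed
         "accessRequest.operation == 'enroll' || accessRequest.operation == 'unenroll'",
         require_managed_device=False, require_phishing_resistant=True),
]


def decide(rules, request):
    """First matching rule decides; its constraints must hold or the request is denied.
    Returns (decision, rule_name, reason). No matching rule means default deny."""
    for rule in rules:
        if not evaluate(Parser(tokenize(rule.condition)).parse(), request):
            continue
        if rule.require_managed_device and not request.get("device", {}).get("managed", False):
            return ("DENY", rule.name, "device is not managed")
        presented = set(request.get("authenticators", []))
        if rule.require_phishing_resistant and not (presented & PHISHING_RESISTANT):
            return ("DENY", rule.name, "no phishing-resistant authenticator presented")
        return ("ALLOW", rule.name, "constraints satisfied")
    return ("DENY", None, "no rule matched (default deny)")


if __name__ == "__main__":
    # Constructed sample requests: a phished SMS code on an unmanaged laptop vs. FastPass on a managed one.
    for req in [
        {"accessRequest": {"operation": "recover"}, "device": {"managed": False}, "authenticators": ["sms_otp"]},
        {"accessRequest": {"operation": "recover"}, "device": {"managed": True}, "authenticators": ["okta_fastpass"]},
    ]:
        print(req["accessRequest"]["operation"], decide(RULES, req))
```

The point of the model is the order of the checks: the EL condition only selects which requests a rule governs; the assurance constraints attached to the rule then decide the outcome, and a selected request that cannot meet them is denied rather than falling through to a weaker rule.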
Enhanced security from day zero
Now that admins can verify users themselves from day zero, strong security controls can be enforced throughout the user's entire journey. With social engineering attacks on the rise, securing every flow with phishing resistance is crucial, and the Okta account management policy gives admins the means to do it.
Learn more about the Okta account management policy.