Demo: Adaptive MFA
Transcript
Presenter: So with that, let's take a quick look at the application setup from the administrator's perspective. I am logged in here as an administrator into the Okta portal. In our security menu, you set up multifactor authentication for your organization by first selecting which factor types you want to enable. As mentioned, it's critical that you have a wide variety of tools. Different applications and different assurance levels within the applications may need a different user experience and a different factor experience. In this case, in this organization I have selected to support Okta Verify, including push notification and Touch ID, as well as some other authenticators that we'll show here in a moment, because they are all part of the solution in this particular organization's use case.
Presenter: I can control how the actual enrollment into these factors is done. In this particular case, I have selected a different enrollment policy for different groups within my organization. As always, identity-driven security allows you to tie the authenticators and factors, as well as the enrollment experience, directly into employees', partners', and contractors' group memberships. So you can drive all of this from your normal workflows, whether it's mastered through Workday or any other HR system, or mastered from Active Directory or any other source. This makes it very easy to set policies that make sense and are easy to administer.
Presenter: For example, for my Okta system admins and other system administrators in my organization, I've selected to allow them Okta Verify with push or strong U2F security keys as their factor experiences, and I'm controlling the authentication enrollment by selecting that the first time the user signs in to Okta while they are in the corporate network, they are enrolled in this. This way I can control a very secure enrollment experience and make sure that malicious actors are much less likely to be able to enroll into the multifactor even if they know the primary credential.
Presenter: Similarly, for my key employees in operations, I can do the same. I can select, for example, I know that they have a lot of Windows 10 deployments. In that particular group, I enabled for them Windows Hello, U2F, and Okta Verify as options, and similarly enroll them on their first sign-on.
Presenter: Contrast that, for example, with sales teams that are distributed around the country, and in this case I'm allowing them to use other authenticators. They don't have access to all the same critical data as operations, finance, engineering, and administrators would, but we still need to secure them. So for them, I'm recommending they use Okta Verify with push, but I'm also allowing them to enroll their phone numbers for voice call authentication and SMS authentication. Again, different assurance levels, and we'll come back to what that means. This gives me greater stretchability on what the enrollment experience looks like, and then the actual authentication is handled by that.
Presenter: Now, if I log off of here, we can take a look at what this experience looks like for a first-time user. So, I will sign out from my administrator and let's log on to my demo organized session as one of the users who is part of the organization, but has not yet set up their authentication.
Presenter: We see here Beth Davis, she's in sales, and we see that she's not allowed to select here from the authenticators as a first-time user. Let's set up Okta Verify and we'll see how easy and smooth that is. By clicking on the Okta Verify setup, I'm going through the enrollment workflow. I'm selecting an iOS device here. I've already installed this on my device, so I'm going to the next step. We're presented here with a QR code.
Presenter: I will go ahead and open up the Okta Verify app on my mobile device, and let's switch to a view here where we can see this mobile device as I'm doing it. If I add this account, I am now activating the camera, and by simply pointing it here at the screen, I am now enrolling this user into this flow. Successfully enrolled, and we see that Okta Verify is checked off here on the screen.
Presenter: Enrollment is that easy. We're now done, we can finish, we don't have to go set up the other factors, and Beth was involved on the first login that they did to the system, and they now have access to their accounts, and we can challenge that securely anytime that they need to do this. Beth can also self-administer this and can choose to enroll into the other factors as appropriate. For example, she can select here to set up a text message or voice call for this particular use, as necessary.
Presenter: When they are then logging in for the next time, the actual challenge flow should be relatively straightforward. So, let's take a look at that. I'm now logged out again. Let's go back and log in as Beth Davis, put in the password, sign in, and since we're not in the corporate network, we're now ready to get the push notification. And let's take another look here at what this looks like from the end user device. If I'm here on the homepage when I sent the push notification, I see simply here on the top accept or deny the Okta login. I'm going to click here on the proof, and that completes the automatic here on the browser and they are logged in. It is really that simple.
Presenter: Now, if I can go back to the administrator experience, we can take a look at the other critical security tools that we have available to us. So, I'm going to log out of here and go back into the Okta admin account that I had set up. Let me log onto that one. As an administrative user, I'm also involved in two strong authentication, and so let me prove that here from the admin device.
Presenter: And now, let's take a look at the administrative settings. Here in the admin panel, one of the key aspects of the security is of course visibility into the events that happen. As we mentioned, one of the key aspects is we need to be able to take a look at these events here ourselves. So, let me go into the system log. This allows me to see the latest authentication events that we just had here, and we can see the logins that we just looked at. We had a successful authentication of a user. I can drill into the details and I can expand it and see here, for example, that we had an Okta administrative login that was done from this location where we're at. I see what version of the device we were using for the login. I can see all this detail.
Presenter: I can also drill into historical transactions, select a specific time range, or search by users for success or failure. A great example of that: I can simply say, let's look at all of the outcomes where the transaction was a failure, and I can sort all of my transaction history by that, and see that here we had an invalid credential login attempt. I can see where that was. I can drill into the map and see that it was done here in the San Francisco Bay Area and look at all the transaction details similarly. So, this alone gives you a great tool for looking into the actual event streams.
Presenter: And of course, like everything else in Okta, we also expose all of this in our APIs. This makes it easy for you to integrate all this data into your security operations workflows. If you're using a security analytics or SIEM platform, you can ingest it into that. We have prebuilt integrations with the most common ones. Similarly, you can create any custom workflows based on these, and say, for example, you can log these into a ticketing system. So, if you have ServiceNow or any ticketing system, you can integrate this and automatically create tickets for suspicious activity, and then disposition them as necessary.
Presenter: Another interesting thing we can also do is, if we see any kind of brute force attempts, we can mitigate them directly in here. Say, for example, we've seen a lot of unusual activity from this IP address. I can simply add that into my blacklisting, and this is all managed in our network zones, which is another key capability for protecting your enterprise and protecting your assets.
Presenter: So, let me take a look and see how this is actually handled. If I go into my network security settings, this is where I set up the zones that allow me to set up the policy. So for example, I control my authentication and enrollment policy by registering my corporate networks: all the network ranges and proxy ranges where my corporate IT assets are. I can also do temporary ones, like if I set up an event space and am now providing internet access there. I can set up a separate policy for those things. That's a great thing for trade show booth access, where you want to limit the scope of what can be done from there.
Presenter: And then, you can set up dynamic lists. For example, I may know that I have no active users that are coming in from China or any other countries. We can create dynamic blacklists where I can add country- or state-level controls here and say that I, for example, want to block every access that I have from Myanmar and China because I've seen suspicious activity emanating from there. It's this easy to add them into the lists.
Presenter: Another factor here is the blacklist. With blacklists I can temporarily or permanently block certain IP addresses from even getting into the authentication. This is great for slow-burn, denial of service type attacks where certain users are being targeted for password guessing or rotating password attempts that may result in the accounts being temporarily locked up. By creating temporary blacklists, you can prevent that from happening, because these are all evaluated before the authentication itself.
Presenter: So, by having this holistic framework, you can set up the authentication, you can set up the assurance level that you need, and this gives you great flexibility into managing the overall security.
Presenter: And even here as an administrator, it allows me to do a couple of interesting things. I can, for example, go back into my applications here as an administrator, and since I'm an admin, I can edit my own settings and involve a new factor. Say, for example, I already have the Verify mobile app set up; I can set up an optional U2F security key. This way, I may sometimes work in, say, a data center environment. In the data center cage, I can't bring my phone in there and there may be no cellular connection, but I still need access to my laptop, you know, to do my summary tasks. For that, I can enroll a security key, and in this case what we can do is simply register a U2F key.
Presenter: These are available from many different vendors. Here, for example, I'm using one from Yubico, and let's see if we can go ahead and enroll this into the flow. And I have now registered a U2F security key by simply plugging it into the laptop and tapping the little button on it. And now I have two authenticators available to me. So, the next time I log out of the system, if I do that right now and sign back in as the same administrative user, what the options are here: I can simply say here uptown admin and put in my password, and now on this sign-in I'll have a choice. I can authenticate with a security key. I can certainly authenticate with Okta Verify. Let me use the security key here. I'll simply plug it into the USB, tap on the little button, and I'm authenticated into the application.
Presenter: Extremely helpful for the users to have these options, and this gives a great lightweight way for the administrators to set it up, because there's no managing seed files, no shipping, and no keeping track of the inventory. It's fully self-service, and the end users can use any U2F device from any vendor. Now, this concludes my quick demonstration of the key capabilities.
In this demo, we'll review how to set up MFA for your organization and how to select authentication factors. You'll see how easy it is to administer MFA and pilot the authentication process. We show both the admin and the end user experiences, for both enrolling in authenticators and the challenge flow. Learn how to get visibility into recent authentication events via our system log, blacklist IP addresses, and integrate this all into your existing security workflows.
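As an added example (not from the demo and not Okta's own code), the Python below shows the kind of ingestion workflow the presenter describes: it parses constructed Okta-style System Log lines, finds source IPs with a burst of failed sign-ins (the slow-burn password-guessing pattern the presenter mentions), and reports them as candidates for review and a temporary blacklist zone. The event field names and the one-JSON-object-per-line shape are assumptions about the System Log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta-style System Log events, one JSON object per line (not real data).
# Field names follow the Okta System Log schema as I understand it: an assumption.
RAW_LOG = """
{"eventType":"user.session.start","published":"2023-01-10T08:00:00Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"beth.davis@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2023-01-10T08:01:30Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"ops.user@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2023-01-10T08:02:10Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2023-01-10T08:03:00Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"beth.davis@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2023-01-10T08:05:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"beth.davis@example.com"},"client":{"ipAddress":"192.0.2.5"}}
{"eventType":"user.session.start","published":"2023-01-10T08:00:00Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"beth.davis@example.com"},"client":{"ipAddress":"198.51.100.22"}}
{"eventType":"user.session.start","published":"2023-01-10T09:30:00Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"beth.davis@example.com"},"client":{"ipAddress":"198.51.100.22"}}
"""

def parse_log(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def failed_logins(events):
    """Yield (ip, user, timestamp) for every failed sign-in attempt."""
    for ev in events:
        if ev.get("eventType") == "user.session.start" and ev["outcome"]["result"] == "FAILURE":
            ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev["client"]["ipAddress"], ev["actor"]["alternateId"], ts

def blacklist_candidates(events, threshold=3, window_minutes=10):
    """Return {ip: {"failures": n, "users": [...]}} for source IPs with at least
    `threshold` failed sign-ins inside any `window_minutes` span (rotating attempts)."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ip, user, ts in failed_logins(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()                      # sliding window over time-ordered attempts
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(attempts),
                               "users": sorted({u for _, u in attempts})}
                break
    return flagged

if __name__ == "__main__":
    # Each flagged IP is a candidate for review and a temporary blacklist zone.
    print(json.dumps(blacklist_candidates(parse_log(RAW_LOG)), indent=2))
```

Only 203.0.113.7 is flagged with the defaults: it spread four failures across three accounts in three minutes, while 198.51.100.22 failed twice ninety minutes apart and only shows up if the window is widened.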