How to Extend Okta to Enterprise-wide Passwordless

Don Shin | September 18, 2024

In today’s evolving cybersecurity landscape, many businesses rely on Okta for identity and access management. While Okta offers significant advancements, including SSO and passwordless options, it still falls short of delivering true enterprise-wide passwordless access. This article explores the limitations of Okta’s approach and how you can extend its capabilities to eliminate passwords across all IT-managed applications, boosting both security and efficiency.

What You Will Learn

  • Why Okta’s “less frequently used” password solution is not truly passwordless.
  • The challenges of achieving passwordless access with Okta alone, especially for legacy and on-prem apps.
  • The security and productivity risks of relying on partial passwordless solutions.
  • How Octopus can extend your Okta investment to deliver enterprise-wide passwordless authentication.
  • The business and security benefits of eliminating passwords across all IT-managed applications.

Okta’s “Less Frequently Used” Password

Your business made significant investments in Okta for the workforce. That makes sense; Okta is an innovator in cloud IAM and SSO. And while Okta also trumpets passwordless, which is a good thing, what it delivers is, at best, a “less frequently used” passwords solution, not a true passwordless solution.

By adding Octopus to your Okta investment, you can achieve enterprise-wide passwordless.

Less frequently used passwords don’t make you passwordless

Why isn’t Okta passwordless? The simple test for enterprise-wide passwordless is to answer one question: Do your workers know and use their directory passwords to access any IT-managed application or service? Passwordless means no passwords.

Okta users don’t use their directory passwords when accessing Okta SSO-compatible apps with FastPass enabled or (sometimes) when logging on to Windows workstations. Aside from that, however, workers keep having to remember, type, and manage directory passwords for everything else.

If your business is like most successful enterprises, nearly half of your applications are still hosted on-prem (Bloomberg), and most of them require directory passwords for access. So, while office productivity and SaaS web apps convert easily to Okta SSO, your vital business apps cannot easily be converted or updated to use the Okta IdP or client-side certificate authentication.

Maintaining password-based access to these resources exposes your business to tangible, unnecessary security risks, and it frustrates workers and hinders productivity while keeping IT tied up responding to password support issues.

Unfortunately, Okta’s customers are responsible for modernizing their infrastructure to Okta-compatible standards to achieve Okta passwordless. That is no small task for established businesses driving to a Zero-trust Identity posture. 

Why Aren’t “Less Frequently Used” Passwords Good Enough?

SSO improves user experience. Making the first SSO login passwordless makes those accesses even better. However, SSO works with web apps, and enterprises run on more than subscribed SaaS apps, leaving users frustrated juggling different access methods – and old-fashioned passwords that routinely get phished.

For many enterprises, the most critical data resides on-prem and is ultimately the attacker’s destination. Leaving these areas exposed to access methods we know don’t work is like locking doors and leaving windows unlocked. 

True, enterprise-wide passwordless pays security and business dividends

Password exploits and their close cousin, phishing, account for 90% of successful data breaches. That is why high-assurance authentication is the foundation of Zero-trust, and stopping those attack paths dramatically buys down security risk. 

MITRE ATT&CK is the go-to toolkit for modeling the business’s threat exposure. In a single sweep, enterprise-wide passwordless mitigates many attacker techniques. In the ATT&CK Matrix for ICS analysis below, the red boxes highlight the techniques mitigated by passwordless MFA.

But the business payoffs extend beyond security. Users and IT Operations gain quantifiable savings worth millions of dollars by recovering time and eliminating the tedious work that goes away with passwords.

Partial Passwordless Misses Out on the Business Dividends

“Less frequently used” passwords are a step in the right direction, but they can’t eliminate popular techniques available to attackers. On the business side, partial solutions prevent IT from realizing the promise of passwordless, and of MFA for that matter: stronger, Zero-trust authentication across the workforce.

Password risks remain, users are still burdened with password management, and no IT Admin tasks get eliminated.

Real-world Challenges of Updating Apps

SaaS web apps have changed businesses for the better, and they tend to convert easily to SSO since the vendor is responsible for delivering that feature. However, as mentioned before, nearly half of enterprise new software purchases deploy as self-managed on-prem. That doesn’t include your business’s custom R&D-developed apps for your one-of-a-kind business workflows, which are rarely compatible with Internet-based SSO.

Okta provides tools to help customers with the conversion process, including modules like Access Gateway and Advanced Server Access. Unfortunately, most Okta customers find the licensing, the development cost, or buying connectors from vendors like Aquera too expensive, so they leave those apps on passwords.

Here are two IT leaders recounting their challenges. Perhaps you are in the same situation and need less disruptive options:

Automotive Manufacturer 

An automotive IT leader discussed the challenges of upgrading more than two thousand applications accumulated from decades of M&As and through organic growth in building their one-of-a-kind business. A dedicated development team sets aside an average of five days per app for SSO compatibility updates. Five days sounds fast, but at that rate, it will be 40 years before all the apps are SSO-compatible. In other words, it will never happen, since the world will be different in 40 years.

Insurance industry 

In another conversation, an insurance IT leader talked about how they spent the last few years converting their apps to Okta SSO. At this point, they have successfully converted one-third of all the apps, a big accomplishment. The remaining two-thirds will likely be more challenging to convert and will take longer than 2x the last few years.

Octopus Extends Okta Investments to Enterprise-wide Passwordless

Octopus extends your Okta investment to enterprise-wide passwordless. With Octopus, Okta customers can continue using Okta Verify, SSO, and Okta Universal Directory native capabilities while extending high-assurance passwordless MFA to every IT-managed application, network service, and system without redesign.

How Octopus works

The Octopus Authentication Platform is built around a patented feature known as Invisible Secret Rotation. The platform replaces the user’s Okta Universal Directory password entry with a machine-generated token that Octopus manages and rotates. The user never knows that token or when it is rotated. Instead, users authenticate to Octopus using a stronger passwordless mechanism, such as Okta Verify with biometrics or other passwordless methods like FIDO2 tokens or X.509 smartcards. Once the user has passed the high-assurance authentication, Octopus orchestrates access to user desktops and acts as a passwordless IdP to Okta SSO and to unsupported password-based apps in the backend.

Ephemeral and Entropic Tokens

Octopus tokens are rotated on predefined schedules: on every successful access, on minute, daily, or weekly cycles, or on demand by the administrator. Since the user never knows or types the token, it can be complex, up to 64 random machine-generated characters. And because the token’s value is random, even short eight-character tokens are difficult to guess and too short-lived to be of value to an attacker.
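To make the entropy and rotation-window argument above concrete, here is an added Python model (not Octopus or Okta code) of a rotated, user-invisible secret: it generates tokens from a CSPRNG, computes their guessing entropy, estimates how much of the keyspace a guesser can cover before the next rotation, and models the max-age, per-access, and on-demand rotation policies the paragraph lists. The 94-character alphabet and the guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string
from datetime import datetime, timedelta
from typing import Optional

# Assumed alphabet: the 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_token(length: int) -> str:
    """Machine-generated secret drawn from a CSPRNG; the user never sees it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Guessing entropy of a uniformly random token of this length."""
    return length * math.log2(len(ALPHABET))


def keyspace_fraction_searched(length: int, window_seconds: float, guesses_per_second: float) -> float:
    """Share of the keyspace a guesser at the given rate covers before the secret rotates."""
    return min(1.0, guesses_per_second * window_seconds / len(ALPHABET) ** length)


class RotatingSecret:
    """Models the rotation policies in the text: max age, per-access, and admin on-demand."""

    def __init__(self, length: int, max_age: Optional[timedelta], rotate_on_use: bool):
        self.length, self.max_age, self.rotate_on_use = length, max_age, rotate_on_use
        self._value: Optional[str] = None
        self._issued: Optional[datetime] = None

    def rotate(self, now: datetime) -> str:
        """Issue a fresh secret now (admin on-demand rotation; also used internally)."""
        self._value, self._issued = generate_token(self.length), now
        return self._value

    def current(self, now: datetime) -> str:
        """Return the live secret, rotating first if it has aged out."""
        expired = self._value is None or (
            self.max_age is not None and now - self._issued >= self.max_age)
        return self.rotate(now) if expired else self._value

    def on_successful_access(self, now: datetime) -> None:
        """Per-access policy: burn the secret after each successful login."""
        if self.rotate_on_use:
            self.rotate(now)
```

With an hourly rotation and an assumed rate of one billion guesses per second, an attacker covers well under 0.1% of the eight-character keyspace before the secret changes; a 64-character token exceeds 400 bits of entropy.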

Compatible Without Redesign

The Octopus machine-generated token approach is compatible with Okta and with password-based apps, without the heavy lift of redesign. The token mechanism differs from Okta and other passwordless approaches that rely on client-side X.509 certificates. X.509 methods are not new; the US government moved to Personal Identity Verification (PIV) authentication in 2004. Two decades of effort later, enterprise-wide coverage eludes that program too.

Octopus is compatible with existing infrastructure. That means that you can use Octopus with Okta investments to achieve enterprise-wide passwordless coverage in days and weeks instead of months, years, or perhaps never, with the Okta-only approach.

To sum up: 

Octopus plus Okta = 100% passwordless coverage with 0 change to your infrastructure.

UX Demos

Three demo videos show the Octopus passwordless user experience with Okta Verify and Okta Universal Directory.

Summary

Every IT leader knows passwordless slashes the attack surface, makes workers and IT admins more productive, and pays business dividends. However, IAM vendors, including Okta, Ping, and Microsoft Entra, only deliver “less frequently used passwords”, which fall short of their enterprise-wide passwordless security and user experience goals.

By adding Octopus, IT leaders get a fast and efficient method for extending their Okta investments to enterprise-wide passwordless without disrupting existing apps and systems.

Key takeaways

  • Passwordless slashes the attack surface, delights the workforce, and pays quantifiable business dividends.
  • Okta FastPass works with SSO, but enterprises are so much more than the web apps supported by SSO.
  • By adding Octopus to your Okta investments, users get the same Okta experience, but now passwordless enterprise-wide.