{
    "componentChunkName": "component---src-templates-blog-blog-list-template-blog-list-template-js",
    "path": "/articles/5",
    "result": {"data":{"allContentfulSecOktaComBlogPost":{"nodes":[{"updatedAt":"2025-02-09T23:55:08.837Z","slug":"/seven-fewer-super-admins","node_locale":"en","date":"2024-09-02T00:00","secAuthor":[{"name":"Kalpana Adlakha","slug":"/hackers/kalpana-adlakha","jobTitle":"Senior Product Manager","id":"4fcb85f0-473e-57ff-b1d4-6f7dc8281c69","bio":{"bio":"Kalpana has worked in product management roles at numerous technology startups prior to joining Okta in 2022. Kalpana has built product capabilities that enhance and protect the administrative experience in the Okta Workforce Identity Cloud, including for delegated administration, custom admin roles and protected actions. "},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=58&h=58&q=50&fm=png 
58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6dS0ZBKl6KfE5MZFgQgzLR/b01384c225380a07bdf6d09c3378af0b/kalpana.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#080808","width":58,"height":58}}},{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 
100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#887808","width":58,"height":47}}}],"title":"Seven Ways to Reduce Super Admins in Okta","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"The first step in your journey to Zero Standing Privileges is to reduce the standing assignment of highly privileged roles."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few months, Okta has made considerable progress in our quest to deliver zero standing privileges to  administrators of the Okta Platform.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we discussed in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/caseforzerostandingprivileges\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Part 1 of this blog 
series\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Zero Standing Privileges takes the concept of “least privilege” access to the nth degree. We aim to deliver an operating model in which no interactive (human) user account has ongoing, permanent access to highly privileged administrative roles or permissions, which are instead granted on a just-in-time, time-bound basis when required. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This model of access dramatically reduces the attack surface for an organization. In the rare circumstance that an attacker gains unauthorized access to a user or service account, their ability to abuse this access is greatly diminished.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, the permissions in many administrative accounts tend to exist by inertia: a role was required for a given task at some point in time, but there has been no driver (or governance) in place to pare the permissions back to what the account requires on an ongoing basis. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we’ve \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/protectingadminsessions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previously written\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the first step toward zero standing privileges is to identify the use cases your organization has for highly privileged roles. Some use cases, such as break glass accounts, require standing privileges. In other cases, a user performs an administrative task so frequently that it’s impractical to ask them to request permission every time they do it. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, if a permission is (a) attractive to an attacker and (b) rarely required and used intermittently, that is an ideal candidate for a custom admin role that is only available on a Just-in-Time (JIT), time-bound basis via Okta’s ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". (NB: The ability to govern Okta admin roles is a new capability, available to all Okta Workforce customers: talk to your Account Exec if you can’t find it in the console!)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a first step, Okta created \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specific permissions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for several such tasks or “jobs to be done” so that they can be assigned to a role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The use of specific permissions to create \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"custom admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" can dramatically reduce the number of accounts with 
standing access to highly privileged permissions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next step is to use Okta’s governance features to restrict those rarely used and highly privileged permissions to an access request flow. Using these features, an administrative user must request and be approved via dual authorization to perform tasks that require a privileged permission. Once approved, the user can only use the permission for a set period of time before their account reverts to its standing role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this post, we’ll cover the first step in the process: identifying permissions that help to reduce the use of the most privileged role in Okta, the Super Administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1 - JIT permission to modify an Identity Provider \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to create or modify a third party identity provider fits squarely into the category of a highly-privileged and intermittent administrative task. Until recently, this task required an account with a Super Administrator or Org Administrator role. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So this task makes an ideal candidate use case for governing Okta admin roles. 
It’s especially prudent to lock down this permission given \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"adversarial interest\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in abusing trust relationships for impersonating users in downstream applications. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend creating a custom admin role scoped to the Manage Identity Providers permission (okta.identityProviders.manage) that is available on a JIT basis, subject to approval workflows, and which expires after a few hours.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Further, it’s good practice to turn on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"protected actions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to ensure that any Identity Provider lifecycle event (adding or modifying identity providers) will first trigger a step-up authentication challenge.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2 - JIT permission to modify AD/LDAP Agents\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"After initial setup of an Okta Org, administrators should not need to create or modify new directory agents frequently. 
If your org has enabled auto-updates for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/directory/agent-auto-update-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"AD agents\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/directory/ldap/agent-auto-update-ldap.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"LDAP agents\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", there is limited agent maintenance required via the Okta Admin Console or Management APIs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating or modifying agents has historically required an account with the Super Administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can avoid using Super Administrator by:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a custom admin role scoped to the Manage Agent permission (okta.agents.manage),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/governance-admin-roles/ar-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access Request flow\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that provides this 
role on a JIT basis, subject to approval workflows, and which expires after a few hours,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assigning a group of trusted administrators to request and approve this access.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Important: if you still use Active Directory, you reduce the number of service accounts that use the Super Administrator role (by at least 1!) by simply upgrading to Version 3.18 of the AD Agent. From Version 3.18, the AD Agent uses OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to communicate with Okta, and is no longer bound to a specific administrative user account.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3 - JIT permission to modify Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s no-code automation tool, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/au/platform/workflows/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", is a powerful application and an addictive administrative experience for administrators that want to automate identity-related operations without writing code. Given the breadth of tasks an administrative user can automate with Workflows, creating and modifying a Workflow historically required the Super Administrator role. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The great news is, you don’t need the Super Admin role for this any longer!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/wf/en-us/content/topics/workflows/access-control/access-control-get-started.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role-Based Access Control for Workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (now in Early Access) provides a choice of three distinct roles scoped exclusively to the Workflows app. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Administrator\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is assigned within the Okta Admin Console, and provides administration capabilities within Workflows. 
This role can be requestable using Okta's ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Connection Manager\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is a permission assigned within Okta Workflows, and grants the ability to create or modify connections. This is useful for any service accounts required to authorize connections.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Workflows Auditor\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" is a permission assigned within Okta Workflows, that grants “read only” permissions to view everything in Okta Workflows, but no ability to modify anything.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we’re on the subject, the Authentication Policy for the Workflows app should be at least as strong as what is required for access to the Okta Admin Console.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A least privilege approach to Workflows would be to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create and test 
Workflows in your Preview or Test Org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once the flow is ready for prime time, export it as a .flow or .folder file\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Request JIT access to the Workflows Administrator role using govern Okta admin roles in the production org \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Import the .flow or .folder file and configure any required connections\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ensure that your production Workflows app has only been granted the OAuth scopes that your flows require.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4 - A Custom Admin Role to manage Access Requests\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/au/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" provides simple, convenient tools for taking the complexity out of tasks like managing user requests to access applications and running scheduled user access reviews (access certifications) as a layer of governance over that 
access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From a security perspective, the ability to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"create\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" access request flows and modify their conditions is a fairly privileged affair. Out of the box, an Okta Org has a choice of two roles that can do this:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user with the Super Administrator role, or\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user with the Access Request Admin role \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"and\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" the Application Admin role for the application the flow provides access to. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Creating a Custom Admin Role for the second option gives you everything you need to create and modify access requests, without the excessive permissions of a Super Administrator. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The one exception to this is if you’re using Access Requests to govern access to Okta Admin Roles, as opposed to user roles in downstream applications. This is where things start to get a bit \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"meta\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\". 
If as an administrator I have the ability to set the conditions via which a user can request access to a role with administrative permissions, I effectively have the same level of privileges as an administrator that can grant privileges directly. So to create and modify access requests for Okta admin roles, I must be a Super Administrator. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5 - Delegated Permission to Read or Invoke Workflows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More good news: you also no longer need Super Administrator permissions or Workflows RBAC permissions to simply invoke (run) a Workflow in Okta. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An administrator with lower permissions can invoke (run) a flow using a feature called \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/wf/en-us/content/topics/workflows/access-control/access-control-permission-changes.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"delegated flows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Using this feature, service desk personnel can be granted permission to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/wf/en-us/content/topics/workflows/execute/run-delegated-flow.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"start\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" a specific flow using their limited access to the Okta Admin Console, without accessing the Workflows app directly. Service desk personnel won’t be able to modify or even view a flow assigned to them, but they can interact with it under whatever constraints you design. 
You can probably imagine any number of other use cases for this outside the Service Desk too.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6 - Use API Service Integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Another way to avoid the use of the Super Administrator role is to embrace \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/build-api-integration/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integrations\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", especially for security use cases.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using API Service Integrations, access doesn’t require the role of a highly privileged service account created by a user. API Service Integrations access Okta APIs in the context of an application using the OAuth 2.0 Client Credentials flow. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"several reasons\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" why this delivers a stronger security outcome. 
Each access token enables the bearer to perform specific actions on specific Okta endpoints, instead of whatever actions are available under a role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can generally judge a security vendor’s commitment to least privileges by whether they have an API Service Integration available. We’d like to give a big hat tip to Sysdig, Datadog, Kandji, Palo Alto, Elastic, Wiz and others that made this commitment good and early! \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"7 - Delegated Permission to Read Privileged Users\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given Okta’s commitment to least privilege access, an account with Super Administrator permissions is required to view or modify information about other Okta administrators. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As such, the standard Read Only Administrator role in Okta can view information on regular user accounts, but not information (such as assigned role, resource and permissions) about accounts with administrative permissions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As we mentioned above, third party security providers should use an OAuth-powered \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/build-api-integration/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integration\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which sets permissions at the application context and does not require a service account. 
API Service Integrations provide numerous advantages when it comes to reducing the blast radius of a stolen API token, as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/blog/2023/09/25/oauth-api-tokens\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this blog\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" neatly summarizes. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, you may have observed other third-party security tools (such as posture management or “ITDR” apps) request that Okta customers create a service account assigned with the Super Administrator role, use this account to create a static API token, and hand over the token to the third-party for ongoing access. This integration pattern often results in over-privileged accounts. And it really doesn’t need to be this way.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the vendor hasn’t built an API Service Integration and continues to insist on the use of static bearer tokens, you can most likely give the app a custom admin role and avoid using the Super Admin role. You might consider, for example, adding the identity and access management\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"permission (okta.iam.read) to the standard\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Read Only Administrator \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"role. 
The IAM permission provides read-only access to roles, resource sets, and admin assignments, without adding unnecessary attack surface.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next steps \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So we’ve now established that a large number of tasks no longer require the Super Administrator role. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we continue to need Super Admin to assign administrative permissions or to modify administrator accounts. That makes the Super Administrator role itself a prime candidate for a time-bound role, available on-demand after more than one other user in a trusted group of administrators approve the access using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Your next task is to think about what \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"baseline\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" permissions you’ll give to groups of administrators at your organization. What are the tasks they perform so frequently, that it would be impractical to have to go through some form of access request every time? 
Don’t forget that you can bundle standard roles, custom roles and resources together to create a baseline role best suited to your organization’s structure and risk appetite.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In our next blog on identity governance, we’ll dive deeper into creating access requests using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/governance-admin-roles/govern-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"govern Okta admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" feature.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-02-10T00:13:13.630Z","slug":"caseforzerostandingprivileges","node_locale":"en","date":"2024-08-19T00:00","secAuthor":[{"name":"David Bradbury","slug":"david-bradbury","jobTitle":"Chief Security Officer","id":"87a8e5b7-da9e-56f7-95dc-37bd1aaee0d9","bio":{"bio":"<p>David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. </p>\n\n<p>Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cyber security and physical security programs. </p>\n\n<p>Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly-regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. 
He holds a B.S. in Computer Science from the University of Sydney.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=15&h=23&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=29&h=44&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=58&h=87&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6TmzH9CPucdERKO5GNXf0y/9be194da88159d15d0faa88d84c5f70b/okta_062624_David_Bradbury_0819.jpg?w=116&h=174&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8d8","width":58,"height":87}}}],"title":"The Case for Zero Standing Privileges 
","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Why privileged users need to embrace Just-In-Time role assignment."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The principle of least privilege is one of the best known laws of information security: and it’s often the most difficult to put into practice. The principle demands that a user should only be given access to the resources and permissions they require to complete their tasks, and no more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When I speak with peer CISOs they routinely state that they don’t have much trouble applying this principle to regular users, but they are still challenged when privileged access comes under scrutiny. Privileged Access Management (PAM) provides the seatbelt that makes it safe to grant privileged roles. Specifically, PAM addresses the risk posed by adversary access to administrator credentials by vaulting the passwords used for access to privileged resources. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"PAM has come a long way: in a former life we actually stored passwords on pieces of paper inside a physical vault! Vaulting software and services allows us to gate access to the credentials used for privileged access, and to require controls like step-up authentication and/or dual authorization before an administrator can “check out” the password. 
PAM can and should also offer an ability to automatically rotate a password after use by a human administrator.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today’s PAM solutions have served us well when it comes to securing access to privileged on-prem resources like databases and servers. However, they tend to fall short when a privileged resource, such as a non-federated, privileged account in a B2B SaaS app, is accessible via the public internet. The vaulting capability can ensure that only an authenticated and authorized user can check out the credential for that privileged account, but if that password is entered into a SaaS app via an interactive browser session, the PAM solution can do little to protect the password from being saved (inadvertently) in the user browser or intercepted by malware. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past 12 months, we have observed a number of attacks where the vaulting of a password wasn’t sufficient to prevent adversary access to administrative resources.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These risks arise because:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We are dealing with an Infostealer epidemic:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" The sheer size of the “combo lists” of stolen credential pairs and session tokens distributed on the internet today is staggering.  
Most of the enterprise credentials caught up in these dumps were extracted from personally-owned devices or the devices of temporary contractors - devices that were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"not\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" subject to endpoint protection controls. Any password submitted via the browser of a malware-compromised device is vulnerable to interception. (You could say that the security teams of today are paying the price for the surge in the use of personally-owned devices that arose during the pandemic).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attackers are targeting native/non-federated/local accounts\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": Attackers are wise to the challenge posed by user accounts protected by single sign-on (SSO) and multifactor authentication (MFA). We have observed an increase in the targeting of non-federated accounts that allow direct access to the SaaS application. Authentication policies for non-federated accounts are typically weaker than those federated with an SSO provider. 
Numerous high-profile attacks involve the same pattern over and over: the password or long-lived session token for a privileged account is extracted from an unmanaged device using infostealer malware, and is often sold on or distributed to other attackers.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These risks can be mitigated if:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams have tools to discover unexpected local/non-federated paths of access into SaaS applications, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams can protect credentials with a cloud-native PAM that can auto-rotate credentials for SaaS applications after they are accessed by a human user.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made it our mission to build the tools that mitigate these risks (see \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/au/products/privileged-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Privileged Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/products/identity-security-posture-management/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identity Security Posture Management\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"). But as with any adversarial contest, “the enemy gets a vote” too: we should not expect their capabilities to stand still. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So every organization also needs to be thinking about how to reduce or limit the blast radius when attackers successfully take over a highly privileged account. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enter (near) zero standing privileges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nZero standing privileges takes the principle of least-privileged access to the nth degree. As the words suggest, the idealized state is that a grand total of zero accounts have standing administrative permissions in applications. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I say “idealized” state because most systems are designed to have at least one interactive account with a\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"level of administrative privilege. Resiliency demands the use of a break glass account - a shared account that can be relied on if the accounts assigned to individual human administrators are inaccessible. So if we’re being pragmatic, our North Star should be to reduce standing privileges to “near zero”. The minimum goal should be to have fewer user and machine accounts with highly privileged roles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You won’t need to look very hard to find opportunities to downscope access. 
Large-scale studies have demonstrated the extent of the problem of over-privileged access: almost every user and machine account in the cloud is \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42_cloud-threat-report-vol6.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"granted permissions that lie unused [pdf]\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Microsoft’s research shows that \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://learn.microsoft.com/en-us/security/zero-trust/develop/overprivileged-permissions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"less than 10%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of permissions granted to Azure apps are ever used.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is a role for everyone in the identity ecosystem to play in whittling those permissions down:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cloud service providers have a role to play in helping their most security-conscious customers pare back the privileges that come with standard/out-of-the-box roles. 
Okta has made progress on the number of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"granular permissions available\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to create custom admin roles, and more are on the way.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers of these services need to use custom admin roles to reduce the number of user and machine accounts with excessive permissions. Customers should also consider the myriad open source tools available for identifying excessive permissions in cloud infrastructure and applications, if not licensed Cloud Infrastructure Entitlement Management (CIEM) solutions.\\n\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Supporting zero standing privileges in the workforce\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nAs part of the Okta Secure Identity Commitment, Okta recently shipped \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2024/04/least-privilege-for-your-critical-identity-roles-introducing-govern-okta-admin-roles/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a license-free add-on for every customer of the Okta platform. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles allows for the most privileged administrative roles and permissions \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"in Okta\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to be granted on a just-in-time basis. It’s built using some of the same tools our customers use to govern roles in third party applications (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/au/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"). \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Access to Okta administrative roles can be configured to require dual authorisation, trigger customizable workflows, and be scheduled to expire after a specified time interval. My team recently recorded a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=5vEXBdAxBfU&t=816s\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"live demo of this capability\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for the Risky Business podcast if you'd like to learn more.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I suggest taking a three-step approach to embracing this new capability:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Study what features your most privileged administrators use frequently. 
You are more than likely to find that the majority of permissions assigned to any given role are excessive. Work collectively to map out what baseline permissions are required for the roles in your organization.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Replace standard roles with Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that include only the permissions your administrators require most frequently. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure access request and approval flows for the more privileged and less frequently used permissions, such that they are available on a JIT basis and protected by dual authorization. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In Part II of this blog series, we’ll unpack \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"which permissions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in Okta best meet the criteria for JIT access. 
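To make step 1 measurable, and to surface the pattern the earlier post on super admins warns about (a service account holding Super Admin plus a static API token), here is an added Python example. It is not part of this post and not an Okta tool; it runs over constructed data whose shapes mirror only the fields used from GET /api/v1/users/{id}/roles, GET /api/v1/api-tokens and System Log events (tokens are keyed by owner login here rather than userId for readability, and the logins, token names and event counts are invented). It lists standing privileged accounts, the static tokens they own, the privileged accounts that completed no admin action in the window, and, per admin, splits completed actions into weekly-or-more (baseline candidates) and rarer ones (candidates for a JIT request).

```python
from collections import Counter

WINDOW_DAYS = 30                                # days of System Log covered below
PRIVILEGED_ROLES = {'SUPER_ADMIN', 'ORG_ADMIN'}  # standard roles treated as highly privileged

# Constructed sample data (invented logins, tokens and counts). Shapes mirror the
# fields this script uses from GET /api/v1/users/{id}/roles, GET /api/v1/api-tokens
# and System Log events; tokens are keyed by owner login here instead of userId.
ROLE_ASSIGNMENTS = {
    'alice.admin@example.com': [
        {'type': 'SUPER_ADMIN', 'status': 'ACTIVE', 'assignmentType': 'USER'}],
    'bob.helpdesk@example.com': [
        {'type': 'CUSTOM', 'label': 'Helpdesk baseline', 'status': 'ACTIVE', 'assignmentType': 'GROUP'}],
    'itdr-svc@example.com': [          # third-party tool: Super Admin plus a static token
        {'type': 'SUPER_ADMIN', 'status': 'ACTIVE', 'assignmentType': 'USER'}],
    'breakglass@example.com': [        # accepted standing privilege, expected to sit unused
        {'type': 'SUPER_ADMIN', 'status': 'ACTIVE', 'assignmentType': 'USER'}],
}
API_TOKENS = [
    {'name': 'posture-vendor', 'owner': 'itdr-svc@example.com'},
    {'name': 'terraform', 'owner': 'bob.helpdesk@example.com'},
]


def _events(login, event_type, n, result='SUCCESS'):
    # n copies of one System Log event, trimmed to the fields used here
    return [{'eventType': event_type, 'actor': {'alternateId': login},
             'outcome': {'result': result}}] * n


SYSTEM_LOG = (
    _events('alice.admin@example.com', 'user.lifecycle.reset_password', 40)
    + _events('alice.admin@example.com', 'group.user_membership.add', 25)
    + _events('alice.admin@example.com', 'user.account.privilege.grant', 1)
    + _events('alice.admin@example.com', 'policy.rule.update', 1)
    + _events('alice.admin@example.com', 'policy.rule.update', 5, 'FAILURE')
    + _events('bob.helpdesk@example.com', 'user.lifecycle.reset_password', 60)
)


def standing_privileged(assignments, roles=PRIVILEGED_ROLES):
    '''Logins holding an ACTIVE standard privileged role outright (not via a JIT grant).'''
    return {login for login, rs in assignments.items()
            if any(r['type'] in roles and r['status'] == 'ACTIVE' for r in rs)}


def tokens_held_by(tokens, logins):
    '''Static API tokens owned by the given logins: a stolen token carries the whole role.'''
    return sorted(t['name'] for t in tokens if t['owner'] in logins)


def usage_profile(events, login):
    '''Admin actions the actor actually completed (failed attempts do not count as usage).'''
    return Counter(e['eventType'] for e in events
                   if e['actor']['alternateId'] == login
                   and e['outcome']['result'] == 'SUCCESS')


def split_baseline_and_jit(profile, window_days=WINDOW_DAYS, min_per_week=1.0):
    '''Actions done at least min_per_week times are baseline candidates; rarer ones
    are candidates for an access request instead of a standing grant.'''
    threshold = min_per_week * window_days / 7
    baseline = sorted(k for k, n in profile.items() if n >= threshold)
    jit = sorted(k for k, n in profile.items() if n < threshold)
    return baseline, jit


def audit(assignments=ROLE_ASSIGNMENTS, tokens=API_TOKENS, events=SYSTEM_LOG):
    privileged = standing_privileged(assignments)
    report = {
        'standing_privileged': sorted(privileged),
        'tokens_on_privileged_accounts': tokens_held_by(tokens, privileged),
        'never_exercised': sorted(l for l in privileged if not usage_profile(events, l)),
        'profiles': {},
    }
    for login in sorted(assignments):
        baseline, jit = split_baseline_and_jit(usage_profile(events, login))
        report['profiles'][login] = {'baseline': baseline, 'jit': jit}
    return report


if __name__ == '__main__':
    import json
    print(json.dumps(audit(), indent=2))
```

Mapping each baseline event type back to a granular permission from the linked permissions list is the manual part of the exercise. A break glass account is expected to appear under never_exercised; a vendor service account appearing there alongside a static token is the finding the earlier post describes.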
\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-02-10T00:14:20.398Z","slug":"/fastpasshardening","node_locale":"en","date":"2024-08-08T01:00","secAuthor":[{"name":"Johannes Stockmann","slug":"/hackers/johannes-stockmann","jobTitle":"Senior Software Architect","id":"8528ce08-133a-57ef-acc1-823b04af8cc3","bio":{"bio":"Johannes leads Okta's Zero-Trust architecture and its FastPass enterprise authenticator. Using feedback from small and large enterprise companies as well as security researchers, he is continuously working on making strong phishing resistant authentication available to everyone and in every scenario while also mitigating new attack patterns in a world without passwords. He is passionate about identity and security standards, and is active in the FIDO Alliance."},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 
29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/7wQGE40H11s37DZaw9OprP/d33bdbe4c1fe8340995e0949585aa810/js_profile.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8d8d8","width":58,"height":58}}},{"name":"Dan Post","slug":"dan-post","jobTitle":"VP, Development Engineering","id":"c235ce3a-92ed-529f-8c59-c8f845622414","bio":{"bio":"Dan is a VP of Engineering at Okta, focusing on Access Management in the Workforce Identity Cloud.  He joined Okta to make the world safer and more prosperous by mitigating the dangers of threat actors bypassing access restrictions through better technology, and ensuring end users are delighted by a frictionless, flexible experience of getting their work done instead of being sent through endless frustrating speed bumps.  Prior to Okta, Dan enjoyed a long career working as a leader and developer on a variety of products, from the metal up to the cloud."},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=15&h=14&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=29&h=28&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=58&h=55&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=116&h=110&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 
100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=58&h=55&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=15&h=14&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=29&h=28&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=58&h=55&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/BRLA6lxnpMPhu6417V1jh/728f80c09ee397529628653da15555ba/dp_lowres.jpeg?w=116&h=110&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8e8","width":58,"height":55.00000000000001}}},{"name":"Okta Product Security","slug":"product-security-team","jobTitle":"The artists formerly known as the REX (Research and Exploitation) team.","id":"180f95d6-983c-585e-ab25-442a52dbff38","bio":{"bio":"Okta Product Security, formerly known as the REX (Research and Exploitation) team."},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 
100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=58&h=58&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3xrOguKhVQ2NoNX2glBxze/397b30dd03c11f0bcdb96671b3010b37/Okta_Aura_CMYK_Black.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#080808","width":58,"height":58}}}],"title":"FastPass: The battle-hardened authenticator","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"A short history of hardening Okta FastPass."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has experienced strong growth in the enterprise market, with many customers drawn to the promise of protecting their workforce with phishing-resistant authentication. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass is the fastest growing authentication method in  Okta Workforce Identity. Our goal is for FastPass to be the most secure, usable, and deployable enterprise authenticator, and we are committed to maintaining a leadership position in protecting against the evolving threat landscape. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass delivers a simple passwordless user experience, including zero or one-touch biometric authentication on all major operating system platforms. Okta secures this experience with device-bound, phishing-resistant authentication and device posture enforcement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As more organizations go passwordless, Okta FastPass has benefited from the research of red teams commissioned by these customers to put the claimed security properties of FastPass to the test. Okta has also benefited from testing conducted by hundreds of researchers via a public bug bounty program. The Okta Verify client has been in scope for rewards for several years, with the FastPass method added in October 2023.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the reasons Okta offers public bug bounties is because very often, security research is a driver of product innovation. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this blog post, we summarize close to two years of FastPass innovations, many of which were driven by internal reviews conducted by Okta’s internal Product Security team, testing conducted by customer red teams, and from independent security researchers contributing to Okta’s public bug bounty programs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The goal throughout this journey has been to narrow the range of opportunities for an adversary that targets a user protected by FastPass.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Most research falls into one of the following categories: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing Enforcement of Phishing Resistance,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacking Factor Enrollment and Recovery;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing User Verification;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Attacks on a Previously Compromised Device.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing Phishing 
Resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most popular phishing-resistant method of user sign-in requires an authenticator that won’t issue credentials to any site other than the trusted origin established during user enrollment. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using Okta FastPass, a user’s credential is cryptographically bound to a specific Okta Org (tenant). This binding mitigates the most common means by which user credentials get stolen: when users are tricked into sharing them via a malicious phishing site or some other form of social engineering. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2022/11/a-deep-dive-into-okta-fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"2022 deep dive\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on Okta FastPass explains, the methods (or probing schemes) by which any given operating system (Android, iOS, macOS and Windows) can support phishing resistance vary. Okta’s first engineering challenge was how to deliver a consistent, phishing-resistant experience on all four major OS platforms and browsers. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Some of the most useful early research into FastPass identified how an attacker might exploit scenarios in which a probing scheme that supports phishing resistance would fall back to a scheme that doesn’t. 
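As an added illustration (not Okta's code; an HMAC over a shared secret stands in for the device-bound key pair, and the origins, device id and scheme names are invented), the following Python models the origin binding described above together with an org-side policy that accepts only flows in which the probing scheme asserted the origin. Three exchanges are run: a normal sign-in; a phishing page relaying the real challenge, where the probing scheme reports the phishing origin so the device issues no credential at all; and a flow that fell back to a scheme asserting no origin, which the org accepts only if it has not enforced phishing resistance in policy.

```python
import hashlib
import hmac
import secrets

PHISHING_RESISTANT = 'phishing_resistant'  # probing scheme asserted the origin
FALLBACK = 'fallback'                      # legacy scheme: origin not asserted


def _mac(secret, origin, nonce, method):
    # Stand-in for the device-bound signature: HMAC over what is being asserted.
    msg = '|'.join([origin, nonce, method]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Authenticator:
    '''Device side (hypothetical model): one secret per enrolled org origin.'''

    def __init__(self, device_id):
        self.device_id = device_id
        self.keys = {}  # bound origin -> secret

    def enroll(self, org_origin):
        secret = secrets.token_bytes(32)
        self.keys[org_origin] = secret
        return secret  # the org stores this as the device credential

    def respond(self, challenge, observed_origin=None):
        # observed_origin is what the phishing-resistant probing scheme reports;
        # None means the flow fell back to a scheme that asserts nothing, so the
        # only origin available is the unverified one named in the challenge.
        if observed_origin is not None:
            origin, method = observed_origin, PHISHING_RESISTANT
        else:
            origin, method = challenge['org'], FALLBACK
        secret = self.keys.get(origin)
        if secret is None:
            return None  # no credential for an origin we never enrolled with
        return {'device_id': self.device_id, 'origin': origin,
                'nonce': challenge['nonce'], 'method': method,
                'sig': _mac(secret, origin, challenge['nonce'], method)}


class OrgServer:
    '''Org side: issues one-time challenges and verifies assertions under policy.'''

    def __init__(self, origin, require_phishing_resistant=True):
        self.origin = origin
        self.require_pr = require_phishing_resistant
        self.credentials = {}  # device_id -> secret
        self.outstanding = set()

    def register(self, device_id, secret):
        self.credentials[device_id] = secret

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {'org': self.origin, 'nonce': nonce}

    def verify(self, assertion):
        if assertion is None:
            return 'denied: authenticator issued no credential'
        secret = self.credentials.get(assertion['device_id'])
        if secret is None:
            return 'denied: unknown device'
        if assertion['nonce'] not in self.outstanding:
            return 'denied: unknown or replayed challenge'
        self.outstanding.discard(assertion['nonce'])
        expected = _mac(secret, assertion['origin'], assertion['nonce'], assertion['method'])
        if not hmac.compare_digest(expected, assertion['sig']):
            return 'denied: bad signature'
        if assertion['origin'] != self.origin:
            return 'denied: credential bound to another origin'
        if self.require_pr and assertion['method'] != PHISHING_RESISTANT:
            return 'denied: policy requires a phishing-resistant flow'
        return 'ok: ' + assertion['method']


def run_scenarios(require_phishing_resistant=True):
    org = OrgServer('https://acme.okta.example', require_phishing_resistant)
    dev = Authenticator('laptop-1')
    org.register(dev.device_id, dev.enroll(org.origin))
    # 1. Normal sign-in: the browser is on the real org and the origin is asserted.
    legit = org.verify(dev.respond(org.challenge(), observed_origin=org.origin))
    # 2. A phishing page relays the real challenge; the device sees the phishing
    #    origin and issues nothing, so there is nothing for the attacker to relay back.
    phished = org.verify(dev.respond(org.challenge(), observed_origin='https://acme-okta.example.net'))
    # 3. The user is coaxed into a legacy flow with no origin assertion; the device
    #    signs for the org named in the relayed challenge and the attacker forwards it.
    fallback = org.verify(dev.respond(org.challenge()))
    return legit, phished, fallback


if __name__ == '__main__':
    print(run_scenarios(True))
    print(run_scenarios(False))
```

In a real deployment the credential is a public key and the check is a signature verification; what the toy keeps is that the device never produces a credential for an origin it was not enrolled against, and that the org, not the client, decides whether a flow that asserts no origin is acceptable. Scenario 3 succeeds only when the second flag is False, which is the configuration that later bypass claims depend on.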
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To trigger these conditions, attackers typically required human interaction: that is, these conditions could only be exploited if the attacker first convinced a user to perform a desired action.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In response, Okta introduced a policy configuration option that would only allow authentication requests from phishing-resistant flows and deny all others (see below).  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4ZHu7dFJjv0auR0sK7RL6y\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, claims that phishing resistance can be “bypassed” tend to rely on a customer configuration in which phishing resistance is not enforced in policy. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attacking Factor Enrollment and Recovery\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The phishing resistance offered by FastPass eliminates the threat posed by a huge range of credential-based attacks. Naturally, we have observed security research shift to targeting enrollment and recovery flows, where phishing resistance cannot as easily be guaranteed. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The fundamental problem to solve was that the methods by which most users would verify their identity before enrolling a phishing-resistant factor were not themselves phishing resistant. This could be described as a “chicken and egg” problem.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At first, Okta solved this by requiring two factors of authentication to verify a user identity before enrolling another factor. With this step in place, adversaries would need to achieve a lot within the space of a few minutes: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince a target to start (but not complete) a FastPass enrollment process, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince the target to share their Okta credentials (or obtain credentials by other means, such as credential stuffing or phishing), \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Start their own FastPass enrollment (on an adversary device), and then \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Convince the target to accept a push notification, or share an OTP, initiated by the attacker. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This set the bar for interaction with the target very high, but we could foresee scenarios in which voice calls or instant messaging services could be utilized to make the attack effective. Some customers used a combination of MFA enrollment policies and Workflows to account for these risks. Once again, ongoing security research drove Okta to further harden our enrollment process.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators can now make use of several \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/authenticators/require-phishing-resistant-authenticator.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing-resistant factor enrollment policy options\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". These include an ability to exclude low-assurance factors from enrollment flows, or to require verification of a user’s identity via a phishing-resistant factor before the user can enroll in any other new factor. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Additionally, organizations can now pre-enroll users in roaming FIDO2 security keys via \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/authenticators/onboard-with-preenrolled-yubikey.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s integration with Yubico\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and can also use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/eu/en-us/content/topics/end-user/ov-ios-add-acc-bluetooth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"features in which FastPass can be installed on a new device\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" if it is within physical proximity of an existing registered device. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bypassing User Verification\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One reason signing in with FastPass is so “fast” is because the cryptographic relationship between a user device and the Okta service established at enrollment counts as a possession factor in an authentication flow. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the user can efficiently verify their identity to the device using an inherence factor (biometric) or knowledge factor (device passcode or PIN), they can subsequently satisfy two passwordless factors in 2-3 seconds.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Distinct from the conversation about whether an authentication method is phishing resistant, we must also account for how the user validates their identity to their device. User verification checks protect against local attacks in which an adversary gains physical access to a target’s device. If, for example, a user in a shared office doesn’t lock their device and leaves it unattended, there needs to be a means of preventing a colleague from accessing resources on the absent user's behalf from the unattended device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The focus for security researchers has been how to force a user verification process to fall back from a biometric challenge to a verification method an attacker could more easily defeat. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To account for this, Okta’s policy engine considers FastPass as only a single (possession) factor of authentication if a biometric check fails or is abandoned by the user.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators can decide what methods of user verification meet their requirements for any given application. 
Authentication policies can be configured to require biometrics only, a choice of biometrics or PIN/passcodes, or to make user verification optional.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Local Attacks on Compromised Devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over two years in the market, security research (and the ongoing efforts of Okta’s engineering teams) has effectively isolated opportunities to attack FastPass down to a final remaining category: the abuse of FastPass from a malware-compromised user device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are many perspectives on what role an Identity Provider can play in this scenario. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To be clear: Okta is not an endpoint security company, meaning there are limits to what an authenticator can do in the context of a compromised device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The same applies to FIDO2 authenticators, which offer similar qualities to FastPass. The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-rd-20210525.html#fido-security-assumptions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specifications for FIDO2\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (and its predecessors) state clearly that the security claims of phishing-resistant authentication should not be expected to withstand a malware-compromised host.  
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The applications involved in a FIDO operation can be relied on as “trustworthy agents of the user”, the alliance says, up until the point of malicious computation on the user’s device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“Malicious code privileged at the level of the trusted computing base can always violate [FIDO 2 security properties]”.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Arguably, if your authentication method can isolate attacker opportunities down to the compromise of a user endpoint, defenders are winning! \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But that’s not to say we shouldn’t all aim higher. At Okta, we love a challenge. This is an area where, once again, our response to security research is driving innovation in Okta products. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, Okta’s policy engine gives administrators the ability to restrict access to any given resource based on whether a device is registered, managed and/or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"demonstrating compliance with a security baseline\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the early days of testing these device management features, Okta’s internal testing revealed that a user with root access to a managed device could remove and transfer its non-hardware bound certificate to an unmanaged device. Similarly, session identifiers used to identify whether a mobile device was managed could also be accessed and replayed from an unmanaged device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Addressing these issues inspired several features that further expanded FastPass capabilities, including:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/device-assurance.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Assurance\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" checks for “jailbroken” or “rooted” devices. 
Today, Okta Identity Engine administrators can write policies that approve or deny access to a resource based on these checks. These checks are performed by FastPass.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass Silent Context Rechecks\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", through which a user session is terminated if a user accesses an application from a new device mid-session (assuming device context is evaluated in the authentication policy for that app).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our next challenge is to ensure that FastPass can’t be invoked by malware running in a user context on a device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To date, Okta’s response has included:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"EDR/XDR Integrations\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" allow FastPass to check the security posture of an endpoint as evaluated by the customer’s choice of endpoint security tools at the point of authentication. 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/authenticators/trusted-app-filters-for-fastpass.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trusted App Filters\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": an ability for administrators to allowlist a specific binary that is authorized to call the Okta Verify client.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Verify also includes self-tampering protection on supported platforms, to prevent reverse engineering and unauthorized modifications of Okta FastPass. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta's North Star is to ensure malware cannot compromise FastPass authentication without root access to the device.  \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Anticipating future attacks against FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has made great progress on hardening FastPass in a relatively short period of time using threat-informed product development. We are very grateful to the security researchers inside and out of Okta for helping get it there.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Still, we know threat actors will continue to innovate. 
Okta will continue to strive to compress the feedback loop between security research and product innovation.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Given recent investments Okta has made to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/protectingadminsessions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"constrain session tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/api.htm#editallowednetworkzones\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API tokens\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (by client or location), it’s prudent to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.linkedin.com/posts/andysteingruebl_fighting-cookie-theft-using-device-bound-activity-7211087871741419520-PfZP/?utm_source=share&utm_medium=member_desktop\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"anticipate\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that adversaries will see a need to again pivot to malware-based attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We hope this short history of FastPass hardening illustrates Okta’s determination to bring best-in-class security to phishing resistant, passwordless authentication. 
\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-08T05:27:37.411Z","slug":"/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks","node_locale":"en","date":"2024-05-28T16:38:31+00:00","secAuthor":[{"name":"Okta","slug":"okta","jobTitle":"","id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 
100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Detecting Cross-Origin Authentication Credential Stuffing Attacks","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. As part of our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For context, we observed the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers. 
In this type of attack, adversaries attempt to sign in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This post will assist you with investigating credential-stuffing attacks, as well as provide guidance in the “Recommended Actions” below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious Activity Period\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have observed suspicious activity that started on April 15. Please note that this may not be continuous for every tenant; we recommend reviewing suspicious activity from that date forward.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Events to Review:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fcoa - Failed cross-origin authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"scoa - Successful cross-origin authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"pwd_leak - Someone attempted to login with a leaked password\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended 
Actions\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. Refer to the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Event Type Codes\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your tenant does not use cross-origin authentication, but `scoa` or `fcoa` events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your tenant does use cross-origin authentication and either saw a spike of `scoa` events in April or an increase in the ratio of failure-to-success events (`fcoa`/`scoa`), then it is likely your tenant has been targeted in a credential stuffing attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user password was compromised in a credential stuffing attack, the user’s credentials should be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/password-change\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"rotated immediately\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" out of an abundance of caution.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protecting your Tenant from Credential Stuffing 
Activity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below are our recommendations on how to best protect your users from credential-stuffing attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Longer-term solution:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enroll users in passwordless, phishing-resistant authentication. We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Medium-term mitigations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent users from choosing weak passwords. Require a minimum of 12 characters and no parts of the user name. Block passwords found in the Common Password List. This can be done in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/password-options\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"password policy\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require Multi-Factor Authentication. 
Auth0 offers a variety of MFA options available on our B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Short-term mitigations:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For any tenant that does not use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/login/cross-origin-authentication\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"cross-origin authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", that endpoint can be disabled in the Auth0 Management Console to eliminate this attack vector. Refer to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/get-started/applications/set-up-cors#configure-cross-origin-authentication\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure Cross-Origin Resource Sharing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for more information.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Restrict permitted origins if cross-origin authentication is required.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection#configure-breached-password-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"breached password 
detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for your tenant, or ideally \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection#detect-breaches-faster-with-credential-guard\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" if it is supported in your current plan.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breached password detection is available on our B2C Professional, B2B Professional, Startup, and Enterprise plans.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard is available as an add-on through an Enterprise plan.\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you have an account with support available and need more information, you can reach out to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.auth0.com/tickets/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer Support\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and if you are on a free plan you can reach us via the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://community.auth0.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Community\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
For details on features and availability per plan, please visit our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/pricing\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"pricing page\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-02-09T23:45:08.431Z","slug":"/blockanonymizers","node_locale":"en","date":"2024-04-27T03:59:59+00:00","secAuthor":[{"name":"Moussa Diallo","slug":"moussa-diallo","jobTitle":"Sr Manager, Identity Threat Research","id":"2d0612d0-ea24-5a48-bed3-797e6306eea4","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=58&h=58&q=50&fm=png 
58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/1uHU5vrZGhUcNFNAzgylU2/e92b96b2d85e5fb3c5da8a2c1695ddc9/md_profile.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#181818","width":58,"height":58}}},{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 
100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#887808","width":58,"height":47}}}],"title":"How to Block Anonymizing Services using Okta","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From March 18, 2024 through to April 16, 2024, Duo Security and Cisco Talos 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"observed large-scale brute force attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" on multiple models of VPN devices.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From April 19, 2024 through to April 26, 2024, Okta’s Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In credential stuffing attacks, adversaries attempt to sign-in to online services using large lists of usernames and passwords obtained from previous data breaches of unrelated entities, or from phishing or malware campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What is the Tor Network?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tor (The Onion Router) provides its users a method of sending requests to web sites in which the originating source IP address of the request is obscured. 
Tor relies on the relay of messages across an overlay network of “onion routers”, each of which can only observe the IP of the preceding node and the next node in the communication. While Tor has legitimate uses, it is routinely used to conceal the real IP address of attackers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What are Residential Proxies?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Residential Proxies are networks of legitimate user devices that route traffic on behalf of a paid subscriber. Providers of residential proxies effectively rent access to route authentication requests through the computer, smartphone or router of a real user, and proxy traffic through the IP of these devices to anonymize the source of the traffic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Residential Proxy providers don’t tend to advertise how they build these networks of real user devices. Sometimes a user device is enrolled in a proxy network because the user consciously chooses to download “proxyware” into their device in exchange for payment or something else of value. At other times, a user device is infected with malware without the user’s knowledge and becomes enrolled in what we would typically describe as a botnet. More recently, we have observed a large number of mobile devices used in proxy networks where the user has downloaded a mobile app developed using compromised SDKs (software development kits). 
Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The net sum of this activity is that most of the traffic in these credential stuffing attacks appears to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.orangecyberdefense.com/be/blog/unveiling-the-depths-of-residential-proxies-providers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"informative summary\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by CERT Orange Cyberdefense and Sekoia.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Block it at the Edge\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the key tenets of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is to champion customer security best practices. 
We are committed to raising the bar for default security features in our platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In February 2024, Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/allow-admins-to-detect-and-block-requests-from-anonymizers?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"released\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" a well-timed capability into the Okta Platform that detects and blocks requests from anonymizing services.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations that wish to deny access from specific anonymizers, and allowlist others, must first be licensed to use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Dynamic Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", which is included in the Adaptive MFA SKU. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers using Auth0 should consider the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attack Protection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" Suite, and consider the other recommendations in the table below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modern Defenses, Built into the Identity Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The unprecedented scale of these attacks has provided clear insights into the controls most effective against credential stuffing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/threat-insight/configure-threatinsight.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Okta’s built-in control against high volume attacks, blocks requests from IPs involved in large scale credential based attacks prior to authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The small percentage of customers where these suspicious requests proceeded to authentication shared similar configurations: The Org was nearly always running on the Okta Classic Engine, ThreatInsight was configured in Audit-only mode (not Log and Enforce mode), and Authentication policies permitted requests from anonymizing 
proxies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers using Okta Identity Engine that (a) enabled ThreatInsight in log and enforce mode and (b) denied access requests from anonymizing proxies were protected from these opportunistic attacks. These basic features are available in all Okta SKUs. Upgrading to Okta Identity Engine is free, often highly automated, and provides access to a range of features including \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/api/openapi/okta-management/management/tag/CAPTCHA/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CAPTCHA\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" challenges for risky sign-ins and passwordless authentication using Okta FastPass.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Broader Recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend Okta customers practice defense in depth to mitigate the risk of account takeovers from credential stuffing attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommendation\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity and Customer 
Identity\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Embrace Passwordless \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"and \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Support \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/authenticate/database-connections/passkeys\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"PassKeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"as a preferred sign-in method\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent users from making poor password choices\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require 12 chars and no parts of username in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Password Policy\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\". 
Block passwords found in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/policies/configure-password-policies.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"common password list\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/breached-password-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breached Password Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"or \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Guard\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to prevent use of passwords known to have been breached in 3P 
sites\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce MFA on sign-in\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA in Global Session Policies\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA for Password Authentication flows\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"requests from locations where your organization does not operate\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to block requests prior to 
authentication\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny access by location using a WAF or via the Country-based Access Control \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/customize/actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"5. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny authentication requests from IPs with poor reputation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny requests made via anonymizing services via \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/network/about-dynamic-zones.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network 
Zones\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/threat-insight/configure-threatinsight.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" in \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"log and enforce \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"mode to deny attempts based on the volume and velocity of failed requests from an IP\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/api/openapi/okta-management/management/tag/CAPTCHA/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CAPTCHA\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" challenges on high risk 
logins\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/suspicious-ip-throttling\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspicious IP Throttling\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"to slow down login attempts from suspicious IPs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/bot-detection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bot Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"to present CAPTCHA challenges to requests from suspicious IPs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use 3P 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/customize/actions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 Actions \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"integrations to check if an IP is associated with an anonymizing proxy \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"6.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for and respond to anomalous sign-in behavior\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce per-user \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Account Lockout\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\". 
Exempt requests from devices that have successfully authenticated\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" events and rate limit violations \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://auth0.com/docs/secure/attack-protection/brute-force-protection\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Brute-force Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\" to block and lockout accounts subject to persistent failed authentication requests \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor for sign-in events using invalid usernames/non-existent users and/or previously breached passwords\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TTPs used in Recent Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Top 20 
ASNs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Autonomous System Number\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Network Provider\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"53667 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FranTech Solutions\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"62744 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Quintex Alliance Consulting\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"60729 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stiftung Erneuerbare 
Freiheit\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1101\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SURF B.V.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"210558 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1337 Services GmbH\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"197540 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"netcup GmbH\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"16276 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OVH SAS\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"60404 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Liteserver\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"210644 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"AEZA INTERNATIONAL LTD\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"399532 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Layer LLC\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"200651 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FlokiNET ehf\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"44925\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1984 
ehf\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"51396\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Pfcloud UG\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"4224 \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Calyx Institute\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"51852\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Private Layer INC\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"56655\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TerraHost 
AS\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"36352\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"HostPapa\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"208323\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Foundation for Applied Privacy\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"63949\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Akamai Connected Cloud\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"41281\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"KeFF Networks Ltd\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User 
Agent\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Relevant System Log Queries: The Okta Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight has Detected Access Requests from IPs Associated with Suspicious Behavior\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Brute Force Attack 
(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/001/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.001\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason eq \\\"Login failures\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Credential Stuffing Attack (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/004/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.004\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Login failures with high unknown users count\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Suspected Password Spray Attack 
(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1110/003/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1110.003\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.threat.detected\\\" AND outcome.reason co \\\"Password Spray\\\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Targeted Brute Force Attack against a Specific Org\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.attack.start\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nRelevant System Log Queries: The Auth0 Platform\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login 
request\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"f\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login: Invalid username/email address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fu\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Failed login: Invalid password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"fp\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Login attempt from a known leaked password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"pwd_leak\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Signup (registration) attempt from a leaked 
password\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"signup_pwd_leak\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP address blocked: excessive failed login or registration requests without a successful login\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_mu\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User account lockout: excessive failed login requests per time period from the same IP address\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_sul\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP address blocked: excessive failed login attempts to a single user 
account\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"limit_wc\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T20:35:09.141Z","slug":"/articles/2024/04/why-cyber-heroes-need-zero-trust-caep","node_locale":"en","date":"2024-04-23T23:12:34+00:00","secAuthor":[{"name":"Stephen McDermid","slug":"stephen-mcdermid","jobTitle":"Regional CSO, EMEA","id":"4bd66bb8-bbb2-5ab6-895d-32c670d02166","bio":{"bio":"<p> </p><p>Stephen McDermid, CSO EMEA has led and been responsible for several enterprise-wide transformations ranging from National Government transformation projects to ISO27001 and PCI-DSS accreditation across multiple sites. He's taken his hands-on knowledge and expertise and used them to help organizations manage security across a broad range of disciplines and ensure senior stakeholders understand the risks and, more importantly, the opportunities available to their business. Stephen has worked with some of the largest organizations across military, banking, government, and enterprise sectors, to enable business transformation and growth. 
Stephen spends a lot of time on or near water, not just because of the rain; he holds a powerboat license and loves exploring the West Coast waters of Scotland.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=29&h=30&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=116&h=118&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=29&h=30&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=116&h=118&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8c8d8","width":58,"height":59}}}],"title":"Why Cyber-heroes need a Zero Trust 
CAEP!","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At the recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.gartner.com/en/conferences/emea/identity-access-management-uk\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gartner Identity & Access Management Summit in London\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated how these signals can be used as part of a Zero Trust approach to create policies in Okta to detect and prevent threats across technology platforms and data silos.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3MgaaQeTOtjG7mlyF5hTrG\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Wait, doesn’t my SIEM already do this?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The OpenID Foundation Shared Signals Framework (SSF) and Security Information and Event Management (SIEM) systems play very different roles in an organization's cybersecurity 
strategy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Information and Event Management (SIEM) systems play a crucial role in helping analysts detect, analyze and respond to cybersecurity threats. Analysts stream network, application and device logs to a SIEM for aggregation, correlation and alerting on known suspicious activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Shared Signals Framework is a method for transmitting, receiving and aggregating risk signals between applications, creating opportunities for automated policy-based actions. SSF-based CAEP events specifically allow identity practitioners to configure an exchange of risk signals between IdPs and applications related to user and session risk. The events might still be logged in the SIEM, but CAEP allows for protective controls to swing into action before detective controls kick into gear.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SSF enables real time context with trusted partners, simplifying the security stack into a cohesive service that supports secure access across a broad range of technologies and platforms using Zero Trust security principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The main differences are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enhanced Interoperability and Integration: SSF facilitates direct, real-time communication between various security tools and platforms within an organization’s IT ecosystem, continuously communicating to thwart attackers lateral movement across 
services. This seamless integration can sometimes be more efficient than the centralized logging and analysis approach of SIEM systems, which may require complex configuration and integration efforts to achieve similar levels of interoperability.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standardized Signaling: By standardizing the way security signals are shared and interpreted across different systems, SSF can enhance the overall effectiveness of security measures. SIEMs, while powerful for analysis and correlation, might not inherently standardize or streamline the communication protocols between disparate security solutions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Real-Time Adaptive Response: SSF enables security solutions to respond to threats in real-time by sharing signals about detected threats or anomalies instantly. This can allow for automated, immediate responses such as isolating a compromised endpoint. In contrast, SIEMs might excel in detection and alerting but can be slower to enact automated responses due to their reliance on central processing and analysis\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scalability and Efficiency: SSF's direct signaling between tools can reduce the complexity and overhead associated with aggregating and processing vast amounts of log data, as is common with SIEM systems. 
This can be particularly advantageous in highly dynamic or cloud-native environments where the volume and velocity of data can overwhelm traditional SIEM architectures, or require numerous collectors and connectors which incur lag and costs.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cost-Effectiveness: For startups and Small to Medium Enterprise organizations, implementing and maintaining a SIEM solution can be resource-intensive, requiring dedicated hardware, software, training and personnel. In contrast, an SSF approach, leveraging cloud services and APIs for integration and communication, might offer a more cost-effective solution for organizations looking to maximize their security efficiency and budgets.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s important to note that SSF and SIEM serve different needs within the cybersecurity ecosystem. In many cases, the most robust security posture would benefit from leveraging both SSF and SIEM capabilities, using SSF to enhance the real-time response and operational efficiency of the security infrastructure, and SIEM to provide deep analytical insights, historical data analysis, and compliance reporting.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How is Okta championing SSF and CAEP interoperability?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recently announced the Okta Secure Identity Commitment with one of the pillars being, Raising the bar for our Industry, and Okta believes in a collaborative approach to security. 
By actively participating in SSF standardization and demonstrating interoperability with key partners, we aim to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Boost security effectiveness: Sharing enriched threat data across different solutions empowers organizations to detect and respond to threats faster and more effectively.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Simplify security operations: Eliminating vendor lock-in and streamlining data exchange reduces complexity and operational overhead for security teams.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Accelerate innovation: Fostering an open ecosystem encourages innovation and the development of more advanced security solutions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Some key takeaways to consider when reviewing your identity strategy:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you evaluate user risk during sessions beyond initial access?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What challenges exist when correlating threat data across your security 
stack?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How quickly and proactively can you respond to emerging identity threats?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you apply the right authentication method for the data rather than one-for-all and how can you adopt adaptive authentication workflows?\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How open or closed is your identity ecosystem? \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/appsofthefuture\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Do your application vendors support CAEP/SSF\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"?\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T20:37:12.164Z","slug":"/articles/2024/04/okta-verify-vulnerability-disclosure-report-response-and-remediation","node_locale":"en","date":"2024-04-23T22:59:10+00:00","secAuthor":[{"name":"Okta","slug":"okta","jobTitle":"","id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&q=50&fm=webp 
29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":" Okta Verify Vulnerability Disclosure Report - Response and Remediation","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has confirmed and remediated a reported Okta Verify vulnerability. 
No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Response\",\"marks\":[{\"type\":\"bold\"},{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in Okta Verify that detailed bypassing phishing resistance checks. Upon receipt, we initiated our vulnerability disclosure process, and upon further investigation, it was discovered that an adversary could bypass the phishing-resistant property of Okta Verify FastPass given certain parameters.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 8th, Okta’s Engineering team successfully identified the root cause within Okta’s backend code and created a mitigation plan. 
It’s important to note that the root cause did not reside within the Okta Verify application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The details of the vulnerability are as follows.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In a phishing-resistant challenge involving a CUSTOM_URI and the SSO Extension, the phishing-resistance check returned “true” if:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the user completed only user verification or an approved consent prompt, and additionally\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the origin header was missing. The intent of that logic was to approve a transaction only when user-approved consent accompanied the missing origin header.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we incorrectly treated the combination of a missing origin header and an approved user verification (or approved consent prompt) as equivalent to verified phishing resistance. To correct this, we have implemented an additional verification step that confirms a valid origin header is present before phishing resistance is confirmed. 
Going forward, this measure ensures that the transaction is valid and secure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On April 9th, the fix was deployed to a development cell, and validated as effective. We then applied a hotfix to a production cell, and following an additional successful validation, the fix was rolled out to all remaining production cells on April 10th and to staging cells on April 11th. This hotfix remediated the vulnerability, with no customer follow-up action needed.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"That said, this reported vulnerability does highlight the importance of comprehensive threat models, as well as the role that manual testing can still play in developing secure components. Okta would like to thank Nikos Laleas and Giuseppe Trotta from the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.persistent-security.net/about-us\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Persistent Security Industries\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (PSI) Team for bringing this exploit to our attention, as well as their commitment to responsible disclosure.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Timeline\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 5, 2024 - Persistent Security contacts Okta with report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 6, 2024 - Okta Security validates the findings\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 8, 2024 - Okta discovers root 
cause\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 9, 2024 - Okta deploys fix to development environment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 9, 2024 - Okta validates fix\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 10, 2024 - Fix deployed to Production\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apr 11, 2024 - Fix deployed to Preview\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-25T00:41:45.508Z","slug":"/articles/2024/04/defensive-domain-registration-mugs-game","node_locale":"en","date":"2024-04-03T16:49:17+00:00","secAuthor":[{"name":"John Murphy","slug":"john-murphy","jobTitle":"Manager, Defensive Cyber Operations (EMEA)","id":"b006f4e2-a177-55cd-a2ee-ff041e6ece35","bio":{"bio":"<p>John leads the EMEA node of Okta's Detection and Response Engineering team.</p>\n\n<p>His team develops detections and supplementary automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 
100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8d8c8","width":58,"height":58}}}],"title":"Defensive Domain Registration is a Mug’s Game ","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Summary:\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" The time and effort spent on defensive domain registration would be better invested in writing phishing-resistant authentication policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today I want to make the case that registering domains for the sole purpose of protecting against phishing is tackling the phishing problem from the wrong angle. It is, to use a very British idiom, a “mug’s game”: an effort that’s unlikely to yield much success. 
Most organizations register additional domains based on various permutations of their primary production domain. Sometimes domains are registered to deter potential competitors, and the registrations are aimed at protecting their brand from trademark infringement. Increasingly, we see organizations acquiring domains to deter attackers from registering domains used in social engineering campaigns.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once you get started on the latter, the pertinent question becomes how many permutations on your domain you’re willing to invest in. Where do you stop?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There is a stronger case to be made for registering key domains that help to catch emails gone awry (the inevitable “fat finger” errors). In the grand scheme of things, domains are cheap.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But once we start considering defensive domain registrations, the value of every subsequent registration diminishes. By using a tool like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/elceef/dnstwist\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"dnstwist\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", you can very quickly see how big the game of whack-a-mole could be. With a 4 character domain name, dnstwist generates over 1000 domains. If you multiply this against additional brands and common phishing keywords (support, login, helpdesk, etc), the scope of the problem easily explodes by orders of magnitude.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conservatively, registering all these domains could easily cost $100k+ per year. 
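To show how quickly the registration list grows, here is a small Python generator in the spirit of dnstwist, added for this post and not dnstwist’s own code. It applies a handful of the transformations dnstwist uses (omission, transposition, replacement, insertion, repetition, hyphenation and keyword affixes) across a short TLD list. The alphabets, keyword list and TLD list are constructed for the example and are far smaller than the real tool’s dictionaries, so the real numbers are higher.

```python
import string

# Constructed alphabets and lists for the example; dnstwist's own
# fuzzers and dictionaries are considerably richer than this.
ALNUM = string.ascii_lowercase + string.digits
TLDS = ['com', 'net', 'org', 'co', 'io', 'info']
KEYWORDS = ['login', 'support', 'helpdesk', 'secure', 'sso', 'mfa']


def fuzz_label(label):
    # Generate typo-squat candidates for one DNS label.
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])             # omission
        out.add(label[:i] + label[i] + label[i:])      # repetition
        for c in ALNUM:
            out.add(label[:i] + c + label[i + 1:])     # replacement
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(n + 1):
        for c in ALNUM:
            out.add(label[:i] + c + label[i:])         # insertion
    for i in range(1, n):
        out.add(label[:i] + '-' + label[i:])           # hyphenation
    for kw in KEYWORDS:                                # keyword affixes
        out.update({kw + label, label + kw, kw + '-' + label, label + '-' + kw})
    out.discard(label)
    out.discard('')
    return out


def permutations(domain):
    # Every fuzzed label (plus the genuine one) across every TLD, minus
    # the domain already owned: the set a defender would have to register
    # to cover just these transformations.
    label, _tld = domain.lower().rsplit('.', 1)
    result = set()
    for lab in fuzz_label(label) | {label}:
        for tld in TLDS:
            result.add(lab + '.' + tld)
    result.discard(domain.lower())
    return result


def count_permutations(domain):
    return len(permutations(domain))


if __name__ == '__main__':
    for d in ['okta.com', 'acme.com']:
        print(d, count_permutations(d))
```

Even this cut-down generator yields a few thousand candidates for a four-character label, and each additional brand, keyword or TLD multiplies the set; the attacker needs only one registration that is not in it.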
Even after you’ve expended this effort, adversaries can always find yet more permutations of your domain (or the services your users are familiar with) that you haven’t considered. And at the end of the day, registering those domains hasn’t moved the security needle one bit: we have merely expended scarce budget on a few surmountable hurdles for an attacker to side-step.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Let’s just eliminate the phishing problem?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Writing in this blog, my colleagues and I have implored Okta customers to embrace phishing-resistant factors like Okta FastPass and FIDO2 WebAuthn, for a number of good reasons.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Preventative controls are nearly always far more desirable than compensating controls. FastPass or WebAuthn can essentially eliminate phishing attacks that target user authentication. The same can’t be said for defensive domain registrations. The TL;DR is that phishing-resistant methods of authentication cannot be phished the same way legacy factors like passwords and basic MFA (OTP, SMS, etc.) can, because they are scoped - that is, authentication is cryptographically tied - to the origin. In other words, a phishing-resistant factor will never authenticate to a domain that it was not enrolled in, even if the user has been tricked into visiting a malicious site.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not only is this an effective security control, the user experience is far better than a password or any combination of legacy factors. 
As described in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/the-secure-sign-in-trends-report/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Sign-in Trends Report\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", phishing-resistant factors including FastPass and WebAuthn are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Faster to enroll\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Faster to use\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Fail less often\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Are not susceptible to brute-force attacks\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inherently more secure (phishing-resistant)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Able to satisfy multiple factor requirements with a single user action (Biometric + Possession)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How can I start using FastPass?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assuming you’re using Okta Identity 
Engine (OIE), FastPass is already available to you. If you’re still on Okta Classic, this is another great excuse to take the free upgrade to OIE.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Here are some resources I recommend to help you get started:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass | Okta Docs\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper-fastpass-deployment-guide/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Becoming phishing resistant with Okta FastPass | Step-by-step guide\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.youtube.com/watch?v=7tv300TIWBs\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Going Password-less in Okta Identity Engine | Okta Demo 
Video\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/webinar-oktas-journey-to-passwordless-phishing-resistance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s journey to passwordless & phishing-resistance | Oktane Video\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2022/10/the-need-for-phishing-resistant-multi-factor-authentication/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"How modern credential phishing attacks work: the adversary in the middle (Part 1) | Blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2022/11/a-deep-dive-into-okta-fastpass/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"A Deep Dive Into Okta FastPass (Part 2) | 
Blog\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper-fastpass-technical-whitepaper/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"FastPass | Technical Whitepaper\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If your Workforce org is licensed for Adaptive MFA, I’d also recommend this cheeky rule that packs a lot of punch. An attacker that has stolen user credentials and/or a session cookie will almost always sign in from a New Device and a New IP address. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/reference/okta-expression-language-in-identity-engine/#security-context\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Expression Language\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we can force authentication attempts from New Devices and New IPs to prompt for phishing-resistant 
factors:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4V2FWuO0AT65orxInEGo9p\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6KS0Vi5RrCDQ3BuF7VO9Q\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Making all user authentication flows phishing-resistant should be the north star for user identity. And Okta isn’t the only team offering guidance on this. If you need some impartial evidence, try:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"National Institute of Standards and Technology (NIST) - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://csrc.nist.gov/pubs/sp/800/63/4/ipd\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Digital Identity Guidelines\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cybersecurity and Infrastructure Security Agency (CISA) - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cisa.gov/MFA\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"More than a Password\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Australian Signals Directorate (ASD) - 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Essential Eight Maturity Model\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Executive Office of the US President - \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Moving the U.S. Government Toward Zero Trust Cybersecurity Principles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s time to take the phishing-resistant plunge, and Okta is here to help.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-02-10T00:11:42.720Z","slug":"/protectingadminsessions","node_locale":"en","date":"2024-03-21T08:13:16+00:00","secAuthor":[{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"<p>Brett Winterford is Vice President of Okta Threat Intelligence.  Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats.  Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. </br> Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.  
Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#887808","width":58,"height":47}}}],"title":"Protecting Administrative Sessions in 
Okta","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Privileged users have always been and should always expect to be under constant attack from motivated adversaries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the last 90 days, Okta has devoted many of our most skilled resources into a program of work that dramatically hardens the Okta Admin Console, resulting in a number of new features, a subset of which are listed below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Feature\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Description\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Availability\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/apply-ip-or-asn-binding-to-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ASN Session 
Binding\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta automatically revokes an administrative session if the ASN (Autonomous System Number) observed during an API or web request differs from the ASN recorded when the session was established.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"GA, on by default in Okta Admin Console from October 23, 2023\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/apply-ip-or-asn-binding-to-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP Session Binding\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customer administrators can automatically revoke an administrative session if the IP address observed during an API or web request differs from the IP address recorded when the session was established.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from February 7, 2024\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta 
Workflows Admin, Okta Access Requests and Okta Privileged Access (OPA) from March 1, 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/admin-session-lifetime-idle-timeout-security-enhancements?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"New Default Maximum and Idle Session Duration \",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Default session timeouts in Okta Admin apps have been set to a 12-hour session lifetime and a 15-minute idle time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"GA from January 8, 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/admin-console-protected-actions.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Protected Actions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta admins are prompted for re-authentication when they perform critical tasks in 
the Admin Console.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from February 7, 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/deliver-zero-standing-privileges-for-okta-admin-roles-governance-for-okta-admin-roles?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Govern Okta Admin Roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customers can govern Okta Admin Roles via time-bound access requests and automated access reviews\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gradual rollout in Okta Admin Console begins April 2024\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/okta-will-require-multi-factor-authentication-mfa-to-access-the-okta-admin-console?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require MFA for access to Admin 
Console\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta will prevent administrators from creating authentication policies that only require a single factor.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"EA in Okta Admin Console from May 2024.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The purpose of this blog post is to zoom out and think holistically about how to use these features to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reduce the attack surface of your Okta org,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevent account takeovers, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Limit the blast radius of a stolen session\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reducing the Attack Surface\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The first step to preventing unauthorized access to privileged applications is to reduce the number 
of accounts with privileged roles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s standard administrative roles offer the fastest path to value for new workforce deployments. Over time, the most security conscious organizations migrate to Custom Admin Roles in pursuit of least privilege access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This journey starts with:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assigning administrative permissions by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/users-groups-profiles/usgp-groups-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Group\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and avoiding assigning them individually. This greatly simplifies the administration and governance of policies.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identifying tactical ways to minimize the number of accounts with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/administrators-admin-comparison.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"highly privileged roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (Super Administrators, Org Administrators, App Administrators). 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/automation-hooks/delegated-flows/about-delegated-flows.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Delegated Flows\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", for example, offers opportunities to reduce the number of Workflows users that require administrative access.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Breaking down common administrative functions (such as assigning users to apps, or factor lifecycle operations) into \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Custom Admin Roles\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", and assigning them to specific resources (groups, apps, workflows etc), to further promote least privilege.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The target state is to move as close as possible to “zero standing privileges”.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Zero standing privileges is a model in which an administrator gets access to the resources and permissions they require on a just-in-time basis to complete a specified task, after which time the access is automatically revoked.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/products/privileged-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta 
Privileged Access Management (OPA)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" uses this principle to secure access to servers, databases, apps and other targets. When OPA is combined with the Access Requests feature in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/products/identity-governance/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (OIG), organizations can be confident that all access to privileged resources is authorized, ephemeral (temporary), and recorded for easy auditing.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, we want zero standing privileges to be a design pattern in reach for even the smallest of Okta’s customers. Okta is committed to ensuring that every workforce customer can achieve zero standing permissions for access to the functions they require to administer Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s product team has subsequently lifted a subset of premium Okta Privileged Access and Identity Governance features and built them directly into the Okta Admin Console to make this essential protection available to all Okta Workforce customers at no cost.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Using this configuration, the journey to zero standing privileges in Okta is simpler again:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assign all administrators with custom roles designed for the minimum resources and permissions required to complete day-to-day 
work;\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create a Request Approval process for administrators that require temporary (“just-in-time”) elevated permissions for administrative tasks that are performed less often,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require dual authorization (approvals) from two or more fellow administrators for access to roles with elevated permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Create an action in the Access Request that adds a user to a group assigned the elevated permissions after authorization and removes them from the group after the specified time period expires.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The only exceptions you might need to make to this process are:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"ordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A break-glass account with a super administrator role.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Depending on your deployment, you may require an account for emergency access. This “break glass account” needs to be protected by policies that assume your trusted network or PAM solution is not available. We suggest limiting access by network location (using secondary or tertiary IP ranges for redundancy), and also requiring multi factor authentication. 
A common approach is to require one of several physical FIDO2 security keys enrolled for the account, plus a machine-generated string as a password. Access to this account should be monitored with absolute vigilance: any use should set off alarm bells in the SOC.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Service accounts used in machine-to-machine authentication\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Don’t neglect accounts used for non-human (machine-to-machine) access. Use OAuth 2.0-based \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Applications\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", wherever available, with the least required account permissions and scopes applied. If you are using legacy static API tokens for any integrations, make use of Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/api.htm#editallowednetworkzones\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"IP allowlisting feature\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\": this ensures that Okta APIs will only accept requests using these tokens from trusted locations. Vault all static API tokens, maintain an inventory of their purpose, and audit and rotate regularly. Once configured, service accounts should be members of an Okta Group, and a global session policy should be applied to that group that denies interactive access (NB: this won’t restrict API access). Maintenance tasks should require a formal access request process that temporarily subjects the account to a different policy. 
Service accounts should otherwise be closely monitored for detection of unauthorized interactive and/or shared access.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Preventing Account Takeovers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As discussed, Okta has built best-in-class features to prevent unauthorized access to the Okta Admin Console. Many of these features are enabled by default.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The resilience of your environment largely depends on sound configuration of policies and supporting controls. At minimum, Okta Security recommends protecting administrative users by configuring the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/threat-insight/ti-index.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"ThreatInsight\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in log and enforce mode. 
This will detect and prevent high-volume credential based attacks on any account that still requires a password.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply strong authentication policies to groups with administrative permissions.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require administrative users to sign-in using passwordless, phishing resistant authenticators (Okta FastPass, FIDO2 WebAuthn, Smart Cards).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enforce \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/authenticators/phishing-resistant-auth.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"phishing resistance\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in policy.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require users to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/policies/add-app-sign-on-policy-rule.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"verify their identity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" via a biometric challenge (preferred) or PIN.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny the use of 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2022/09/okta-passkey-management-a-new-feature-flag/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"discoverable FIDO2 credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (Passkeys) for access to the administrative console and require use of device-bound FIDO2 credentials instead. Passkeys may otherwise be susceptible to theft from unmanaged devices or cloud service accounts.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require access via \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/devices-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"trusted, managed devices\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for administrative access.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Require access via managed browsers (i.e. 
do not allow administrators to sign-in to personal accounts from the browser).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Use \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/devices/edr-integration-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"endpoint security integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to deny access to devices exhibiting poor posture.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny all requests to administrative apps from anonymizing proxies and other untrusted networks using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/network/create-dynamic-zone.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Network Zones\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Evaluate \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/oie-risk-behavior-eval.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"user behavior and risk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in policy, and alert on anomalous authentication requests (such as new device + new IP).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Apply an explicit, catch-all 
deny rule for any access to the Okta Admin Console that doesn’t meet the above conditions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reducing the Blast Radius of a Stolen Session\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Irrespective of the strength of your protective controls, your threat model must also account for the theft and replay of an administrator’s session token using malware or other means.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s revised default session duration for the Admin Console is designed to limit the opportunities for adversaries to exploit a stolen session token.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"ASN Session Binding, which is enabled for all Okta orgs by default, limits the ability to replay a stolen session outside of an expected context. Security teams can optionally insist on enforcing IP Session Binding for the Okta Admin Console, which binds all requests during an administrative session to the same IP used during authentication. IP Session Binding is on by default for all new Okta orgs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We also recommend the following:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enable Protected Actions in the Okta Admin Console. 
This forces step-up authentication before an administrative user can modify critical settings, such as enabling a third-party Identity Provider or resetting all factors of an administrative user, greatly reducing what actions an adversary can perform with a stolen session token.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configure a Re-authentication Frequency of “Every Sign-In Attempt” to all administrative applications. This greatly diminishes access to applications using a stolen user session.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Choose FastPass as your primary authenticator. FastPass provides a fast, consistent user experience on all OS/browser platforms, prevents and detects real-time AiTM phishing campaigns, and offers an ability to constrain credentials to approved devices. It can also play a role in mitigating the theft of session tokens: FastPass can be configured to evaluate device signals on managed and unmanaged devices prior to allowing access. Okta can subsequently use these device signals to assess device context every time a user requests a new application during a session, and require re-authentication if device context is assessed to have changed.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Finally, it’s important to audit the use of administrative roles and to monitor for suspicious administrative activity. 
As we’ve said in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/leastprivilege\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"previous posts\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the monitoring and oversight of actions performed by users with administrative roles is a cornerstone of any well-designed security program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend the use of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/reports/log-streaming/about-log-streams.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Log Streaming\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" for the fastest access to Okta System Log events in the SIEM of your choice. You can find a sample of common detections we have published in collaboration with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/shareddetections\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Splunk\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/2023/08/telling-more-okta-detection-stories-google-chronicle\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google Chronicle\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A new event relevant to organizations that have deployed ASN and IP Session binding is provided 
below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Event\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"System Log Query\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Denied Access due to ASN/IP Session Binding (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1539/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"T1539\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"eventType eq \\\"security.session.detect_client_roaming\\\"\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s engineering teams have worked tirelessly over the last 90 days to provide the guardrails and additional features required to protect access to administrative functions in Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over 9000 Okta orgs adopted ASN Session Binding within three months of its release, giving us the confidence to turn the feature on for all Workforce 
customers by default. Over 95% of Workforce orgs have maintained the default maximum and idle session duration configuration we switched on for all customers in January.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We remain committed to prioritizing the features that protect privileged users under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2024-06-07T20:54:14.642Z","slug":"/appsofthefuture","node_locale":"en","date":"2024-03-05T06:42:25+00:00","secAuthor":[{"name":"Karl McGuinness","slug":"karl-mcguinness","jobTitle":"Chief Product Architect, Okta","id":"49d070bc-d763-5c0e-9734-5ec90fcfcd0d","bio":{"bio":"<p>Karl McGuinness is Chief Product Architect at Okta where he is responsible for product strategy, architecture, and identity standards. He has over 20 years of experience in the identity industry building and scaling market leading products and infrastructure. 
Karl is actively involved with the identity community developing and adopting technical standards that provide the foundation for the Okta Identity Cloud.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6fixoIccP6y6XyYM36hVRj/e922b686e242a3f68bb809567d4863c9/karl-mcguiness-speaker.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"How to Secure the SaaS Apps of the 
Future","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":null,"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Over the past few years we’ve observed a fundamental shift in the threat model for highly targeted organizations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, if an attacker can’t manage to steal user credentials for highly targeted organizations, they will pivot to instead stealing a user’s proof of authentication.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Attackers will use malware to steal session tokens from a user’s browser after they sign in. They may similarly use transparent proxies to steal session tokens from a user’s browser after they sign in. And as Okta’s recent experience shows, if bearer tokens of any kind are stored unprotected, attackers will sniff them out. Stolen session tokens can often be replayed in a browser of the attacker’s choosing for the remaining duration of the user session.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For several years Okta has contributed to internet standards that aim to mitigate the theft and replay of session tokens. We are taking these actions because we cannot assume that the current solutions to these problems (endpoint protection and phishing resistant authentication) will always be applied effectively. It is prudent to assume that some malware will go undetected by endpoint protection solutions, or that some users will sign in to applications without the protection of phishing-resistant authenticators. 
When either of these events happen, defenders require an ability to limit the blast radius from a stolen session token.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our goals here are threefold:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need to constrain the use of tokens that are for specific devices, clients and/or locations,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need the identity ecosystem (identity providers and SaaS applications) to autonomously exchange signals about changes in session risk, and\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We need the means to act on identified changes in session risk: such as forcing step-up authentication within the context of an application, or signing a user out of all of their application sessions.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has demonstrated, in response to an October security incident, that modern applications supporting OIDC (OpenID Connect) can meet many of these goals. 
Okta now binds Admin Sessions to location (ASN, by default and optionally by IP), forcing re-authentication when an administrative user changes location mid-session or attempts to perform critical, security-sensitive tasks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The next challenge for Okta is to apply the same hardening techniques used for the Okta Admin Console to the innumerable third-party SaaS applications that our customers gate behind Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We have laid the groundwork for several innovative new features that every enterprise SaaS application needs to embrace to protect users in the era of post-authentication attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enterprise-ready requirements for today’s SaaS apps\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today there are a handful of non-negotiable requirements SaaS applications must meet before a Chief Security Officer (CSO) would consider them to be enterprise-ready.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single Sign-On (via support for OIDC or SAML)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Provisioning and deprovisioning (via support for SCIM)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Programmatic access to logs (using 
REST APIs)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"However, most CSOs haven’t updated the requirements they demand from SaaS applications for at least 5-10 years. And during that time, we have observed fundamental changes both in the nature of the applications we are protecting and in the threat posed to SaaS applications from post-authentication attacks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enterprise-ready requirements for the Apps of the Future\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today’s SaaS application is typically \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2020/06/the-path-to-continuous-authentication-solving-the-best-of-breed-problem/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"more than a simple web app\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". For example, consider Slack. Slack is a distributed set of apps and services, encompassing both web and native application experiences, and integrated with other applications (e.g. Google Workspace, Atlassian Confluence and Jira) using OAuth. Securing these distributed applications requires a new, longer list of requirements. SaaS applications will (at the very least) need to support the three features detailed below to pass muster with CSOs.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. 
Proof-of-possession\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Proof-of-Possession is a method of constraining the use of OAuth access tokens to an authorized client (browser-based app).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It prevents attackers from replaying a stolen token from any other client.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has addressed this requirement via our support for \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/dpop/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", an OAuth 2.0 extension that developers of SaaS applications can use to cryptographically bind a token to an authorized client. If an access token issued to one client is intercepted by an attacker, and replayed on any other client, the SaaS application can deny access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"There are a few logical reasons why this problem should be solved at the application level using DPoP. Previous efforts to solve this problem at the transport level (using mTLS-based token binding) have encountered \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://textslashplain.com/2023/10/23/protecting-auth-tokens/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"scale, deployability and usability challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". 
Trusted Platform Modules (TPMs) have historically not been fast enough to sign a proof for every HTTP request, and end-to-end proofs are also problematic in enterprise environments where proxies and other intermediaries terminate TLS.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"DPoP, by contrast, will reduce the risk of a stolen token across the broadest possible number of modern native apps. Okta has enabled DPoP by default in all \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/oin-api-service-overview/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Service Integrations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that access Okta’s management APIs. Once configured, Okta API endpoints will require the bearer of a token to prove this cryptographic relationship to an authorized client.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Chief Security Officers should be demanding that SaaS applications do the same. Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must require cryptographic proof that a client presenting an access token was authorized (demonstrating Proof-of-Possession).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. 
Continuous Access Evaluation Profile (CAEP)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta recently reduced the default maximum duration and idle duration for administrative sessions in Okta in an effort to shift the industry towards “secure by default” principles.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Counterintuitively, the default session for most SaaS applications is getting longer.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From a security perspective, organizations can only afford to extend the life of application sessions if security teams are confident that they can detect changes in user risk mid-session, and in near real time, orchestrating immediate responses to those signals in ways that don’t create excessive friction for legitimate users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2024/02/unifying-efforts-amplifying-security-shared-signals-interoperability/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" offers a path forward. CAEP provides a standardized way of ensuring that a change in session risk identified by one SaaS application can autonomously create responses in every other SaaS application accessed by the user via their Identity Provider.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Today, there are numerous risk signals Identity Providers like Okta can observe in relation to changes in user and session risk. 
But these signals aren’t always observable by the downstream SaaS applications accessed during an Okta session. SaaS applications can also observe changes in user and session risk, many of which, again, aren’t always observable to the Identity Provider.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP), which uses the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/wg/sharedsignals/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Shared Signals Framework\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" standardized by the OpenID Foundation, is a publish/subscribe mechanism for describing changes in user, device, or session risk. Okta has built the necessary components to be a transmitter, receiver and aggregator of risk signals between applications, and is building an ecosystem of SaaS applications and security providers to exchange signals with.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Risk signals are already published and acted on by customers using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2023/10/identity-threat-protection-with-okta-ai-is-transforming-security/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Threat Protection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in limited early access. Now is the time for CSOs to demand SaaS applications support the same risk-sharing standards. 
Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must be able to transmit and subscribe to risk signals using open, industry standard frameworks.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With all the signals being exchanged using CAEP, security teams also need the ability to automate responses to heightened session risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One possible response would be for the SaaS application to trigger re-authentication when responding to a change in session risk.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If the observed risk meets an appropriately high threshold, the user’s IdP (Identity Provider) session and each of the user’s individual sessions with SaaS applications need to be revoked.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Up until now, there hasn’t been a simple way to do this. Single Logout (SLO) offered a partial solution. A user can log out of a SaaS application that supports SLO and be automatically signed out of their Identity Provider (IdP) session. 
The missing piece was a method of revoking access to ALL the connected SaaS applications a user authorized during an IdP session, including native apps and SaaS integrations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enter \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/oin-universal-logout-overview/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Logout\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a standardized method Okta has proposed to handle the “Single Sign-Out” problem. Universal Logout saves SecOps personnel the hassle of manually identifying and signing out users from each SaaS application accessed during a risky session.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CSOs need to demand that SaaS applications publish a Universal Logout endpoint to facilitate this process. 
Consider the following requirement in your vendor security questionnaire:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must publish a standard interface for revoking access to an application, including OAuth tokens.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do these requirements move the needle?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When more applications meet these requirements:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Users can only authenticate to an enterprise resource with a phishing-resistant authenticator from the right device(s),\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications will only accept requests from the right users with the right permissions,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sessions/tokens for web or native apps can only be used from the same device authorized to access them,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Long-lived sessions are continuously re-evaluated for risk using signals from the enterprise and the 
application,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"All access from all devices can be terminated in real time to limit the blast radius of a stolen session.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As the world’s largest independent and app-neutral Identity Provider, Okta is positioned to help organizations and application service providers meet these requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is uniquely positioned to let the next generation of SaaS applications enable these features with the check of a box (in the Customer Identity Cloud), and to provide a market for the next generation of B2B SaaS applications to reach workforce users via the Okta Integration Network. 
Okta has also enabled application integration wizards to help SaaS applications to retrofit these features.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security teams need to demand more from the SaaS ecosystem to solve these fundamental security challenges.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS Apps of the Future - Requirement Statements\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A more expansive list of requirements for SaaS applications is provided below.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requirement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Standard\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Requirement Statement\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Support\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Single 
Sign-On\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OIDC \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/specs/openid-connect-core-1_0.html#\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OpenID Connect\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\")\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support Single Sign-On using a protocol that can protect privileged operations in the application with phishing-resistant re-authentication provided by the Identity Provider.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Modern, best of breed applications using the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Customer Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(Auth0) and the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Workforce Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"support OIDC.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Both platforms support transactional 
MFA.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Passkeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"FIDO2 WebAuthn\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Break Glass Accounts (non-Federated accounts) in enterprise SaaS applications must be protected by phishing-resistant factors to thwart common credential-based attacks. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Passkeys\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" are supported as the primary authenticator in both the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Customer Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"(Auth0) and the Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Workforce Identity Cloud \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"User Provisioning and 
Deprovisioning\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SCIM\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" (System for Cross-domain Identity Management)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support industry-standard approaches to the automated provisioning and deprovisioning of users.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Lifecycle Management\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" uses SCIM to automate user lifecycle management. 
Applications built on the Okta Customer Identity Cloud (Auth0) can be managed by any SCIM-compatible client such as the Okta Workforce Identity Cloud.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Role and Entitlement Management\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-ietf-scim-roles-entitlements-00\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SCIM\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" Roles and Entitlements Extension\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must support centralized identity governance mechanisms that ensure users are only provided the minimum permissions required for their role at any given time.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Identity Governance\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" can manage user entitlements within the world’s top SaaS applications. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Application Logs \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"REST APIs\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must offer programmatic access to logs that can be streamed in real time.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Logs should capture all security-relevant events. Events should be well documented and presented in a structured, industry-standard format. All distinct fields should be able to be programmatically parsed.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Log Streaming \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"offers access to Okta log events in close to real-time for both the Okta Customer Identity Cloud (Auth0) and Workforce Identity Cloud \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Dynamic Access Management 
\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://openid.net/wg/sharedsignals/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must be able to transmit and subscribe to risk signals using open, industry standard frameworks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"At minimum, applications need to publish and subscribe to the following events:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session Revoked\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Credential Change\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Identity Threat Protection\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" can publish and subscribe to CAEP-compliant events. 
\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Universal Logout\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/draft-parecki-oauth-global-token-revocation-01\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Global Token Revocation\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must publish a standard interface for revoking access to an application, including OAuth tokens.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our roadmap supports Universal Logout across all Okta applications.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"API Access Standards\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth 
2.1\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications should implement OAuth 2.1-based access to their APIs.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth is the industry standard for secure API access and supports both user-delegated and non-human, service-based access mechanisms.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sender-Constrained Tokens\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/dpop/main/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Demonstrating Proof-of-Possession (DPoP)\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications must require cryptographic proof that a client presenting an access token was the client authorized to do so (demonstrating Proof-of-Possession).\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Workforce Identity Cloud 
supports \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"DPoP\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" and requires it by default for new API Service Integrations.\\n\\nOkta’s roadmap includes plans to embed DPoP for new B2B SaaS apps in the Okta Customer Identity Cloud (Auth0).\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Security Best Practices\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/oauth-best-practice/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth2.0 Security BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/browser-based-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Browser-based Apps BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://oauth.net/2/native-apps/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Native and Mobile Apps BCP\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.rfc-editor.org/rfc/rfc7523.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"JWT Client 
Authentication and Authorization Grants\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"SaaS applications should support the Best Current Practices agreed by the IETF.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta personnel are contributors to many of these Best Current Practice materials.\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is helping to incubate several other identity standards that were deliberately omitted from this list, given that they are not yet actionable by security teams. The emerging work in W3C around \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/WICG/dbsc/blob/main/README.md\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Device Bound Session Credentials\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is most interesting, as it brings proof-of-possession properties to browser-based session cookies, which is the final piece in the puzzle for protecting modern apps.\",\"marks\":[],\"data\":{}}]}]}"}}]}},"pageContext":{"limit":10,"skip":40,"numBlogPages":9,"currentPage":5}},
    "staticQueryHashes": []}