Okta API strategy aims to bridge gap between customer experience and security

Derek du Preez, August 29, 2017
The cloud identity management vendor kicked off its annual customer event in Las Vegas today with a number of announcements that expand the Okta platform.

Okta CEO, Todd McKinnon

Cloud identity management provider, Okta, kicked off its annual customer event in Las Vegas with a slew of platform enhancement announcements, which aim to embed identity at the centre of any organisation’s strategy to create both better end-user experiences and also enhance security.

The two main announcements centre around building better authentication into the platform as standard, as well as enhancing the company’s API strategy to bridge the gap between the applications being built by companies and the security management at the back end.

CEO Todd McKinnon took to the stage to explain why identity, whilst it has traditionally either been built into each platform or built by companies themselves, now needs to stand alone as its own independent integration layer.

He said:

We’ve moved from a world where we have just a few vendors providing monolithic stacks of applications. You ran the software, you ran the hardware, surrounded by the network perimeter, connected to offices that your employees used to log in to from their company computer. Today the world is dramatically different. There are tens of thousands of applications, applications for every use case, there are millions of people. There are partners, customers, employees. It’s a very open, fluid and dynamic world.

But this potential comes with new challenges that weren’t around in the old world. One of those challenges is that integration becomes incredibly important. You might say that integration is everything in this environment. Ease of use, management and security, all depend on integration.

What it comes down to, is how we can take all this technology, focus it, and present it all as a single view to the end users, in a very elegant and simple way. With a single view on how we manage it.

McKinnon explained that the security perimeter that companies used to work with has been redefined. In a world where people are logging in from different locations and from different devices, networks, VPNs and firewalls are no longer sufficient. He said that what is needed is a system of record that will help companies control who can go where, and which access points they can access at which time.

If done successfully, he added, companies can “not only deliver a great user experience, but can actually make the environment more secure”. McKinnon said:

Identity is central to all of it. In a world where integration is critical, identity becomes the lynchpin of this ecosystem. It’s the one constant, as everything around it is changing. When people are the perimeter, identity becomes the security control point. The key point of securing this environment. Identity is critical to building engaging, personalised, delightful and secure customer experiences.

But it has to be done differently to how it was done in the past. Identity needs to be elevated. In the past identity has been part of other platforms, but now, identity has to rise from part of other platforms to being an independent and neutral platform on its own. This is the only way we can assure you are connected to the best technologies and innovations you need to capitalise on these trends.

Better security

On the security side of the discussion, Okta announced basic two-factor authentication as standard for every user, and launched new automated and “adaptive” security features to protect customers from the impacts of credential theft and account takeover attacks.

Effective immediately, Okta Single Sign-on includes a simple one-time passcode authentication for all users, making two factor authentication standard for everyone that uses Okta.

Additionally, Okta is rolling out a new compromised password detection feature, which ought to prevent all Okta users from using commonly used passwords and passwords that were exposed as part of publicly known data breaches.

Enhancements to the Okta Identity Cloud now also mean it can closely monitor access behaviours to determine when there is a potential threat actor using compromised credentials to gain access to sensitive company information. For example, the platform can detect anomalies based on the user’s location and client, such as OS and browser user agent - helping make more intelligent access decisions based on the context of the authentication event.

Okta also monitors potential security threats to the Okta cloud platform, with a security operations team constantly assessing the network. However, it is now sharing this intelligence across the network, allowing organisations to manually blacklist IP addresses when being attacked and to create policy-based blacklisting for geographies.

Coupling security and CX

However, more interestingly, Okta also announced that it would be extending its API strategy (which was announced in August of last year) to help companies build better customer experiences that have security embedded into their core, with identity being the central integration layer.

McKinnon took to the stage in Las Vegas this week to explain the thinking behind this. He said:

We’re about connecting everything. And a lot of our focus in the coming years will be around using these two sides of our business - the customer experience side and the management/security side - and connecting them together. Using the network effect, using the feedback between those two, to further our ambition to connect everything.

You can imagine us working on areas that make our API products better and make them more compelling to developers, because we do more to expose data about the types of applications that are being adopted - what makes an application successful? Because we can learn about that on the management/security side.

And the other way around, you can imagine us taking the information and the user accounts and the organisations on the transforming the customer experience side, and using those to make it far easier to connect to users, partners and organisations. No one else can do this because they don’t have the integrated platform.

McKinnon said that if Okta is going to be successful in this, it needs to “win the hearts of developers”.

The basic idea is that as companies are increasingly placing ‘experience’ at the core of everything that they do, and they are increasingly doing this by building their own applications, it makes sense for identity management and security to be provided as a platform to support this - avoiding companies having to build that out for every new ‘experience’.

Much of this has been made possible by Okta’s ‘acquihire’ in March 2017 of Stormpath, an identity and user management API. Today, Okta announced the following advancements to its API strategy:

  • Authentication - Developers can now add Okta’s identity-driven security functionality to their own applications. Developers could already use Okta to authenticate users in their custom apps through the use of passwords, OTP push and biometrics. However, new capabilities such as email as a second authentication factor and compromised password detection have been added as additional features for developers to use.
  • Rapid customisation and branding - Okta is helping developers to ensure that every touchpoint is ‘on brand’ with support for hosted and customisable registration and login pages. Additionally, custom URLs and email domains have been introduced, so that developers can ensure users know and trust links, sites and the source of system email notifications.
  • Out of the box workflows - For example, developers can now make use of Okta’s self registration-as-a-service workflow, to quickly set up a secure registration for their application’s users.

My take

An interesting morning so far with Okta. It’s becoming increasingly clear that the API strategy is the company’s way of placing identity management at the centre of any customer’s strategy. Closely coupling security with customer experience is smart - both are top priorities for any enterprise at present. However, selling an API strategy is very different to selling an identity management platform - Okta will need to consider how it’s going to execute on that shift.
