Remembering passwords - a total pain, right? No wonder so many people pick a simple, easy-to-recall password - AKA a weak one - and then stick with it through thick and thin, using it repeatedly across multiple systems and stubbornly refusing to change it unless absolutely forced.
Obviously, these bad habits fly in the face of all expert advice - so it’s gratifying to hear that even Diya Jolly, Chief Product Officer at identity management specialist Okta, has had her own struggles with passwords.
“If I look at my own behavior with passwords, I probably get locked out about once a month and have to bug IT about it.”
But since Okta implemented its own FastPass, a new product it announced earlier this month, she’s not had to pester the helpdesk once, she says.
So could password annoyances really be a thing of the past? That would certainly be good news for businesses, because poor password hygiene makes work systems inherently insecure, says Jolly, and dealing with password reset requests comes at a cost, too.
Taking SSO one step further
Single Sign-On (SSO) technology, as offered by Okta and numerous other vendors, goes some way to addressing the problems, but as Jolly’s own experiences suggest, it still depends on the user remembering the one ‘golden’ password that unlocks all those other work accounts.
FastPass aims to take the ease of use associated with SSO one step further by combining it with biometrics. Instead of relying on a password, users sign on with the biometric features of their hardware device. On Apple devices, for example, that’s Touch ID and Face ID; on Android, it’s fingerprint login; and on Microsoft devices, Windows Hello.
(In Jolly’s case, for example, Touch ID on her MacBook signs her into Okta, and from there into all the corporate systems she’s authorized to access, all in one go.)
Naturally, there’s quite a lot going on behind the scenes in order to achieve this - and it’s not entirely password-free, or at least, not initially. How FastPass works is that users download Okta’s Verify app onto their device and log into the app using - you guessed it - a password. (In the case of devices under management by corporate IT, the Verify app can be pushed to devices automatically.) From then on, however, device biometrics alone can be used to sign on. But there’s more to all this than plain old user experience, says Jolly:
“The reason we’re so excited about this is that it also increases security as well as usability - and it’s not often you get the chance to deliver something that does both.”
The reason it’s more secure, she says, is that this approach provides IT admins with rich information about the identity and context of the device in question: whether it’s connecting from a recognized IP address, which operating system version it runs, what other applications are installed, and whether or not it’s managed by corporate IT.
On top of that, it also lets them create per-app policies that decide whether to allow access, require additional authentication, or deny access. These rules can be pretty fine-grained: for example, a user might be permitted to use FastPass to log into Salesforce, but not to delete customer accounts without either additional authentication or, say, switching from their personally owned device to one managed by their employer’s mobile device management (MDM) software.
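As an added illustration (not Okta’s code; the signal names, rule shape and thresholds are assumptions), here is a small policy evaluator that turns the device-context signals listed above into the three decisions the article describes, using the Salesforce login-versus-delete example as its sample rules:

```python
from dataclasses import dataclass

# Constructed device-context signals of the kind the article says are
# reported to admins. Field names are assumptions, not an Okta API.
@dataclass
class DeviceContext:
    ip_known: bool            # connecting from a recognized IP address?
    os_version: str           # e.g. "11.2"
    managed: bool             # enrolled in corporate MDM?
    biometric_verified: bool  # device biometric (Touch ID etc.) succeeded?

# The three outcomes the article lists.
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Per-app, per-action rules (hypothetical): a minimum OS version for
# device posture, and whether the action is sensitive enough to need
# either a managed device or additional authentication.
POLICY = {
    ("salesforce", "login"):          {"min_os": (10, 15), "sensitive": False},
    ("salesforce", "delete_account"): {"min_os": (10, 15), "sensitive": True},
}

def parse_version(v: str) -> tuple:
    """Turn '10.15.7' into (10, 15, 7) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def evaluate(app: str, action: str, ctx: DeviceContext) -> str:
    """Return ALLOW, STEP_UP or DENY for this app/action on this device."""
    rule = POLICY.get((app, action))
    if rule is None:
        return DENY                       # default deny: no rule, no access
    if not ctx.biometric_verified:
        return DENY                       # no biometric proof, no FastPass
    if parse_version(ctx.os_version) < rule["min_os"]:
        return DENY                       # outdated OS fails device posture
    if not ctx.ip_known:
        return STEP_UP                    # unfamiliar network: ask for a factor
    if rule["sensitive"] and not ctx.managed:
        return STEP_UP                    # unmanaged device: extra auth for deletes
    return ALLOW

if __name__ == "__main__":
    byod = DeviceContext(ip_known=True, os_version="11.2",
                         managed=False, biometric_verified=True)
    print(evaluate("salesforce", "login", byod))           # allow
    print(evaluate("salesforce", "delete_account", byod))  # step_up
```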
FastPass is currently in beta and will be available on an early-access basis to customers by the end of 2020, according to Jolly. For it to work, Okta customers will also need to install Okta Devices. This is a new component of Okta Platform Services, one of three - along with Okta Identity Engine and Okta Workflows - that was announced at the company’s online Oktane 2020 conference in early April. In response to the coronavirus outbreak, this virtual event replaced the company’s usual, face-to-face customer gathering in San Francisco.
FastPass presents an interesting and potentially valuable response to the password problem - albeit one that’s only open to newer generation, biometric-enabled hardware, which could be a sticking point for many organizations, for now at least.
More importantly, it’s an interesting proof point of how the company’s platform strategy is evolving. Okta, after all, is perhaps best known for federating enterprise user access to Software-as-a-Service (SaaS) applications such as Salesforce, Box and ServiceNow - but in recent years, it has been developing a platform that can be used for different use cases, including authenticating customers and gig-economy workers.
That has involved a substantial amount of engineering work, componentizing functions and providing APIs and SDKs, so customers can build out the identity workflows they need, accessed via the Okta Identity Cloud.
In turn, this strategy is also enabling the company to build new products, like FastPass, out of combinations of its platform services. In this case, FastPass relies primarily on three Okta Platform Services: Insights (to determine risk), Identity Engine (to build out custom access experiences) and Devices (for device identity and context).
When my colleague Phil Wainewright attended the Oktane conference in 2019, he wrote about:
“…a significant maturity in the company’s offering. Of particular note is the introduction of new support for flexibility and extensibility, making sure that Okta can play its part as a trusted identity infrastructure in an API-first world.”
This year’s announcements demonstrate that Okta has continued to build on these foundations at an impressive pace. And as companies continue to grapple with the immediate and very tricky challenge of giving remote workers safe access to enterprise systems during a global pandemic, flexibility and extensibility are messages that are likely to play well, both in the short term and in future.