Oktane 2023 - now Okta will log you out at the first sign your account has been hacked
Summary: Okta brings generative AI to the security landscape with the launch of Okta AI at last week's Oktane 2023 conference, with an emphasis on threat protection and universal logout in the enterprise, as well as improving the consumer experience.
Identity and access management vendor Okta has teamed up with Google to bring generative AI to its platform. The announcement of Okta AI came at last week's Oktane conference and underpins a slew of new products unveiled at the annual get-together, offering improved threat protection including universal logout, easier configuration of fine-grained authorization, a better user experience, and additional support for developers. Okta also announced a new passkey capability to allow password-less consumer logins, with more to come after its acquisition of password management startup Uno.
The showpiece announcement is Identity Threat Protection, which supplements today's mainstream standard of Multi-Factor Authentication (MFA) with a number of capabilities that address the growing number of threats that occur after a user has logged in, including phishing attacks that bypass MFA by tricking the user into disclosing tokens and passcodes, or more sophisticated hacking techniques such as session hijacking and Adversary-in-the-Middle (AiTM). Todd McKinnon, CEO at Okta, explains:
Identity Threat Protection ... will enable businesses to prevent and respond to threats faster than ever before ... It extends adaptive risk evaluation from the point of authentication to any time a user is logged in and helps you quickly prevent and respond to threats.
The new product includes what Okta is billing as "the industry’s first real universal logout solution." If at any time during a user session the system detects anomalous behavior that suggests the account may have been hijacked by a bad actor, it automatically logs the user out of all open sessions. Access can only be restored with admin approval. Initially supported by apps including Box, Google Workspace, Salesforce, Slack, Tableau, Zendesk and Zoom, the intention is to extend this feature to the entire ecosystem of Okta partners. McKinnon sees this as a unique differentiator for Okta. He says:
The number of apps that support this universal logout goes from 25 to 50 to 1,000, pretty soon it's going to be just a standard. And you won't want to have an app at a company that doesn't support universal logout. It'd be crazy, why wouldn't you? That's how the flywheel is going to happen in this.
Integrating across the security stack
Okta's threat protection also pulls information from other security products in an organization's technology stack to inform its dynamic, data-driven risk assessment. While it replaces the need to buy a separate Identity Threat Detection and Response (ITDR) product, it integrates with other Extended Detection and Response (XDR) platforms, including Mobile Device Management (MDM), Cloud Access Security Broker (CASB), and Endpoint Detection & Response (EDR) solutions. With integrations to partners including Jamf, Netskope, Palo Alto Networks and Zscaler, it is implementing a standards-based event pipeline to extract insights from these various security technologies. When it detects an unusual event, such as a change in IP address or device context, it can invoke actions based on pre-configured policies and features, such as immediately ending the active user session across supported applications. As Okta points out, this not only helps organizations identify and neutralize identity threats, it also "positions Identity Threat Protection as the connective tissue across the tech stack."
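The mechanism described above (continuous evaluation of events after login, universal logout across supported apps, restore only with admin approval) modelled as a small policy engine. This is an added illustration, not Okta's code; the app list is taken from the article, and the session, event and audit structures are assumptions.

```python
from dataclasses import dataclass

# Constructed sample: apps the article names as initially supporting universal logout
SUPPORTED_APPS = {"Box", "Google Workspace", "Salesforce", "Slack", "Tableau", "Zendesk", "Zoom"}

@dataclass
class Session:
    user: str
    ip: str
    device_id: str
    apps: set
    active: bool = True
    locked: bool = False  # once logged out, only an admin may restore access

class SessionRiskEngine:
    """Continuous, post-authentication risk evaluation (hypothetical model)."""
    def __init__(self):
        self.sessions, self.audit = {}, []

    def login(self, user, ip, device_id, apps):
        self.sessions[user] = Session(user, ip, device_id, set(apps))

    def evaluate(self, event):
        """Compare one event from any tool in the stack (IdP, EDR, MDM, CASB)
        against the session's known context; returns the apps logged out."""
        s = self.sessions.get(event["user"])
        if s is None or not s.active:
            return []
        reasons = []
        if event.get("ip") not in (None, s.ip):
            reasons.append("ip_change")
        if event.get("device_id") not in (None, s.device_id):
            reasons.append("device_change")
        if event.get("source") == "edr" and event.get("verdict") == "compromised":
            reasons.append("endpoint_compromised")
        return self.universal_logout(s, reasons) if reasons else []

    def universal_logout(self, s, reasons):
        terminated = sorted(s.apps & SUPPORTED_APPS)
        s.active, s.locked = False, True
        # Apps outside the ecosystem keep their own sessions: that is the gap to close
        self.audit.append({"user": s.user, "reasons": reasons, "terminated": terminated,
                           "not_terminated": sorted(s.apps - SUPPORTED_APPS)})
        return terminated

    def restore(self, user, admin_approved):
        s = self.sessions[user]
        if not (s.locked and admin_approved):
            return False
        s.active, s.locked = True, False
        return True
```

The audit record's `not_terminated` list makes the coverage gap visible: any app outside the supported set is still logged in after a revocation.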
As McKinnon points out, this is in contrast to larger platform vendors whose strategy is focused on bringing security wholly within their own platform. He cites Microsoft as an example:
We are building Okta for everything, and Microsoft is building Okta for Microsoft. Essentially, that's what they're doing. They have some prototypes of a universal logout, but it only works on their apps.
So they haven't been able to reach outside of their ecosystem. Part of this is this protocol concept, where it's hard for them to collaborate and communicate with all these vendors, because they're coming after CrowdStrike, they're coming after Zscaler. So it's like, 'What is your worldview? Is security going to be done by one monolithic platform or is it going to be done by an open ecosystem?'
I think history is on our side here, because the history of the security industry is more on the ecosystem side. There's a reason why no one's ever rolled up the whole security industry. It's because it's an adversarial environment. And once you start doing that, there's new people that come out for new threats, and they have to block their new threats, and you have to hook into one central identity plane to be successful.
Okta's strategy is to offer identity as a linchpin around which organizations can focus their security efforts, as part of a best-of-breed landscape. As its press release stated last week:
Organizations are adopting an increasing number of cybersecurity tools to keep pace with evolving threats, forcing admins and security teams to sift through an overwhelming amount of granular security data to establish effective policies and detect and respond to critical threats. This fragmentation leads to navigating multiple consoles, and makes it difficult to track the risk of any given user session over time. Because identity is uniformly deployed across an organization’s tech stack, Okta is uniquely positioned to assess risk across security domains and throughout active user sessions.
Built on Vertex AI
Threat protection and universal logout are to be offered as part of Okta's Workforce Identity solution for secure identity within an organization. Other capabilities announced last week include:
- Log Investigator with Okta AI — enables admins to ask questions about Okta data in plain English and obtain insights on the historical context of their identity posture. It makes it easier to investigate potential threats and troubleshoot end-user issues, helping to get speedy answers from the system log.
- Policy Recommender with Okta AI — provides personalized recommendations and templates, streamlining the setup of secure authentication practices, including device posture checks and phishing-resistant authenticators. Recommendations are based upon aggregated intelligence from across Okta’s extensive ecosystem as well as best security practices.
- Governance Analyzer with Okta AI — provides context and recommendations to support governance decisions. Empowers decision makers with the necessary context to make an informed decision, leveraging signal from across Okta’s unified identity platform.
These capabilities appear to benefit from the partnership with Google's Vertex AI, which allows Okta to use its extensive data to train a domain-specific model on the generative AI platform. McKinnon believes the extra support these capabilities offer for more fine-grained authorization will improve security governance. He adds:
When I do governance, does the application that is being delivered to my users, fit the same fine-grained authorization level that my IGA [Identity Governance and Administration] product for workforce expects? That's powerful. It's never been possible. This is the kind of thing we're focused on from a strategic perspective.
Another set of announcements relates to Okta's Customer Identity offering, built on its acquisition of Auth0. Here, Okta AI will provide inline recommendations and actions for developers and digital teams to improve the sign-up flow, help to distinguish human users from automated bots, and speed development of apps. These functions will be available in beta next year:
- Identity Flow Optimizer with Okta AI — provides developers with inline recommendations on the identity configurations and actions they can add to boost conversions, improve security, and build their apps faster
- Actions Navigator with Okta AI — allows developers to discover and implement marketplace integrations, or write an Action (a function used to customize and extend CIC capabilities), by simply asking for it in a search prompt
- Tenant Security Manager with Okta AI — enriches Okta’s Attack Protection capabilities with intelligent security recommendations through security snapshot alerts and dashboard notifications to detect and react to malicious attacks, improving the customer tenant’s security posture.
- Guide with Okta AI — comprehensive onboarding assistance which maps out effective workflows and provides prompts in natural language
- Brand Customizer with Okta AI — automatically builds templates for a consistent look and feel
Skills development
The new passkey addition to the Customer Identity Cloud can be added to consumer-facing apps to reduce login friction, while protecting organizations from credential-based threats, such as phishing or other unauthorized access attempts. Other new Customer Identity and Access Management (CIAM) capabilities include:
- Okta Workflows No-Code Automation for Customer Identity, which enables developers and digital teams to personalize Customer Identity flows without writing code. Okta says this improves security posture and drives stronger customer experience and retention.
- Phone number as sole identifier, which makes it easier to support more users in countries, typically in Asia-Pacific or Latin America, where a phone number is an expected form of authentication. An available password-less option allows users to sign up with just their phone number.
- Password recovery enhancements, which allow developers to enhance security and lessen support burdens by integrating multi-factor authentication (MFA) into their password reset flow, or give customers the ability to reset using any enrolled factor.
- Custom sign-up prompts, to enable developers to create personalized registration journeys directly within the new Universal Login. Sign-up prompts can be tailored to customer preferences, localization needs, privacy, consent, and beyond.
Pointing to a predicted growing shortage of cybersecurity workers and a broader tech talent gap, Okta also announced a series of grants to stimulate development of the best cybersecurity talent and provide equitable access to these careers in technology, with the launch of its Cybersecurity Workforce Development Initiative:
- $1.6 million in philanthropic grants out of the Okta for Good Fund, a donor-advised fund held at Tides Foundation, for organizations around the globe providing tech career opportunities for women, people of color, veterans and other jobseekers from underrepresented communities.
- 5,000 educational grants to unemployed professionals looking to make a career transition to cybersecurity by growing their Okta skills. The program focuses on veterans, military spouses, and tech workers impacted by recent lay-offs.
My take
An eye-catching set of announcements designed to cement Okta's role as the identity keystone of enterprise security. The plethora of security technologies organizations have to co-ordinate today is proving challenging, and the industry is ripe for a consolidation of those technologies around a few core ecosystems.
[Updated Oct 11th with minor amendments to the opening paragraph to more clearly summarize the key points, and a revision to the later mention of Vertex AI.]