How to Improve Okta Security
Michael Rothschild, HYPR
5 Min. Read | October 7, 2022
More than 140 organizations were recently breached through their Okta SSO credentials. Okta, one of the most widely-used single sign-on (SSO) providers, makes authentication into systems more convenient but also, as these attacks demonstrate, equally susceptible to attacks. Hackers were able to bypass Okta security processes to log into scores of corporate SSO instances.
Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio or via authenticator apps. Even with these “more secure” MFA options enabled, determined attackers can break in fairly easily, gaining wholesale access to connected accounts and applications.
There are measures you can take to mitigate Okta security weaknesses but first it helps to understand what some of these weak points are.
How Attackers Breach Okta Security Defenses
The authentication methods Okta uses are inherently insecure as they rely on passwords and, for Okta-provided MFA, one-time passwords. In other words, the entire Okta security approach is predicated on shared secrets, which can be phished or intercepted through a number of different techniques.
In the case of the recent Okta customer breaches, security researchers from Group-IB analyzed the threat campaign, dubbing it 0ktapus. 0ktapus targeted employees of companies that use Okta SSO, sending them text messages containing links to phishing sites that spoofed the Okta login page of their organization. Many of the phone numbers were obtained from a previous successful hack of cloud communications provider Twilio, which itself was hacked using the same methods.
Upon entering their login details and 2FA code, the attacker performs a simultaneous login process on the actual Okta page, gaining a session token and access. From there, attackers have wide-ranging potential for further escalation.
Illustration of the 0ktapus attack flow
Tips to Improve Okta Security
These SSO and Okta security flaws show why more robust authentication protocols , that can resist phishing and interception attacks, are necessary across all IAM procedures. Here we'll look at some actions you can take to strengthen Okta security in your organization.
1. At a Bare Minimum, Enable MFA on All User Accounts
Multi-factor authentication is enabled by default for admins under Okta security protocols and it should be the minimum authentication standard set for all users. As we’ve seen, however, traditional MFA can be easily breached, especially when phishable factors are used, such as passwords and one-time passwords (OTPs). SMS is particularly vulnerable — if traditional MFA is used, disable SMS as an option. Ideally you should deploy phishing-resistant MFA (see tip #8).
2. Use Role-Based Access Controls (RBAC)
Regular reviews of what accounts have access to and strictly limiting admin-level powers to relevant users can reduce the impact of possible breaches. In addition, RBAC sees account access checked and changed according to a user's current needs rather than maintaining past or previous access requirements.
3. Set Session Lifetime Rules
Enforcing stricter session lifetime rules on inactive sessions reduces the possibility of legitimate sessions being hijacked by attackers. This is especially important given that many employees now work outside the protected office environment.
4. Review Admin Actions
Regular reviews of admin activity can reveal suspicious activity patterns and attackers in the system to trace possible ongoing or previous Okta security breaches.
5. Limit Super Admins
Within Okta, certain users can be assigned Super Admin, the highest level of admin privileges. Keeping the number of Super Admins to an absolute minimum decreases the possibility of an attacker gaining access to these highly privileged accounts and causing even greater damage.
6. Enable User Event Notifications
Important activity on a user’s account, such as sign-ins from a new device or changes to factors used on an account, can be flagged through Okta security notifications. This way, notifications can be quickly escalated by the user or admin. Users can, however, develop fatigue from the number of notifications they receive from various accounts, so they may not give them the attention they deserve.
7. Decouple Identity from Authentication
One of the most effective methods of relieving pressure on Okta security is by completely removing the authentication burden from the SSO in the first place. SSOs are effective services for easing workflows and managing access to a user's suite of applications; however, this places a significant target on its back for attackers seeking access to those user privileges. Separating the authentication providers from SSO providers and using a more secure passwordless authentication solution makes it more difficult for attackers to bypass.
8. Use Phishing-Resistant Passwordless MFA
The single most effective method to strengthen your SSO’s security posture is to use phishing-resistant multi-factor authentication. One of the major Okta security issues is how easily attackers can phish, intercept or bypass MFA that uses SMS, OTPs or push notification. By removing passwords and phishable factors, and authenticating using biometric identifiers and public key infrastructure (PKI), you eliminate the potential for phishing, MFA bombing and man-in-the-middle attacks.
Make Your SSO More Secure With HYPR
Recent attacks emphasize that organizations need to thoroughly scrutinize the security of their Okta deployment. The best approach to strengthen the security of Okta and other SSO providers is to deploy a phishing-resistant passwordless MFA system. To learn more about what to look for in a passwordless solution read our Passwordless Security Evaluation Guide
HYPR works in conjunction with SSOs like Okta so your employees gain a consumer-like, frictionless experience and your organization gains the authentication security it needs. HYPR’s passwordless authentication solution integrates with all major SSO providers, creating a seamless desktop-to-cloud authentication flow. To see how HYPR can painlessly solve your Okta security issues, arrange a customized demo.