Okta is one of the most widely used single sign-on (SSO) providers, making authentication more convenient for organizations and their users alike. We at HYPR use Okta. This convenience, however, comes at a price. Okta deployments are both highly targeted by and, as repeatedly demonstrated, highly vulnerable to attacks.
Perhaps the most notorious incident in recent years was the 0ktapus campaign. Over the course of several months, attackers bypassed Okta security processes to log into scores of corporate SSO instances, including those of Twilio, MailChimp and DoorDash. Okta customers were also the target of a string of social engineering attacks, in which cybercriminals convinced IT help desk staff to reset the MFA credentials of super admin accounts.
Okta's new passwordless authentication option, Fastpass, promises to mitigate these security weak points, but a recent analysis showed that it too can be bypassed. Moreover, most Fastpass implementations fall back to a password plus a less secure factor. While this helps minimize lockouts and disruptions, it opens another pathway in for attackers.
Okta provides its customers with multiple forms of authentication for services so that organizations can enforce MFA. The most widely used forms include temporary codes delivered over SMS through Twilio or via authenticator apps. However, as demonstrated time and again, even with these MFA options enabled, attackers can break in fairly easily, gaining wholesale access to connected accounts and applications. This is because the standard Okta security approach is predicated on shared secrets, which can be phished or intercepted through a number of different techniques.
In the case of the 0ktapus attacks, security researchers from Group-IB found that the threat campaign targeted employees of companies that use Okta SSO, sending them text messages containing links to phishing sites that spoofed the Okta login page of their organization. Many of the phone numbers were obtained from a previous successful hack of cloud communications provider Twilio, which itself was hacked using the same methods.
As soon as the victim enters their login details and 2FA code on the phishing page, the attacker submits them in a simultaneous login on the real Okta page, gaining a session token and access. From there, attackers have wide-ranging potential for further escalation.
Illustration of the 0ktapus attack flow
The IT service desk is another vulnerable point in most organizations. Without strong identity verification processes in place, fraudsters can impersonate legitimate employees to gain access. For example, they may claim they lost their phone and need to reset their multi-factor authentication factors. This is what happened to multiple Okta customers in an orchestrated social engineering campaign linked to the Scattered Spider threat group. Malicious actors phoned the company’s IT help desk and convinced staff to reset the MFA settings of highly privileged Okta platform admin accounts. They went on to use their privileged access to compromise other applications across victim organizations.
Scattered Spider help desk social engineering attack
These Okta security flaws show why more robust identity security protocols, ones that can resist phishing, interception and social engineering, are necessary across all IAM procedures. Here we'll look at some actions you can take to strengthen Okta security in your organization.
Multi-factor authentication is enabled by default for admins under Okta security protocols and it should be the minimum authentication standard set for all users. As we’ve seen, however, traditional MFA can be easily breached, especially when phishable factors are used, such as passwords and one-time passwords (OTPs). SMS is particularly vulnerable — if traditional MFA is used, disable SMS as an option. Ideally you should deploy phishing-resistant MFA (see tip #6).
Regular reviews of what accounts have access to, and strictly limiting admin-level powers to the users who need them, reduce the impact of a possible breach. Role-based access control (RBAC) also means account access is checked and adjusted according to a user's current needs rather than carried over from past requirements. Keep the number of Super Admins, the highest level of admin privilege, to an absolute minimum. This decreases the possibility of an attacker gaining access to these highly privileged accounts and causing even greater damage.
Enforcing stricter session lifetime rules on inactive sessions reduces the possibility of legitimate sessions being hijacked by attackers. This is especially important given that many employees now work outside the protected office environment.
Important activity on a user’s account, such as sign-ins from a new device or changes to factors used on an account, can be flagged through Okta security notifications. This way, notifications can be quickly escalated by the user or admin. Beware, however, that users can develop fatigue from the number of notifications they receive from various accounts, so they may not give them the attention they deserve.
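The two signals named above, sign-ins from a new device and changes to a user's MFA factors, can be picked out of the Okta System Log and escalated, with factor changes on admin accounts (the small Super Admin set the least-privilege tip asks you to maintain) raised to high severity. The following is an added example written for this article, not Okta's or HYPR's code: the event samples are constructed, the admin list is a placeholder, and the field names follow the System Log JSON schema as commonly exported.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the subset of Okta System Log fields the rules below need.
type Event struct {
	EventType string `json:"eventType"`
	Published string `json:"published"`
	Actor     struct {
		AlternateID string `json:"alternateId"`
	} `json:"actor"`
	Client struct {
		IPAddress string `json:"ipAddress"`
	} `json:"client"`
	Outcome struct {
		Result string `json:"result"`
	} `json:"outcome"`
	Target []struct {
		Type        string `json:"type"`
		AlternateID string `json:"alternateId"`
	} `json:"target"`
	DebugContext struct {
		DebugData map[string]interface{} `json:"debugData"`
	} `json:"debugContext"`
}

// Alert is what gets escalated to the user or admin.
type Alert struct {
	Severity string
	Rule     string
	User     string
	Detail   string
}

// factorChangeEvents are the event types emitted when a user's MFA
// enrollment is removed or reset, e.g. by a help desk agent.
var factorChangeEvents = map[string]bool{
	"user.mfa.factor.reset_all":  true,
	"user.mfa.factor.deactivate": true,
}

// targetUser returns the User target of an admin-initiated change, or the
// actor when the event has no User target (a self-service change).
func targetUser(e Event) string {
	for _, t := range e.Target {
		if t.Type == "User" {
			return t.AlternateID
		}
	}
	return e.Actor.AlternateID
}

// newDevice reports whether Okta's behavior detection flagged the session
// as coming from a device not previously seen for this user.
func newDevice(e Event) bool {
	b, ok := e.DebugContext.DebugData["behaviors"].(string)
	return ok && strings.Contains(b, "New Device=POSITIVE")
}

// Triage parses a System Log export and returns the alerts worth
// escalating. admins lists accounts whose factor changes are high severity.
func Triage(raw []byte, admins map[string]bool) ([]Alert, error) {
	var events []Event
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	var alerts []Alert
	for _, e := range events {
		if e.Outcome.Result != "SUCCESS" {
			continue // failed attempts belong to a separate rule set
		}
		switch {
		case factorChangeEvents[e.EventType]:
			user := targetUser(e)
			sev := "MEDIUM"
			if admins[user] {
				sev = "HIGH"
			}
			alerts = append(alerts, Alert{sev, "mfa-factor-change", user,
				fmt.Sprintf("%s by %s from %s", e.EventType, e.Actor.AlternateID, e.Client.IPAddress)})
		case e.EventType == "user.session.start" && newDevice(e):
			alerts = append(alerts, Alert{"MEDIUM", "new-device-signin", e.Actor.AlternateID,
				fmt.Sprintf("session from %s at %s", e.Client.IPAddress, e.Published)})
		}
	}
	return alerts, nil
}

// sampleLog is a constructed System Log extract, not real data.
const sampleLog = `[
 {"eventType":"user.session.start","published":"2024-01-10T08:02:11Z","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"target":[],
  "debugContext":{"debugData":{"behaviors":"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=POSITIVE}"}}},
 {"eventType":"user.mfa.factor.reset_all","published":"2024-01-10T08:15:40Z","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"helpdesk.agent@example.com"},"client":{"ipAddress":"198.51.100.20"},
  "target":[{"type":"User","alternateId":"bob.admin@example.com"}],"debugContext":{"debugData":{}}},
 {"eventType":"user.session.start","published":"2024-01-10T09:00:05Z","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.9"},"target":[],
  "debugContext":{"debugData":{"behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE}"}}},
 {"eventType":"user.mfa.factor.deactivate","published":"2024-01-10T09:30:00Z","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.9"},
  "target":[{"type":"User","alternateId":"carol@example.com"}],"debugContext":{"debugData":{}}}
]`

// TriageSample runs the rules over the constructed extract with a
// placeholder admin list.
func TriageSample() ([]Alert, error) {
	admins := map[string]bool{"bob.admin@example.com": true}
	return Triage([]byte(sampleLog), admins)
}

func main() {
	alerts, err := TriageSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s %s: %s\n", a.Severity, a.Rule, a.User, a.Detail)
	}
}
```

Run as-is, the sample yields three alerts: a new-device sign-in for alice, a high-severity factor reset on the admin account performed by a help desk agent, and a medium-severity self-service factor deactivation for carol; the routine sign-in from a known device produces nothing. Routing only these events to people, rather than every notification, is what keeps the alert fatigue mentioned above in check.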
One of the most effective methods of relieving pressure on Okta security is to remove the authentication burden from the SSO in the first place. SSO services ease workflows and manage access to a user's suite of applications; that central role also makes them a prime target for attackers seeking those users' privileges. Separating the authentication provider from the SSO provider and using a more secure passwordless authentication solution makes the SSO much harder for attackers to bypass.
The single most effective method to strengthen your SSO's security posture is to use IdP-agnostic, phishing-resistant, multi-factor authentication. One of the major Okta security issues is how easily attackers can phish, intercept or bypass MFA that uses SMS, OTPs or push notifications. By removing passwords and phishable factors, and authenticating using biometric identifiers and public key infrastructure (PKI), you eliminate the potential for phishing, MFA bombing and man-in-the-middle attacks.
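Why PKI-based authentication defeats the real-time relay used in the 0ktapus flow described earlier, while an OTP does not, comes down to one detail: the authenticator signs the origin the browser is actually on, and the relying party only accepts signatures over its own origin. A relayed OTP carries no such information. The following is an added example written for this article, not HYPR's, Okta's or any FIDO library's code; it is a minimal model of the FIDO2/WebAuthn pattern (real implementations also scope the credential to the relying-party ID and add counters and attestation), and the origins are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// clientData is what the authenticator signs: the server's one-time
// challenge together with the origin the browser is actually on.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds the private key minted at registration. It never
// leaves the device, so a phishing page has no secret to collect.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty is the real service. It stores only the public key.
type RelyingParty struct {
	Origin string
	pub    ed25519.PublicKey
}

// Register creates a key pair for one user at one relying party.
func Register(rpOrigin string) (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv}, &RelyingParty{rpOrigin, pub}, nil
}

// NewChallenge issues fresh random bytes for a single login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the browser-plus-authenticator step. The browser, not the user
// or the page, fills in the origin, so a look-alike page only ever gets a
// signature over its own origin.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) (clientData, []byte, error) {
	cd := clientData{Challenge: challenge, Origin: browserOrigin}
	raw, err := json.Marshal(cd)
	if err != nil {
		return cd, nil, err
	}
	return cd, ed25519.Sign(a.priv, raw), nil
}

// Verify accepts only a valid signature over this relying party's own
// origin and the challenge it issued.
func (rp *RelyingParty) Verify(issued []byte, cd clientData, sig []byte) bool {
	if cd.Origin != rp.Origin || !bytes.Equal(cd.Challenge, issued) {
		return false
	}
	raw, err := json.Marshal(cd)
	if err != nil {
		return false
	}
	return ed25519.Verify(rp.pub, raw, sig)
}

// Login models one attempt: the user's browser sits on browserOrigin and
// whatever it produces is forwarded, unchanged, to the real relying party.
// In the relay case the attacker passes the genuine challenge through,
// exactly as with a relayed OTP, but the signed origin gives the game away.
func Login(browserOrigin string) (bool, error) {
	auth, rp, err := Register("https://sso.example.com")
	if err != nil {
		return false, err
	}
	ch, err := NewChallenge()
	if err != nil {
		return false, err
	}
	cd, sig, err := auth.Sign(ch, browserOrigin)
	if err != nil {
		return false, err
	}
	return rp.Verify(ch, cd, sig), nil
}

func main() {
	ok, _ := Login("https://sso.example.com")
	fmt.Println("genuine site:", ok)
	ok, _ = Login("https://sso-example-com.login-page.invalid")
	fmt.Println("relayed through look-alike site:", ok)
}
```

The relayed attempt fails on the origin check; if an attacker instead rewrote the origin field to the real one before forwarding, the signature would no longer verify, because it covers the original bytes. That is the property a shared secret such as a password, SMS code or push approval cannot offer.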
Unfortunately, the more secure Okta options do not easily extend to desktop login, VPN access or remote situations. Specific employee groups, such as those working in clean rooms, on the factory floor or in the field may also have access and device limitations. Make sure you have identity security processes in place to cover all your use cases and user populations.
For most organizations, comprehensive identity verification is limited to specific points in time, such as employee onboarding. But there are other times when identity verification is equally critical, such as resetting a credential or registering a new device. The standard identity checks tend to be knowledge-based answers or calling the helpdesk — which, as evidenced, are prone to social engineering. Generative AI and deepfake technology have made these processes even more vulnerable to attack. Multi-layered, risk-based identity verification combines a series of factors such as location, behavior, document verification and face recognition so that you can be certain that an identity is genuine.
Recent attacks underscore the need for organizations to thoroughly scrutinize the security of their Okta deployment. The best approach to defend Okta and other SSO deployments is to integrate an end-to-end identity security system that strengthens the weakest and most vulnerable points.
HYPR, a trusted Okta partner, works in conjunction with Okta so your employees gain an optimized, frictionless experience and your organization gains a security-first identity strategy. HYPR integrates phishing-resistant passwordless authentication, adaptive risk mitigation, and automated identity verification to detect, prevent, and eliminate identity-related risks at every point in the identity lifecycle. It operates seamlessly with all major SSO providers, creating a single-action desktop-to-cloud authentication flow, with no password-based fallbacks.
Read more about the HYPR | Okta integration to learn how HYPR can painlessly solve your Okta security issues.
Editor's Note: This blog was originally published October 2022 and has been revamped and updated for accuracy and comprehensiveness.