2025 needs to be the year that identity providers commit to improving every aspect of software quality and security. That includes red teaming, being more transparent about their apps, and objectively understanding substandard results.
Anthropic, OpenAI, and other leading AI companies have taken red teaming to a new level and transformed their release processes for the better. Identity providers, Okta included, should follow their lead and do the same.
Okta was one of the first identity management vendors to sign CISA’s Secure by Design pledge, but it is still having trouble getting authentication right. A recent advisory from Okta told customers that a 52-character username could be combined with a stored cache key to bypass entering a password at login. Okta recommends that customers who meet the prerequisites examine their Okta System Log for unexpected authentications from usernames longer than 52 characters between July 23, 2024 and October 30, 2024.
Okta points to its best-in-class record in implementing multi-factor authentication (MFA) for both users and administrators in Workforce Identity Cloud. This is an important bet for protecting today’s customers and makes sense for competing in this market.
Google Cloud announced mandatory multi-factor authentication (MFA) for everyone by 2025. Microsoft also made MFA mandatory for Azure starting in October of this year: “Starting in early 2025, we will begin gradually enforcing MFA during sign-ins for Azure CLI, Azure PowerShell, Azure mobile apps, and Infrastructure as Code (IaC) tools,” the company wrote in a recent blog post.
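As an added illustration of the log review Okta recommends above (example code written for this edit, not Okta’s own tooling), the following script scans Okta System Log events for successful sign-ins by long usernames inside the advisory window. The field names used (`eventType`, `outcome.result`, `actor.alternateId`, `published`) follow the Okta System Log JSON schema as I understand it and should be treated as an assumption; the sample events are constructed. The threshold is set at 52 characters or longer, which is how Okta’s advisory states it.

```python
import json
from datetime import datetime, timezone

# Advisory window and username threshold as described in the article.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)
MIN_USERNAME_LEN = 52

# Constructed sample username: 44 letters + "@example.com" = 56 characters.
LONG_USER = "a" * 44 + "@example.com"

# Constructed sample events. Field layout assumes the Okta System Log schema
# (eventType / outcome.result / actor.alternateId / published).
SAMPLE_EVENTS = [
    {   # long username, successful login, inside the window -> should be flagged
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": LONG_USER},
        "published": "2024-08-15T10:00:00.000Z",
    },
    {   # long username, successful login, but before the window -> ignore
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": LONG_USER},
        "published": "2024-06-01T09:30:00.000Z",
    },
    {   # short username inside the window -> ignore
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
        "published": "2024-09-02T12:00:00.000Z",
    },
    {   # long username inside the window but the login failed -> ignore
        "eventType": "user.session.start",
        "outcome": {"result": "FAILURE"},
        "actor": {"alternateId": LONG_USER},
        "published": "2024-09-02T12:05:00.000Z",
    },
]


def parse_published(ts):
    """Parse the System Log 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def is_suspect(event):
    """True for a successful session start by a long username inside the window."""
    if event.get("eventType") != "user.session.start":
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    username = event.get("actor", {}).get("alternateId", "")
    if len(username) < MIN_USERNAME_LEN:
        return False
    published = parse_published(event["published"])
    return WINDOW_START <= published <= WINDOW_END


def find_suspect_logins(events):
    """Return the events that warrant a closer look, preserving log order."""
    return [e for e in events if is_suspect(e)]


def load_events(jsonl_text):
    """Load one System Log event per line from exported JSON Lines text."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in find_suspect_logins(SAMPLE_EVENTS):
        print(hit["published"], hit["actor"]["alternateId"])
```

A flagged event is not proof of compromise; it is the starting point for checking whether that sign-in matches a known user and an expected device and location.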
Okta is making a difference with CISA’s Secure by Design
It is commendable that so many identity management vendors have signed the CISA Secure by Design pledge. Okta signed on in May of this year and committed to the initiative’s seven security goals. Okta continues to make progress, but challenges remain.
Pursuing standards while trying to ship new apps and platform components is difficult. Even more challenging is coordinating a diverse and fast-moving set of DevOps, software engineering, QA, red team, product management, and marketing personnel all to stay focused on the launch.
- Not demanding enough when it comes to MFA: Okta reports that MFA adoption has increased significantly, with 91% of administrators and 66% of users using MFA as of January 2024. Meanwhile, more and more companies are mandating MFA without relying on MFA standards. Google’s and Microsoft’s mandatory MFA policies highlight the gap between Okta’s voluntary measures and the industry’s new security standards.
- Vulnerability management must be improved, starting with a solid commitment to red teaming. Okta’s bug bounty program and vulnerability disclosure policy are largely transparent. The challenge they face is that their approach to vulnerability management continues to be reactive and primarily dependent on external reporting. Okta should also invest more in red teaming to simulate real-world attacks and proactively identify vulnerabilities. Without red teaming, Okta risks certain attack vectors going undetected, potentially limiting its ability to respond early to emerging threats.
- Logging and monitoring enhancements need to move quickly. Okta is enhancing its logging and monitoring capabilities to improve security visibility, but many improvements remain incomplete as of October 2024. Key features such as real-time session tracking and robust auditing tools are still in development, hampering Okta’s ability to provide comprehensive real-time intrusion detection across the platform. These capabilities are critical to providing customers with immediate insight and response to potential security incidents.
Okta security failures demonstrate the need for more robust vulnerability management
Like every identity management provider, Okta must deal with attacks, intrusions, and breaches; what will be interesting to see is how Okta uses them as fuel to reinvent itself using CISA’s Secure by Design framework.
Okta’s failure provides strong evidence to scale vulnerability management efforts by taking red team lessons learned from Anthropic, OpenAI, and other AI providers and applying them to identity management.
Recent incidents Okta has experienced include:
- March 2021 – Verkada Camera Breach: Attackers gained access to over 150,000 security cameras and exposed critical network security vulnerabilities.
- January 2022 – LAPSUS$ Group Breach: The LAPSUS$ cybercriminal group exploited third-party access to infiltrate Okta’s environment.
- December 2022 – Source code theft: Attackers stole Okta’s source code and pointed out internal gaps in access control and code security practices. This breach highlighted the need for stricter internal controls and monitoring mechanisms to protect intellectual property.
- October 2023 – Customer Support Breach: Attackers compromised customer data for approximately 134 customers through Okta’s support channels, which the company admitted on October 20th. It all started with stolen credentials used to access the support management system. From there, the attackers accessed HTTP archive (.HAR) files containing active session cookies and began compromising Okta customers, attempting to infiltrate their networks and exfiltrate data.
- October 2024 – Username Authentication Bypass: A security flaw allowed unauthorized access by bypassing username-based authentication. This bypass highlighted weaknesses in product testing, as this vulnerability could have been identified and fixed through more thorough testing and red teaming practices.
Red team strategy for future-proof identity security
Okta and other identity management providers should consider ways to improve red teaming without relying on standards. Enterprise software companies don’t need better standards for red teaming, vulnerability management, or integrating security across the systems development lifecycle (SDLC).
Okta and other identity management vendors can strengthen their security posture by incorporating the following red team lessons from Anthropic and OpenAI:
- Intentionally create more continuous human-machine collaboration in testing: Anthropic combines human expertise with AI-driven red teaming to uncover hidden risks. By simulating a wide range of attack scenarios in real time, Okta could identify and address vulnerabilities early in the product lifecycle.
- Commit to excelling in adaptive identity testing: OpenAI’s use of advanced identity verification techniques, such as voice authentication and multimodal cross-validation to detect deepfakes, could prompt Okta to adopt similar testing mechanisms. Adding adaptive identity testing techniques would also help Okta protect against increasingly sophisticated identity spoofing threats.
- Keep testing focused by prioritizing specific domains for red teaming: Anthropic’s domain-focused testing shows the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integrations and customer support, where subtle security gaps may go undetected.
- Use more automated attack simulations to stress-test the identity management platform: OpenAI continually pressure-tests GPT-4o’s defenses with automated adversarial attacks. Okta could implement similar automation scenarios to enable rapid detection of and response to new vulnerabilities, especially in the IPSIE framework.
- Work to integrate more real-time threat intelligence: Real-time knowledge sharing within Anthropic’s red team increases its responsiveness. Okta could incorporate real-time intelligence feedback loops into its red team processes, so evolving threat data instantly informs defenses and accelerates the response to emerging risks.
Why identity security will be a bigger challenge than ever in 2025
Adversaries are relentless in adding new automated weapons to their arsenals, and companies are struggling to keep up.
With identities being the primary target of most breaches, identity management providers must address this challenge head-on and strengthen security across every aspect of their products. That should include integrating security into the SDLC and helping DevOps teams become fluent in security, so that it doesn’t become an afterthought rushed in right before release.
CISA’s Secure by Design initiative is invaluable to any cybersecurity provider, especially identity management vendors. Okta’s Secure by Design experience helped us identify gaps in vulnerability management, logging, and monitoring. But Okta shouldn’t stop there. They need to take the lessons learned from Anthropic and OpenAI and commit to a new, more focused approach to red teaming.
Improving data accuracy, latency, and quality through red teaming is the driver software companies need to build a culture of continuous improvement. CISA’s Secure by Design is just a starting point, not a destination. Identity management vendors heading into 2025 need to treat such standards as a valuable framework for guiding continuous improvement. An experienced, robust red team capability that can catch errors before they ship and simulate aggressive attacks from increasingly skilled and well-funded adversaries is the most valuable tool in an identity management provider’s arsenal. The red team is the core of remaining competitive while keeping an equal fighting chance against the adversary.
Author’s note: Special thanks to Taryn Plumb for her help and contributions in gathering insights and data.