Okta has thrown its weight behind the effort to help companies up their game when it comes to multi-factor authentication. One theme from the identity management vendor’s 2024 Oktane conference has been getting away from vulnerable MFA methods and implementations.
In particular, Okta wants to galvanize the industry around efforts to move from SMS message and push notifications to more secure methods that are less prone to phishing and social engineering attacks.
“We really want to bring people on that journey, get away from SMS and push notifications,” explained Charlotte Wylie, Okta deputy CSO. “We haven’t collectively in a unified way attacked this.”
Find all of our coverage from Oktane 2024 here.
Getting companies off of poor MFA practices has been a key part of Okta’s strategy with its IPSIE standard rollout. That effort will see Okta team up with OpenID foundation and a number of prominent vendors to develop an open standard of identity management for SaaS vendors to adopt.
“For developers and internal security teams, the adoption of IPSIE is going to be a game-changer,” Wylie predicted. "The how part is really the most difficult, working with SaaS providers to help and take the right steps. It needs to be a collective journey to adapt the standard so our customers can benefit wholly.”
Okta is not alone in wanting to move companies off of SMS and other flawed methods of MFA. Earlier this month the UK’s National Cyber Security Centre issued an advisory to companies advising they take a closer look at their MFA setup and consider moving on from methods that may be more prone to phishing and social engineering.
“Attackers have realized that many of the same social engineering techniques that tricked us into handing over passwords can also be updated to overcome some methods of MFA,” the NCSC said. “We have seen the success of attacks against MFA-protected accounts increasing over the past couple of years."
One solution put forward was better governance and verification of users and devices. Speaking at keynote addresses at Oktane, company execs made the case for checking and enforcing various policies around the device itself.
By constantly checking and enforcing security requirements for a device and spotting possible fraud or malware activity, companies can ensure that even if a user is connecting through their own devices, companies can be sure they are keeping their network insulated from bad actors.
