Source: https://www.okta.com/blog/2022/09/okta-passkey-management-a-new-feature-flag/?utm_source=newsletter&utm_medium=email&...
OKTA PASSKEY MANAGEMENT: A NEW FEATURE FLAG

Mukul Hinge, Group Product Marketing Manager, Workforce Identity
September 22, 2022

Apple recently announced support for multi-device FIDO credentials, also called passkeys. Passkeys give users a passwordless login across all of their iOS and macOS devices.
Passkeys provide a better user experience across websites and apps, and they enhance security by virtue of being a standards-based technology that, unlike passwords, is resistant to phishing. They address two major end-user pain points, account registration and login, and simplify both. However, they can also introduce security risks for organizations that rely on device-bound credentials. This post broadly covers how and why authentication mechanisms have evolved to where they are today, how passkeys work, what kinds of security issues some organizations might face with the introduction of passkeys, and how Okta can help address these issues.

THE EVOLUTION OF AUTHENTICATION MECHANISMS

Organizations have historically relied on passwords, that is, shared secrets, for authentication. To combat credential-related attacks and improve authentication security, organizations started employing multi-factor authentication (MFA): authentication using a combination of factors instead of just one. You have probably experienced this in the form of an SMS-based one-time password (OTP) that you were asked to enter after your password, or a code from an authenticator app. These methods improve security but can severely affect user productivity, and they are not phishing resistant: a real-time phishing proxy can relay the OTP to the legitimate site just as it relays the password. Additionally, many MFA deployments still rely on a password as one of the factors, which leaves the password's weaknesses in place. The recent attacks on Uber, Twilio, and Cloudflare show that as authentication mechanisms have evolved, so have the attack methods. A new and worrying trend is the rise of one-time-password interception bots, along with OTP interception services for sale on the dark web, which specifically aim to capture TOTPs and use them together with the password in real time for account takeover.
To address over-reliance on passwords and the issues above, the Fast Identity Online (FIDO) Alliance, an open industry association formed to improve authentication security and reduce the world's dependence on passwords, began publishing a set of specifications for passwordless and phishing-resistant authentication. Today, most major browsers have implemented or are implementing the finalized WebAuthn specification, for the first time making a standardized, web-integrated, phishing-resistant authentication mechanism broadly available to relying parties and their users, without the need for special reader hardware or driver installation.

IMPACT ON 2FA AND BARRIERS TO ADOPTION

In theory, FIDO-based solutions can drastically increase the security of consumer two-factor authentication by providing phishing resistance, regardless of whether a given use case cares about hardware-bound sign-in credentials. But two major problems have obstructed adoption:

1. Recovery issues: Credentials managed by platform authenticators (authenticators built into devices the user already owns) are lost when the user replaces or loses the device. Because of this, the user cannot rely on a platform authenticator when signing into a mission-critical application for the first time from a brand-new device. There is no alternative to re-enrolling each new device, and no easy way to recover from a lost or stolen device.

2. Reliance on hardware that can be easily lost or stolen: To get phishing resistance without depending on a single platform authenticator, users need to carry a secure hardware key that works as a roaming authenticator, a cross-platform authenticator that can be used across multiple devices and is specifically designed to be portable.

WEBAUTHN: THE ENABLER FOR PASSKEYS AND PASSWORDLESS AUTHENTICATION

WebAuthn is a crucial enabler for secure, passwordless authentication.
It stands for Web Authentication API and is a specification written by the W3C and the FIDO Alliance, with the participation of Google, Mozilla, Microsoft, Yubico, and others. WebAuthn allows servers to register and authenticate users using public key cryptography instead of a password: the authenticator keeps a private key, the server stores only the matching public key, and each login is a signature over a fresh server challenge, so nothing the server holds can be replayed as a credential. It lets web applications simplify and secure user authentication by using registered devices (phones, laptops, etc.) as authentication factors. You can read more about how WebAuthn works and the best practices Okta recommends in the guide How WebAuthn Works.

MULTI-DEVICE FIDO CREDENTIALS (PASSKEYS) AND PASSWORDLESS AUTHENTICATION

Both of the gaps identified earlier in FIDO-based solutions are addressed with multi-device FIDO credentials, also referred to as passkeys. A multi-device FIDO credential is a FIDO credential that is backed up, usually to the user's platform account (for example a Google Account or Apple ID), in a manner that lets the user restore the credential to, and use it from, another device. From a user experience standpoint, this is similar to how one interacts with a password manager today to enroll and sign into websites from different devices, only far more secure, because the server is issued a public key instead of a password. Furthermore, unlike with a password manager, there is no need to create and save a password at all: device unlock (biometrics or a device PIN) authorizes use of the credential instead. This makes mounting attacks much harder and more expensive, and significantly changes the economics of the attack for bad actors. Passkeys are primarily meant to eliminate the single-device credential problem that can be a usability nightmare. They allow the FIDO credential to roam across multiple devices such as phones, tablets, or desktops, and even across different platforms. (Note that Apple has announced support for these already, and Microsoft and Google are expected to follow soon.)
Account recovery is no longer a problem, because credentials are now backed up centrally and can survive the loss of their originating device. Multiple enrollments are not a pain for the same reason. Furthermore, users no longer need to carry a hardware key and can fall back on device biometrics for secure, phishing-resistant authentication.

POTENTIAL ENTERPRISE SECURITY CHALLENGES WITH PASSKEYS

The passkey solution to the usability problem of single-device credentials can create a security challenge for some enterprise organizations. Since credentials are no longer device bound, users can enroll on a managed device and then access mission-critical applications from an unmanaged and unmonitored device, which creates risk if that device is not bound by an organizational security policy. Enterprises may not be comfortable with this change in security assumptions (platform authenticator private keys are no longer tied to a single piece of hardware but are synced through the platform account), especially if they previously allowed WebAuthn platform authenticators to meet all assurance requirements for enterprise IdP or app sign-in, in effect treating a valid WebAuthn assertion as proof that the request came from a managed device.

Let's consider the example of Bob from Acme Solutions. Bob joins Acme and is issued a company MacBook and iPhone. Bob enrolls using passkeys and is granted access to sensitive applications. The next week, Bob has urgent travel lined up and decides to access these applications from his personal iPad (an unmanaged device not issued by the company) while at the airport. Since passkeys are not device bound, Bob can use his iPad to access these sensitive applications. However, the iPad runs an older, vulnerable version of iOS and does not meet the organization's security posture requirements; this is a serious gap. From an admin standpoint, it needs to be addressed immediately.
Organizations need to think through this scenario and others that result from allowing users like Bob to enroll passkeys, and plan their security stack and access policies accordingly.

OKTA PASSKEY MANAGEMENT FEATURES

To address this risky scenario, Okta is rolling out a Passkey Management feature that allows admins to block passkeys for new enrollments at the organization level. When enabled by an administrator, this feature flag prevents a user from enrolling a multi-device FIDO credential such as a passkey, preempting the risk of unmanaged and insecure devices accessing sensitive applications. Note that this does not affect existing enrollments, which will continue to work according to their previous setup, so the flag on its own is not a remediation for passkeys that users have already enrolled. We are working on enhancing this feature so it can also be applied to application sign-on policies in the future. Admins can thus ensure that security policies are enforced on managed devices only and address the risk of unmanaged and potentially compromised devices accessing mission-critical applications and breaching sensitive data.

This self-service feature flag is available in Okta Classic Engine and Okta Identity Engine and can be accessed from the Settings page in the Admin Dashboard. For additional information on this feature and detailed instructions on how to block or allow passkeys in your org, see WebAuthn (MFA) if you are using Okta Classic Engine, or Configure a FIDO2 (WebAuthn) authenticator if you are using Okta Identity Engine.

About the author: Mukul Hinge, Group Product Marketing Manager, Workforce Identity. Mukul is a full-stack engineer turned Product Marketing Manager with fifteen-plus years of experience working with startups and enterprises in B2B and B2C roles. His interest areas include identity and access management, application security, endpoint security, and intrusion detection.
Tags: security, FIDO Alliance, FIDO2, MFA, Multi-Factor Authentication