How to Improve Okta Security
More than 140 organizations were recently breached through their Okta SSO credentials. Okta, one of the most widely used Single Sign-On (SSO) providers, makes authentication more convenient but, as these attacks show, just as vulnerable to attack. Hackers were able to bypass Okta's security processes and log into numerous enterprise SSO instances.
Okta offers its customers multiple forms of authentication for services, including temporary codes sent via SMS through Twilio or generated by authenticator apps. Even with these “safer” MFA options enabled, determined attackers can break in fairly easily and gain broad access to connected accounts and applications.
There are steps you can take to mitigate Okta's security weaknesses, but first it helps to understand what some of those weaknesses are.
How Attackers Breach Okta Security Defenses
The authentication methods used by Okta are inherently insecure because they rely on passwords and, for the MFA Okta provides, on one-time passwords. In other words, Okta's entire approach to security is based on shared secrets that can be phished or intercepted using a variety of techniques.
In the case of the recent Okta customer breaches, Group-IB security researchers analyzed the threat campaign, dubbed 0ktapus. 0ktapus targeted employees at companies using Okta SSO, sending them text messages with links to phishing sites that spoofed their organization's Okta login page. Many of the phone numbers were obtained from an earlier successful hack of the cloud communications provider Twilio, which was itself compromised using the same methods.
Once the victim enters their credentials and 2FA code, the attacker performs a concurrent login on the real Okta side and receives a session token and access. From there, attackers have far-reaching potential for further escalation.
[Figure: Illustration of the 0ktapus attack flow]
Tips for improving Okta security
These SSO and Okta vulnerabilities show why more robust authentication protocols that can resist phishing and eavesdropping attacks are required for all IAM practices. Here we look at some actions you can take to strengthen Okta security in your organization.
1. Enable at least MFA for all user accounts
Multi-factor authentication is enabled by default for admins under Okta's security defaults and should be the minimum authentication standard for all users. However, as we have seen, traditional MFA can be breached easily, especially when it relies on phishable factors such as passwords and one-time passwords (OTPs). SMS is particularly vulnerable: if you are using traditional MFA, disable SMS as an option. Ideally you should deploy phishing-resistant MFA (see tip #8).
2. Use role-based access controls (RBAC)
Regularly reviewing which accounts have access, and strictly limiting admin-level rights to the users who actually need them, can mitigate the impact of a potential breach. In addition, RBAC ensures that account access is reviewed and adjusted according to a user's current needs, rather than retaining access granted for past requests.
3. Set session lifetime rules
Enforcing stricter lifetime rules for idle sessions shrinks the window in which a legitimate session can be hijacked by an attacker. This is particularly important now that many employees work outside the secure office environment.
4. Audit admin actions
Regularly reviewing admin activity can uncover suspicious activity patterns and reveal attackers already in the system, whether an Okta security breach is ongoing or happened in the past.
5. Limit super admins
Specific users can be assigned the Super Admin role in Okta, the highest level of administrator rights. Keeping the number of super admins to an absolute minimum reduces the chance of an attacker gaining access to one of these highly privileged accounts and causing even more damage.
6. Enable user event notifications
Okta security notifications can flag important activity on a user account, such as sign-ins from a new device or changes to the factors enrolled on the account, so that the user or an administrator can escalate quickly. However, users can tire of the number of notifications they receive from different accounts and may not give them the attention they deserve.
7. Decouple identity from authentication
One of the most effective ways to relieve the pressure on Okta's security is to remove the authentication burden from the SSO altogether. SSOs are effective services for simplifying workflows and managing access to a user's suite of applications, but that makes them a significant target for attackers who want those user rights. Separating the authentication provider from the SSO provider, and using a more secure passwordless authentication solution, makes the SSO far harder for attackers to circumvent.
8. Use phishing-resistant passwordless MFA
The single most effective way to strengthen the security posture of your SSO is to use phishing-resistant multi-factor authentication. One of Okta's key security concerns is how easily attackers can phish, intercept, or bypass MFA that relies on SMS, OTPs, or push notifications. By removing passwords and other phishable factors and authenticating with biometric identifiers and a public key infrastructure (PKI), you eliminate the potential for phishing, MFA bombing and man-in-the-middle attacks.
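As an added illustration (not code from the original post or from HYPR's product), the following Go model shows why the relay described in the 0ktapus flow above succeeds against a shared-secret OTP but fails against origin-bound public-key authentication; the origins, the shared secret and the simplified WebAuthn-style signing of challenge plus origin are constructed assumptions for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)
// Shared-secret OTP, the kind of factor 0ktapus relayed (HOTP-style truncation per RFC 4226).
type OTPService struct{ Secret []byte }
func (s *OTPService) Code(counter uint64) string {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, counter)
	mac := hmac.New(sha1.New, s.Secret)
	mac.Write(buf)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}
// RelayOTP: a phishing page forwards whatever code the victim typed to the real service, which
// cannot tell where the code was typed, so the relayed login is accepted.
func RelayOTP(s *OTPService, typedCode string, counter uint64) bool {
	return hmac.Equal([]byte(typedCode), []byte(s.Code(counter)))
}
// Origin-bound public-key challenge/response (simplified WebAuthn-style model, constructed here).
type Authenticator struct{ priv ed25519.PrivateKey }
type RelyingParty struct{ Origin string; Pub ed25519.PublicKey }
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}
// Sign covers the challenge AND the origin the browser is really on; the user cannot alter it.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) []byte {
	return ed25519.Sign(a.priv, append(append([]byte{}, challenge...), browserOrigin...))
}
// LoginVia: the page at browserOrigin relays rp's challenge unchanged; verification succeeds
// only when the signed origin is rp's own, so a relay through a phishing origin fails.
func LoginVia(rp *RelyingParty, auth *Authenticator, browserOrigin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig := auth.Sign(challenge, browserOrigin)
	return ed25519.Verify(rp.Pub, append(append([]byte{}, challenge...), rp.Origin...), sig)
}
func main() { // constructed origins and secret
	auth, pub := NewAuthenticator()
	rp := &RelyingParty{Origin: "https://sso.example.com", Pub: pub}
	otp := &OTPService{Secret: []byte("constructed-shared-secret")}
	fmt.Println(RelayOTP(otp, otp.Code(7), 7), LoginVia(rp, auth, rp.Origin), LoginVia(rp, auth, "https://phish.test"))
}
```

The first result is true (the relayed OTP is indistinguishable from a genuine one), the second is true (the genuine origin verifies), and the third is false (the relayed challenge was signed over the phishing origin).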
Make your SSO more secure with HYPR
Recent attacks emphasize that organizations must thoroughly assess the security of their Okta deployment. The best approach to strengthening the security of Okta and other SSO providers is to deploy a phishing-resistant passwordless MFA system. To learn more about what to look for in a passwordless solution, read our Passwordless Security Assessment Guide.
HYPR works with SSOs like Okta to give your employees a consumer-like, frictionless experience and give your organization the authentication security it needs. HYPR’s passwordless authentication solution integrates with all major SSO providers, creating a seamless desktop-to-cloud authentication flow. To see how HYPR can easily solve your Okta security problems, arrange an individual demo.
*** This is a Security Bloggers Network syndicated blog from HYPR Blog written by Michael Rothschild, VP of Product Marketing, HYPR. Read the original post at: https://blog.hypr.com/how-to-improve-okta-security