- The persistent phishing campaign that tricked some Okta customers into sharing their credentials with a threat actor on spoofed sites earlier this month lends further credence to the need for a passwordless future, according to Okta CEO and Co-Founder Todd McKinnon.
- “We need to move to having no password,” McKinnon said, describing it as Okta’s vision and a paramount need for its customers. Okta’s platform can help organizations meet that goal, but they have to apply the proper configurations, he said Wednesday on Okta’s earnings call for the fiscal second quarter, which ended July 31.
- Okta’s configurations allow customers to secure data and account access via passwords or a passwordless state without a log-in page or password. The more strict approach can also require employees to use a cryptographically verified work device to gain access, McKinnon said.
The security onus remains on Okta customers, according to McKinnon. The level of control and security measures imposed on employees that use Okta to access corporate accounts are determined by each customer’s configuration.
Baseline controls aren’t enough to thwart adversaries. Threat actors initiate phishing attacks against Okta often due to its scale, and customers that opt for less secure configurations are more susceptible to attack.
Organizations can benefit from an “unphishable configuration” of Okta, by doing away with all passwords and log-in pages, McKinnon said.
Threat actors behind the Oktapus campaign, an operation Okta prefers to call Scatter Swine, used text message phishing and fake Okta log-in sites to break into multiple organizations’ accounts. McKinnon said at least 130 Okta customers have been targeted.
Attackers phished for passwords and other less-secure means of Okta authentication such as one-time passwords and text message tokens to break into targeted organizations’ systems.
“The unique thing about this one is not that they targeted Okta customers, but that for a few customers it actually worked and they got in,” McKinnon said. “It usually doesn’t work, but this was a novel approach so it worked on a few customers.”
McKinnon said Okta needs to do a better job explaining how organizations can configure Okta accounts to balance their appetite for risks on a per-resource basis.