Summary Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and...

Summary: Every customer using the Workforce Identity Cloud and Customer Identity Solution can now block access requests originating from anonymizing services prior to authentication. Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools. From March 18, 2024 through to...

In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play. At the recent Gartner Identity & Access Management Summit in London , Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated...

Summary Okta has confirmed and remediated a reported Okta Verify vulnerability. No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency. Response On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in...

Summary: The time and effort spent on defensive domain registration would be better invested in writing phishing-resistant authentication policies. Today I want to make the case that registering domains for the sole purpose of protecting against phishing is tackling the phishing problem from the wrong angle. It is, to use a very British idiom, a “mug’s game”: an effort that’s unlikely to yield much success. Most organizations register additional domains based on various permutations of their...