An Unexpected Endorsement for WebAuthn

Defensive Cyber Operations and Brett Winterford

Okta Security endorses phishing resistant authentication at every opportunity.

We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will:

But don’t take our word for it.

The SMS below was recently sent by a prolific threat actor attempting to convince users at a large tech company to click through to a phishing kit:

That’s probably the best endorsement for enforcing phishing-resistant sign-in yet!

Enforcement is everything

Celebrity endorsements aside, this is a story about enforcement.

Step one to thwarting phishing attacks is to require users to enroll in strong authenticators. Users required to enroll in Okta FastPass or FIDO2 WebAuthn can authenticate to just about any app that requires two distinct factors, because each of these authenticators can, on its own, satisfy both the possession and the inherence factor in a single gesture that takes 2-3 seconds.

But that’s not where the task ends.

As this crafty lure demonstrates, step two is to enforce phishing resistance in policy, as seen in the screenshot below. If the policy still accepts a lower-assurance authenticator (a password, an OTP, a push notification), a social engineer only has to talk the user into using one of those instead, and the attacker's proxy can relay it; the strong authenticator the user has enrolled then does nothing to protect them.

This lure also demonstrates why a little redundancy can go a long way.

We recommend requiring users to enroll in both Okta FastPass and FIDO2 WebAuthn (rather than FastPass “or” FIDO2), as well as enforcing phishing resistance.

That might sound like overkill: either authenticator on its own protects the user from compromise, and both can be configured to satisfy two factors in one gesture. So why enroll both?

If a threat actor did manage to convince a user to unplug their security key, the tricked user would still be able to sign in to your organization using FastPass - just not via the attacker's proxy, because FastPass, like WebAuthn, is bound to the legitimate origin. As an added bonus, it may ease the load on support teams when users misplace their security keys.
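Why a sign-in relayed through a phishing proxy fails, for both the policy point above and the "just not via the attacker's proxy" point, as an added example that is not from this post and not Okta's own code: a relying party's WebAuthn assertion check written in Go (standard library only), alongside a simulated browser and authenticator. The relying-party ID login.example.com, the attacker host and the challenge value are made up for the illustration; a production verifier also handles attestation, extensions and signCount, which are left out here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData fields that matter for this check.
// The browser, not the web page, fills in Origin with the origin of the page
// that called navigator.credentials.get(); a phishing page cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the RP-issued challenge
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature         []byte
}

// verifyAssertion performs the origin, challenge and rpIdHash checks of the
// WebAuthn authentication ceremony and verifies the signature over
// authenticatorData || SHA-256(clientDataJSON) with the enrolled public key.
func verifyAssertion(a assertion, expectedOrigin, rpID, expectedChallenge string, pub *ecdsa.PublicKey) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not the relying party origin %q", cd.Origin, expectedOrigin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	wantRPHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], wantRPHash[:]) {
		return errors.New("rpIdHash mismatch: credential used for a different relying party")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	signed := append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...)
	digest := sha256.Sum256(signed)
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// simulateBrowser plays the browser and authenticator: the browser records the
// origin of the page the user is actually on and hashes the rpId it derived
// from that page's domain, then the authenticator signs over both.
func simulateBrowser(priv *ecdsa.PrivateKey, pageOrigin, rpIDSeen, challenge string) assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpIDSeen))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // UP flag set, signCount = 1
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{ClientDataJSON: cdj, AuthenticatorData: authData, Signature: sig}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the enrolled credential key pair
	const rpID, origin, challenge = "login.example.com", "https://login.example.com", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"

	// Direct sign-in: the page the user is on is the relying party.
	direct := simulateBrowser(priv, origin, rpID, challenge)
	fmt.Println("direct sign-in:", verifyAssertion(direct, origin, rpID, challenge, &priv.PublicKey))

	// AiTM proxy: the user is on the attacker's page, which relays the real challenge.
	// In practice the ceremony never even completes, because the credential is scoped to
	// login.example.com and the authenticator finds nothing to sign for the attacker's
	// domain; if it somehow did, this is what the relying party would receive and reject.
	proxied := simulateBrowser(priv, "https://login-example.attacker.test", "login-example.attacker.test", challenge)
	fmt.Println("proxied sign-in:", verifyAssertion(proxied, origin, rpID, challenge, &priv.PublicKey))
}
```

The contrast with a password or OTP is the whole point: those are just strings the proxy can forward unchanged, whereas here the origin and rpIdHash are set by the browser and covered by the signature, so nothing the phishing page does can produce an assertion that login.example.com will accept.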

Defensive Cyber Operations

The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.

Brett Winterford
Regional CSO, Okta APJ

Brett Winterford is the regional Chief Security Officer for Okta in Asia Pacific and Japan.
He advises business and technology leaders on evolving threats and helps them harness advances in identity technology to drive business outcomes and mitigate risk.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.
Brett is also an award-winning journalist, having long ago been the editor-in-chief of iTnews Australia and a contributor to ZDNet, the Australian Financial Review and the Sydney Morning Herald. Most recently, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the Risky Business podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.