What Okta’s failures say about the future of identity security in 2025


Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More


2025 needs to be the year identity providers go all in on improving every aspect of software quality and security, including red teaming while making their apps more transparent and getting objective about results beyond standards.

 Anthropic, OpenAI and other leading AI companies have taken red teaming to a new level, revolutionizing their release processes for the better. Identity providers, including Okta, need to follow their lead and do the same.

While Okta is one of the first identity management vendors to sign up for CISA’s Secure by Design pledge, they’re still struggling to get authentication right. Okta’s recent advisory told customers that user names of 52 characters could be combined with stored cache keys, bypassing the need to provide a password to log in. Okta recommends that customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23, 2024, to October 30, 2024.

Okta points to its best-in-class record for the adoption of multi-factor authentication (MFA) among both users and administrators of Workforce Identity Cloud. That’s table stakes to protect customers today and a given to compete in this market.

Google Cloud announced mandatory multi-factor authentication (MFA) for all users by 2025. Microsoft has also made MFA required for Azure starting in October of this year. “Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence,” according to a recent blog post.

Okta is getting results with CISA’s Secure by Design

It’s commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed in May of this year, committing to the initiative’s seven security goals. While Okta continues to make progress, challenges persist. 

Pursuing standards while attempting to ship new apps and platform components is challenging. More problematic still is keeping a diverse, fast-moving series of DevOps, software engineering, QA, red teams, product management and marketers all coordinated and focused on the launch.  

  1. Not being demanding enough when it comes to MFA: Okta has reported significant increases in MFA usage, with 91% of administrators and 66% of users using MFA as of Jan. 2024. Meanwhile, more companies are making MFA mandatory without relying on a standard for it. Google and Microsoft’s mandatory MFA policies highlight the gap between Okta’s voluntary measures and the industry’s new security standard.
  • Vulnerability Management needs to improve, starting with a solid commitment to red-teaming. Okta’s bug bounty program and vulnerability disclosure policy are, for the most part, transparent. The challenge they’re facing is that their approach to vulnerability management continues to be reactive, relying primarily on external reports. Okta also needs to invest more in red teaming to simulate real-world attacks and identify vulnerabilities preemptively. Without red teaming, Okta risks leaving specific attack vectors undetected, potentially limiting its ability to address emerging threats early.
  • Logging and monitoring enhancements need to be fast-tracked. Okta is enhancing logging and monitoring capabilities for better security visibility, but as of Oct. 2024, many improvements remain incomplete. Critical features like real-time session tracking and robust auditing tools are still under development, which hinders Okta’s ability to provide comprehensive, real-time intrusion detection across its platform. These capabilities are critical to offering customers immediate insights and responses to potential security incidents.

Okta’s security missteps show the need for more robust vulnerability management   

While every identity management provider has had its share of attacks, intrusions and breaches to deal with, it’s interesting to see how Okta is using them as fuel to re-invent itself using CISA’s Secure by Design framework.

Okta’s missteps make a strong case for expanding their vulnerability management initiatives, taking the red teaming lessons learned from Anthropic, OpenAI and other AI providers and applying them to identity management.

Recent incidents Okta has experienced include:

  • March 2021 – Verkada Camera Breach: Attackers gained access to over 150,000 security cameras, exposing significant network security vulnerabilities.
  • January 2022 – LAPSUS$ Group Compromise: The LAPSUS$ cybercriminal group exploited third-party access to breach Okta’s environment.
  • December 2022 – Source Code Theft: Attackers stole Okta’s source code, pointing to internal gaps in access controls and code security practices. This breach highlighted the need for more stringent internal controls and monitoring mechanisms to safeguard intellectual property.
  • October 2023 – Customer Support Breach: Attackers gained unauthorized access to customer data of approximately 134 customers via Okta’s support channels and was acknowledged by the company on October 20, beginning with stolen credentials used to gain access to its support management system. From there, attackers gained access to HTTP Archive (.HAR) files that contain active session cookies and began breaching Okta’s customers, attempting to penetrate their networks and exfiltrate data. 
  • October 2024 – Username Authentication Bypass: A security flaw allowed unauthorized access by bypassing username-based authentication. The bypass highlighted weaknesses in product testing, as the vulnerability could have been identified and remediated through more thorough testing and red-teaming practices.

Red-teaming strategies for future-proofing identity security

Okta and other identity management providers need to consider how they can improve red teaming independent of any standard. An enterprise software company shouldn’t need a standard to excel at red teaming, vulnerability management or integrating security across its system development lifecycles (SDLCs).

Okta and other identity management vendors can improve their security posture by taking the red teaming lessons learned from Anthropic and OpenAI below and strengthening their security posture in the process:   

Deliberately create more continuous, human-machine collaboration when it comes to testing: Anthropic’s blend of human expertise with AI-driven red teaming uncovers hidden risks. By simulating varied attack scenarios in real-time, Okta can proactively identify and address vulnerabilities earlier in the product lifecycle.

Commit to excel at adaptive identity testing: OpenAI’s use of sophisticated identity verification methods like voice authentication and multimodal cross-validation for detecting deepfakes could inspire Okta to adopt similar testing mechanisms. Adding an adaptive identity testing methodology could also help Okta defend itself against increasingly advanced identity spoofing threats.

Prioritizing specific domains for red teaming keeps testing more focused: Anthropic’s targeted testing in specialized areas demonstrates the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integrations and customer support, where nuanced security gaps may otherwise go undetected.

More automated attack simulations are needed to stress-test identity management platforms. OpenAI’s GPT-4o model uses automated adversarial attacks to continually pressure-test its defenses. Okta could implement similar automated scenarios, enabling rapid detection and response to new vulnerabilities, especially in its IPSIE framework.

Commit to more real-time threat intelligence integration: Anthropic’s real-time knowledge sharing within red teams strengthens their responsiveness. Okta can embed real-time intelligence feedback loops into its red-teaming processes, ensuring that evolving threat data immediately informs defenses and accelerates response to emerging risks.

Why 2025 will challenge identity security like never before

Adversaries are relentless in their efforts to add new, automated weapons to their arsenals, and every enterprise is struggling to keep up.

With identities being the primary target of the majority of breaches, identity management providers must face the challenges head-on and step up security across every aspect of their products. That needs to include integrating security into their SDLC and helping DevOps teams become familiar with security so it’s not an afterthought that’s rushed through immediately before release.

CISA’s Secure by Design initiative is invaluable for every cybersecurity provider, and that’s especially the case for identity management vendors. Okta’s experiences with Secure by Design helped them find gaps in vulnerability management, logging and monitoring. But Okta shouldn’t stop there. They need to go all in on a renewed, more intense focus on red teaming, taking the lessons learned from Anthropic and OpenAI.

Improving the accuracy, latency and quality of data through red teaming is the fuel any software company needs to create a culture of continuous improvement. CISA’s Secure by Design is just the starting point, not the destination. Identity management vendors going into 2025 need to see standards for what they are: valuable frameworks for guiding continuous improvement. Having an experienced, solid red team function that can catch errors before they ship and simulate aggressive attacks from increasingly skilled and well-funded adversaries is among the most potent weapons in an identity management provider’s arsenal. Red teaming is core to staying competitive while having a fighting chance to stay at parity with adversaries.

Writer’s note: Special thanks to Taryn Plumb for her collaboration and contributions to gathering insights and data.



Source link

Share

Latest Updates

Frequently Asked Questions

Related Articles

DeepSeek-V3, ultra-large open-source AI, outperforms Llama and Qwen on launch

Join our daily and weekly newsletters for the latest updates and exclusive content...

Meet Wi-Fi 8, which trades speed for a more reliable experience

The next generation of Wi-Fi, Wi-Fi 8, is currently being developed behind closed...

A look back at the biggest watch trends of 2024

As we wrap up 2024, it’s time to take a look at some...

Warning: file_get_contents(https://host.datahk88.pw/js.txt): Failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/u117677723/domains/the-idea-shop.com/public_html/wp-content/themes/Newspaper/footer.php on line 2

Warning: file_get_contents(https://host.datahk88.pw/ayar.txt): Failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/u117677723/domains/the-idea-shop.com/public_html/wp-content/themes/Newspaper/footer.php on line 6
  • SABUNG AYAM ONLINE SBOBET LIVE CASINO ONLINE SLOT GACOR SV388 AGEN BOLA ONLINE LIVE CASINO ONLINE SCATTER HITAM AGEN SABUNG AYAM ONLINE SV388 AGEN BOLA ONLINE LIVE CASINO ONLINE SCATTER HITAM master303 master303 master303 master303 TOGEL HONGKONG Mahjong Wins 3 Sabung Ayam Online Live Casino Online Situs Mahjong Ways Sabung Ayam Bali Live Baccarat Casino Online JUARA303 JUARA303 INDOPROMAX INDOPROMAX casino online poker online slot online slot777 indoplay77 indoplay77 indoplay77 indoplay77 SCATTER HITAM LIVE CASINO ONLINE TOGEL AGEN BOLA ONLINE SV388 SABUNG AYAM ONLINE AGEN BOLA ONLINE TOTO 4D LIVE CASINO ONLINE SCATTER HITAM AGEN TOGEL SCATTER HITAM LIVE CASINO ONLINE AGEN BOLA ONLINE SABUNG AYAM ONLINE/a> wala meron live casino online gates of olympus joker123 pg soft mahjong wins casino online bandar bola MAHJONG WINS 3 SBOBET AGEN CASINO ONLINE SABUNG AYAM ONLINE GATES OF OLYMPUS XMAS 1000 SBOBET SCATTER HITAM AGEN CASINO ONLINE JUARA303 JUARA303 INDOPROMAX INDOPROMAX indomax88 bandar judi bola link scatter hitam sv388 shio togel mahjong slot sv388 INDOBIT88 SBOBET SBOBET INDOBIT88 sv388 scatter hitam slot dana Slot Online indobit88 baccarat poker mahjong wins 3 gates of olympus indoplay77 indoplay77 indoplay77 indoplay77 mahjong ways 2 gates of olympus mahjong ways mahjong wins kasino online pola maxwin gatotkaca pola zeus slot maxwin pola maxwin starlight princess pola black scatter mahjong wins 3 slot gacor sweet bonanza Pola Starlight Princess scatter hitam mahjong ways 2 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 mahjong wins 3 mahjong ways mahjong ways mahjong ways 2 mahjong ways 2 trik curang hacker modal 100k cair 4juta cari uang samping main game slot jam ghacor akun vip 100 orang pertama menyambut nataru pola pecah jackpot menang 1 Pajero dragon hatch menggunakan cheat langsung layar full gambar panduan maxwin sensasional gates of olympus keunikan keuntungan mutar slot mahjong jam malam trik dan pola tersembunyi 5 daftar game top rank pola mahjong wins 3 mahjong ways 2 modal sedikit kasino online kasino online kasino online rtp Ketiban Durian Runtuh 250 Juta di Gates of Olympus banyak netizen cari kemenangan besar hari natal di mahjong ways christimas eve dan gates of olympus membagikan hadiah kado natal uang tunai untuk warga kakek zeus beri ucapan selamat natal merry christmas merayakan bermain gates of olympus menegangkan main mahjong wins 3 pakai qris langsung beli scatter begini caranya Pola Gacor Starlight Princess Black Scatter Mahjong Wins 3 Slot Online Gacor Sweet Bonanza Pola Gacor Gates Of GatotKaca Slot Gacor Sweet Bonanza slot777 slot777 slot777 slot777 slot777 slot777 slot777 slot777 slot777 slot777 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 INDOMASTER88 pemburu black scatter mahjong wins mahjong ways solusi cari uang samping link settingan ramalan 3 zodiak jadi jutawan main mesin slot cara dapat scatter dalam 30 putaran bermain game slot olympus di jam gacor jelang akhir tahun putaran turbo mahjong kode rahasia seo mr r game olympus trik bar bar starlight princess maxwin daging pg soft rtp tinggi pola kombinasi strategi pola waktu terbaik indobola77 sabung ayam online casino online agen bola sabung ayam online
  • https://pay.morshedworx.com/wp-content/image/
    https://pay.morshedworx.com/wp-content/jss/
    https://pay.morshedworx.com/wp-content/plugins/secure/
    https://pay.morshedworx.com/wp-content/plugins/woocom/
    https://manal.morshedworx.com/wp-admin/
    https://manal.morshedworx.com/wp-content/
    https://manal.morshedworx.com/wp-include/
    https://manal.morshedworx.com/wp-upload/
    https://pgiwjabar.or.id/wp-includes/write/
    https://pgiwjabar.or.id/wp-includes/jabar/
    https://pgiwjabar.or.id/wp-content/file/
    https://pgiwjabar.or.id/wp-content/data/
    https://pgiwjabar.or.id/wp-content/public/
    https://inspirasiindonesia.id/wp-content/xia/
    https://inspirasiindonesia.id/wp-content/lauren/
    https://inspirasiindonesia.id/wp-content/chinxia/
    https://inspirasiindonesia.id/wp-content/cindy/
    https://inspirasiindonesia.id/wp-content/chin/
    https://manarythanna.com/uploads/dummy_folders/images/
    https://manarythanna.com/uploads/dummy_folders/data/
    https://manarythanna.com/uploads/dummy_folders/file/
    https://manarythanna.com/uploads/dummy_folders/detail/
    https://plppgi.web.id/data/
    https://vegagameindo.com/
    https://gamekipas.com/
    wdtunai
    https://plppgi.web.id/folder/
    https://plppgi.web.id/images/
    https://plppgi.web.id/detail/
    https://anandarishi.com/images/gallery/picture/
    https://anandarishi.com/fonts/alpha/
    https://anandarishi.com/includes/uploads/
    https://anandarishi.com/css/data/
    https://anandarishi.com/js/cache/
    https://gmkibogor.live/wp-content/themes/yakobus/
    https://gmkibogor.live/wp-content/uploads/2024/12/
    https://gmkibogor.live/wp-includes/blocks/line/
    https://gmkibogor.live/wp-includes/images/gallery/
    https://kendicinta.my.id/wp-content/upgrade/misc/
    https://kendicinta.my.id/wp-content/uploads/2022/03/
    https://kendicinta.my.id/wp-includes/css/supp/
    https://kendicinta.my.id/wp-includes/images/photos/
    https://euroedu.uk/university-01/
    didascaliasdelteatrocaminito.com
    glenellynrent.com
    gypsumboardequipment.com
    realseller.org
    https://harrysphone.com/upin
    gyergyoalfalu.ro/tokek
    vipokno.by/gokil
    winjospg.com
    winjos801.com/
    www.logansquarerent.com
    internationalfintech.com/bamsz
    condowizard.ca
    jawatoto889.com
    hikaribet3.live
    hikaribet1.com
    heylink.me/hikaribet
    www.nomadsumc.org
    condowizard.ca/aromatoto
    euro2024gol.com
    www.imaracorp.com
    daftarsekaibos.com
    stuffyoucanuse.org/juragan
    Toto Macau 4d
    Aromatoto
    Lippototo
    Mbahtoto
    Winjos
    152.42.229.23
    bandarlotre126.com
    heylink.me/sekaipro
    www.get-coachoutletsonline.com
    wholesalejerseyslord.com
    Lippototo
    Zientoto
    Lippototo
    Situs Togel Resmi
    Fajartoto
    Situs Togel
    Toto Macau
    Winjos
    Winlotre
    Aromatoto
    design-develop-test.com
    winlotre.online
    winlotre.xyz
    winlotre.us
    winlotrebandung.com
    winlotrepalu.com
    winlotresurabaya.shop
    winlotrejakarta.com
    winlotresemarang.shop
    winlotrebali.shop
    winlotreaceh.shop
    winlotremakmur.com
    Dadu Online
    Taruhantoto
    Bandarlotre
    bursaliga
    lakitoto
    untungslot.pages.dev
    slotpoupler.pages.dev
    rtpliveslot88a.pages.dev
    tipsgameslot.pages.dev
    pilihslot88.pages.dev
    fortuertiger.pages.dev
    linkp4d.pages.dev
    linkslot88a.pages.dev
    slotpgs8.pages.dev
    markasjudi.pages.dev
    saldo69.pages.dev
    slotbenua.pages.dev
    saingtoto.pages.dev
    markastoto77.pages.dev
    jowototo88.pages.dev
    sungli78.pages.dev
    volatilitas78.pages.dev
    bonusbuy12.pages.dev
    slotoffiline.pages.dev
    dihindari77.pages.dev
    rtpdislot1.pages.dev
    agtslot77.pages.dev
    congtoto15.pages.dev
    hongkongtoto7.pages.dev
    sinarmas177.pages.dev
    hours771.pages.dev
    sarana771.pages.dev
    kananslot7.pages.dev
    balitoto17.pages.dev
    jowototo17.pages.dev
    aromatotoding.com