How Okta is fending off identity-based attacks

With more than 18,000 customers and an identity platform that performs billions of identity authentications a month for services such as ChatGPT, Okta has been on the frontline of password-spraying attacks that have intensified in recent years.

According to Okta CEO Todd McKinnon, one in two Okta customers has experienced password-spraying attacks, with the company blocking about two billion authentication requests per month from bots and the perpetrators behind the attacks.

“The vast majority of cyber attacks, at some point, go through identity,” McKinnon said. “The initial compromise might be a zero-day software vulnerability or some kind of malware, but eight out of 10 of them go through password spraying or a machine that compromises a privileged account. If we could stop all identity-based attacks, we could hinder most cyber attacks.”

In January 2024, Microsoft’s corporate email systems were attacked by a nation-state threat actor that used password spraying to gain access to some of the company’s source code repositories and internal systems.

Microsoft noted that the threat actor had increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February 2024, compared to the already large volume it saw earlier.

Okta has seen identity-related attacks on its own systems as well. “We’ve had our own breaches at Okta and we're not perfect by any means,” McKinnon said, adding that most recent identity-based attack on Okta occurred last October when a threat actor used a stolen credential to access the company’s support case management system.

Although Okta blocks most identity-related attacks today, that’s not good enough as the stakes of any breach are much higher given that the company has nearly one billion unique monthly users across its customer and workforce identity clouds.

“Whenever one attack gets through, we feel like we’ve failed,” he said, adding that the company has a “secure identity commitment” to help the industry prevent identity-based attacks, starting with bolstering the security of its corporate infrastructure.

For example, instead of allowing employees to use personal devices for work, every work device used by employees is now fully managed by Okta. “We did it before for convenience and user productivity, but we’re not making that trade-off anymore. Now, it’s all about prioritising cyber security,” McKinnon said.

The company has also tweaked its product roadmap to make sure its products are secure by default, going as far as halting product development for 90 days to get its product teams to focus on security and ensuring that default product configurations don’t expose customers to potential attacks.

For example, session tokens that provide proof of authentication for Okta’s administration console are now bound to their issuing network, preventing the tokens from being used elsewhere. “That took some engineering and change management with customers but it's a much more secure by default capability,” McKinnon said.

Okta is also introducing a new product that scans its customers’ internal environments and proactively notifies them about open accounts and identities that might be vulnerable. “It’s a new area for us and different than what we would do before, which was just to make sure that all your accounts at Okta were locked down.

“This was inspired by our own experience where there was an open Salesforce.com account that we didn't see, so we looked at how we could build a product to help mitigate that,” McKinnon said, adding that Okta is also working with other industry players to prioritise standards and capabilities that will protect against identity-based attacks.

Those efforts include championing the use of biometrics and passkeys for authentication across the industry – by providing tools to deploy phishing-resistant biometrics for employee identities without the use of passwords, as well as enabling developers to support passkeys in customer facing applications.

“Everyone’s known for a while that passwords aren’t the most secure, but what’s interesting is that the technologies are now coming together to make it practical to get rid of them,” McKinnon said.