Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More
2025 needs to be the year identity providers go all in on improving every aspect of software quality and security, including red teaming while making their apps more transparent and getting objective about results beyond standards.
Anthropic, OpenAI and other leading AI companies have taken red teaming to a new level, revolutionizing their release processes for the better. Identity providers, including Okta, need to follow their lead and do the same.
While Okta is one of the first identity management vendors to sign up for CISA’s Secure by Design pledge, they’re still struggling to get authentication right. Okta’s recent advisory told customers that user names of 52 characters could be combined with stored cache keys, bypassing the need to provide a password to log in. Okta recommends that customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23, 2024, to October 30, 2024.
Okta points to its best-in-class record for the adoption of multi-factor authentication (MFA) among both users and administrators of Workforce Identity Cloud. That’s table stakes to protect customers today and a given to compete in this market.
Google Cloud announced mandatory multi-factor authentication (MFA) for all users by 2025. Microsoft has also made MFA required for Azure starting in October of this year. “Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence,” according to a recent blog post.
Okta is getting results with CISA’s Secure by Design
It’s commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed in May of this year, committing to the initiative’s seven security goals. While Okta continues to make progress, challenges persist.
Pursuing standards while attempting to ship new apps and platform components is challenging. More problematic still is keeping a diverse, fast-moving series of DevOps, software engineering, QA, red teams, product management and marketers all coordinated and focused on the launch.
Not being demanding enough when it comes to MFA: Okta has reported significant increases in MFA usage, with 91% of administrators and 66% of users using MFA as of Jan. 2024. Meanwhile, more companies are making MFA mandatory without relying on a standard for it. Google and Microsoft’s mandatory MFA policies highlight the gap between Okta’s voluntary measures and the industry’s new security standard.
Vulnerability Management needs to improve, starting with a solid commitment to red-teaming. Okta’s bug bounty program and vulnerability disclosure policy are, for the most part, transparent. The challenge they’re facing is that their approach to vulnerability management continues to be reactive, relying primarily on external reports. Okta also needs to invest more in red teaming to simulate real-world attacks and identify vulnerabilities preemptively. Without red teaming, Okta risks leaving specific attack vectors undetected, potentially limiting its ability to address emerging threats early.
Logging and monitoring enha …