I really don’t understand why a big company would continue to trust Okta with the most critical parts of their security infrastructure (identity) after multiple huge security breaches. And not just breaches, but ones where the company appears to be dishonest (or at least not very forthcoming) in their responses to those breaches, where they attempt to minimize the severity and their own culpability. Why not just use Microsoft or Google for this, which seem to have better recent security track records and certainly more overall security capabilities? How is Okta still a $10b+ market cap company? I don’t get it.
I'm currently implementing some OAuth stuff and reading a lot of RFCs and specifications. Came across this gem which really made me think "I bet I would come to regret writing that one."
How does OpenID Connect improve security
Public-key-encryption-based authentication frameworks like OpenID Connect (and its predecessors) globally increase the security of the whole Internet by putting the responsibility for user identity verification in the hands of the most expert service providers.
...
I have influence on buying a product like Okta and they’re scaring me away because they… appear to have lower security standards than myself? I don’t sign the dotted line but I could probably veto Okta.
I have this idea in my head that a cybersecurity company should have more resources than I have to keep things locked up right as a drum? Apparently not, Okta thinks they can run their company like they’re a school district or startup and thinks they aren’t risking killing the golden goose? One error they made could have been prevented by applying a security standard to Google Chrome… that’s not hard to do or very sophisticated even.
A lot of companies are locked in from before the incompetence started showing. They're really pushing up against that line where it's worth it for people to move away, though.
Okta has tie-ins with a bunch of different systems that won't interop normally, right? I think that's a big part of it. Who wants to do their own SAML integration or whatever.
The switching costs are immense because you often need to weave their identity stack into all the software you write to allow for single sign on. These companies can milk their customers dry because their customers allow these providers to hold a gun to their head. You can sell a company like this to Broadcom and make megabucks as companies take 5 years to switch away.
We need the non-profit IdP equivalent of Let's Encrypt for this function. Otherwise, the cycle continues (accumulate customers, sell out, shareholders squeeze the customer base, customers churn to new orgs, etc.).
The best bet for that right now is something like Keycloak.
There are a multitude of challenges in running any non-profit, but one that provides higher-touch services like an IdP to other businesses has some particular challenges. With something like Let’s Encrypt, there exists a single set of standards being implemented, and if you don’t like those standards and the way they’re implemented you walk away.
With an IdP, there is a huge amount of ongoing support you have to provide to users. “Why is the ‘aud’ attribute not making it through to this one application?” “Why did my directory sync suddenly stop working and the logs are blank?” and so on.
You would end up effectively needing to run a privately funded foundation, and that would require the political desire within businesses to fund and operate it.
Having dipped my toe in some of this stuff I think it absolutely sounds like a ten-billion dollar proposition to offer a turnkey solution to the problem.
That's why there are dozens of startups in the auth space.
Turnkey is harder than you think, though, because authentication, while undifferentiated in general, does get tied up in business logic. A multi-tenant B2C SaaS has different needs than B2B on-prem deployed software, to name just two use cases.
The department that controls changes to this is IT in most companies. Also in most companies, asking IT for anything is the equivalent of writing your requests and pressing delete instead of send. In any big enough company where using Okta makes sense in the first place, the likelihood of decisions being made to minimize bureaucracy or make use of some enterprise discount is way bigger than the decision being made on factors that actually matter like actual security.
It's politics. Good luck trying to convince someone in a large corp they don't need Oracle with other open source databases out there. There are just too many people in line on both sides whose jobs and salaries and bonuses depend on the deals continuing, no matter how terrible, expensive, or useless they are.
So the person who recommended using Okta after a big process is now too embarrassed to admit that they were wrong? Isn't it even worse to stay on a sinking ship?
OTOH, I personally freely and quickly admit when I'm wrong or have screwed up. It's been one of the things that has increased my professional success, because it's an indicator that I'm trustworthy.
One world is based on skill, facts and deliverables. That's the world you're talking about.
Another one is based on bullshit, nepotism and politics. That's the world in which Okta thrives, alongside large consultancies, etc.
Unfortunately your success in the first world doesn't really negate that the second world is also very lucrative, and might be easier to succeed in as long as you don't have much morals.
Large corps have site licenses and support, so an additional Oracle instance has minimal cost. Corps that pay by CPU typically will consider alternatives.
> I really don’t understand why a big company would continue to trust Okta with the most critical parts of their security infrastructure (identity) after multiple huge security breaches
Who will they replace Okta with? Everyone in security space worth mentioning has been breached - including nation-state agencies.
> Why not just use Microsoft or Google for this...
Didn't Microsoft recently have an egregious security lapse on Azure?
Okta gets breached because they forget to harden Chrome at all, so somebody logs on with their personal account and then the password gets exfiltrated and the employee's personal computer gets hacked, so Okta gets hacked.
When I read through the details of Microsoft's hacks, it will be talking about some obscure exploit against the security professional that had a background check done of them, who uses a hardened, locked down secure access workstation to do their tasks.
There is a difference in the degree of egregiousness. I doubt the average business has better security practices than Microsoft, whereas I'd be pretty confident saying many businesses have better security practices than Okta. What shocks me about Okta's breaches is how easy they would be to prevent from happening if Okta cared just a little.
Can you elaborate further on what some of the shortcomings of Google Identity Platform are? Cognito is abandonware, Auth0 and Okta are too expensive, and keycloak requires self-hosting. Google Identity Platform seemed like a decent option.
I was referring from a technical perspective. I agree they have a branding/marketing issue.
I did consult other groups using Google Identity Platform at our company and some things came up:
* SMS / email templates not customizable
* Undocumented user auth rate limiting with hacky workarounds
Otherwise our devs have been quite happy with it. I've primarily settled on it because it already has approval at our org, it's simple, and fairly well documented - especially compared to something like Cognito.
At this point it might be time to stop using the service handling your company's auth, which is supposed to be the most secure link in the chain, yet is being hacked every quarter.
Remember RSA and OPM? The RSA hack had huge implications for the Department of Defense, and was probably a state-sponsored hack (likely China). Around the same time the Office of Personnel Management (OPM) was hacked. So the state-sponsored hackers got to all the private details of anyone with classified access and clearances (which can be used for blackmail or for answering those strange "Who was your 3rd grade teacher?" auth questions to get past an identity test), and simultaneously could hack the rotating MFA codes from RSA.
Auth companies will always be a high value target for state-sponsored espionage.
Fields which may facilitate security questions such as those you quote are explicitly not included in the report run by the 'threat actor'. In fact "for 99.6% of users in the report, the only contact information recorded is full name and email address."[1]
"For 99.6% of users in the report, the only contact information recorded is full name and email address."
I can see the retraction already: "We have run a fully unfiltered scan, as opposed to a regular unfiltered scan, and it turns out we released the full age, name, address, and DNA sequence of every customer support user."
Remember, they have to wait until there is literally no chance of the victims mitigating the issue, because releasing the info in a timely manner may affect the next quarter's numbers and the sole consequence will be a fine, paid with other people's money.
Names and email addresses of people likely to be an Okta admin or superadmin in your org... aka a curated target list for your next spear phishing campaign.
A widespread problem I've been wondering about, not specific to Okta...
When an established company -- with something to lose; not a disposable serial startup -- outsources some IT function to a SaaS/PaaS/vendor that exhibits a pattern of problems, and then the company gets bitten by such a problem, how often does the company actually care?
Does the CTO or CISO take a hit? Do the CEO and board even know that it was a bad selection from the start?
Does the company just want to be able to say it was a "partner" who was at fault (even if the company was negligent in trusting that partner)?
The other comments about blame outsourcing are absolutely on point, but another reason is that we've done a great job of breeding an engineering culture where anything beyond gluing some overpriced AWS services together is considered too complicated and an absolute no-no to do in-house and should instead be outsourced to "experts" like Okta who are supposedly gods and the only ones allowed to do the stuff.
Every time you suggest anything remotely complicated (that your average sysadmin could and did run a decade ago without making a fuss about it) such as running Keycloak or other $ON_PREM_SOFTWARE_PACKAGE is immediately met with lots of hostility. Of course the cloud companies and other SaaS vendors love this.
It's quite puzzling - on one hand it's encouraged to build overcomplicated FAANG-wannabe engineering playgrounds full of microservices, yet a fairly mundane task of "run this self-contained piece of open-source software, monitor logs and apply reasonable security principles" (that every company did till a decade ago) is now considered out of range of mere mortals.
Part of what the enterprise is buying is someone to blame. Same can be said for consultancies, outsourcing etc. It is a very real part of the politics of decision making at large orgs.
Same here. The client/EndUser gives 2 entire shits about the source of the problem. What they care about is "Why isn't this working and what is this gibberish on my screen" and rightly so.
I'd say that more often than not C-Levels only take a hit if the bottom line is impaired, otherwise (like just some temporary heat from bad PR) it's business as usual.
On one hand, the market seems to react to these appropriately. On another hand, the market has a short-term memory and prices go back up.
It's unfortunate Auth0 was acquired by them. Have used it from the beginning and it used to be a great product before the Okta acq. Now it's just constant sales emails, expensive pricing, not many new feature launches, most features are very enterprise focused, a bunch of bugs, frequent outages.
Stock 41% up in the last 12 months is not appropriate.. it basically signals, "buy at a huge discount after each incident, we'll keep it rising regardless".
At this point, one could speculate they are not worth almost at all given they fail to deliver on their primary value proposition. They are not and have not been profitable either, only getting worse: https://finance.yahoo.com/quote/OKTA/financials?p=OKTA
This sort of business doesn’t have to immediately realize a profit; they just have to expand their base of customers and dig their claws deeper into their customers' core infrastructure. Once they do that they can exploit their customers for years before they’ll be able to escape. Since they are frequently going to be competing in “lowest bidder wins” competitions they’d be foolhardy to try and make a profit up front; honestly, counter-intuitively, it would be lighting money on fire. This is also a product with pretty substantial benefits from scale: as Okta gets bigger more things integrate with them, so they’re easy to integrate with, so they get bigger…
I’m just wondering who in the industry is still stupid enough to stick their neck out for Okta? Why are they getting new customers? Why not go with the other devil you know, your cloud provider, to offer mostly the same services? What is Okta offering when they seem relatively incompetent compared to the competition that often offers their products for cheaper up front?
When you're evaluating solutions make sure to look into Authentik too. For my small company needs it was much much easier to understand and set up, and it's only gotten better and more featureful.
Authentik takes a little more to set up than KeyCloak, but the effort is well worth it when you go to configure TOTP. Authentik 2FA UX can be quite easy, similar to commercial products.
There are plenty of valid concerns around self-hosting it, but I fear for the future of our profession if things like DNS, TLS certificates and backing up a database on a schedule are now considered hard.
It's so strange to me that Okta have retained their CSO. None of the recent breaches seem particularly egregious in isolation, but the pattern around bungled communication and failed follow-up investigations is comical.
January, and since it looks very similar to the more recent one (customer support breach), there seems to be a high chance that it's THE SAME, ongoing since at least that time.
What blows my mind is that they've somehow managed to turn relatively minor incidents that aren't even compromises to their core systems into top-of-the-news-cycle meltdowns.
The Lapsus$ compromise in 2022 was a third-party IT subcontractor getting their spy-on-the-employees RDP popped, and then Lapsus$ using incredibly limited access to the Okta admin tool to take some screenshots of support dashboards. Honestly it could have been spun into a "hey, our defense in depth pretty much worked!" story.
Then, the most recent issue was an employee's third-party password manager getting compromised, allowing an attacker to log in to the support ticket tracker, which happened to contain HAR files with creds in them as well as details on support contacts. I bet a lot of enterprises are vulnerable to this, the HAR file thing is actually a great lesson in a highly unexpected threat vector. But somehow Okta have managed to turn it into a months-long top-of-the-news cycle incident, first by denying the compromise happened at all and then by underplaying the access the threat actor had to the support ticket tracker.
It's the same reason most news stories are shit today. They aren't about conveying information or educating anyone about events in the world.
They are clickbait garbage, meant solely to drive traffic in for Ad revenue and in recent history, they are slanted based on a bias that the owner wants, not any sort of factual, unbiased reporting that one may have erroneously expected from the 4th Estate.
That about sums it up. Journalists either washing the dirty laundry of trillion dollar companies or peddling their product launches for the off-chance of a special scoop in the future. The big sites are definitely no more than this, with very few exceptions for opinion pieces, but even those are heavily being guard-railed against all the “politically correct” nonsense.
I did not realize it was a $6 billion/6000 person public company. Their product is single sign-on services & they’ve got this bad of a track record? I guess I shouldn’t be surprised anymore.
If you happen to be operating a Jira based support desk and want to reduce the risk of leaking customer data via HAR files, I took the HAR Scrubber that Cloudflare made and built a Jira plugin out of it:
Unfortunately, this scrubber would be problematic for Okta staff (or staff for any other authentication provider support team) because when someone is having issues with logging in, you need to examine Authorization and other authentication headers and data.
So I think the best course is to:
* caution users to not send production data, but rather to set up a test system and share the HAR file from that
* make sure you do defense in depth and lock down access to support tickets
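The HAR-file problem raised in the two comments above has a middle ground between "strip everything" and "ask users not to send production data": redact secret values but leave behind a short fingerprint, so a support engineer can still see that the Authorization header was present and whether two requests carried the same token without ever seeing the token. The scrubber below is an added example written for this thread; it is not Cloudflare's HAR Sanitizer, the Jira plugin mentioned above, or Okta's code. The HAR document, header and parameter name lists, and the JWT-shaped token in it are constructed for the example.

```python
import copy
import hashlib
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values never belong in a support ticket (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query-string / form-field names that commonly carry credentials or tokens (assumed list).
SENSITIVE_PARAMS = {"code", "password", "client_secret", "access_token", "id_token",
                    "refresh_token", "sessiontoken"}
# Three base64url segments joined by dots, starting with base64('{"'): the shape of a JWT.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")


def redact(value):
    """Replace a secret with a short fingerprint: support can still tell that two
    requests carried the same value without the value itself being disclosed."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]
    return f"[REDACTED:sha256:{digest}]"


def _scrub_pairs(pairs, names=None):
    """Redact every {name, value} item whose name is in `names` (all items if None)."""
    n = 0
    for item in pairs or []:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = redact(str(item.get("value", "")))
            n += 1
    return n


def _scrub_query(query):
    """Redact sensitive keys in an application/x-www-form-urlencoded string."""
    n, out = 0, []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value, n = redact(value), n + 1
        out.append((key, value))
    return urlencode(out, safe="[]:"), n


def _scrub_text(text):
    """Redact JWT-shaped substrings anywhere in a free-text body (JSON, HTML, ...)."""
    return JWT_RE.subn(lambda m: redact(m.group(0)), text)


def _scrub_url(url):
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    query, n = _scrub_query(parts.query)
    return urlunsplit(parts._replace(query=query)), n


def scrub_har(har):
    """Return (scrubbed deep copy, number of redactions). The input is left untouched."""
    har = copy.deepcopy(har)
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        total += _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS)
        total += _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        # HAR lists cookies separately from the Cookie / Set-Cookie headers.
        total += _scrub_pairs(req.get("cookies"))
        total += _scrub_pairs(resp.get("cookies"))
        # Authorization codes and tokens show up in the URL and in the parsed queryString.
        if "url" in req:
            req["url"], n = _scrub_url(req["url"])
            total += n
        total += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        post = req.get("postData", {})
        total += _scrub_pairs(post.get("params"), SENSITIVE_PARAMS)
        if "text" in post:
            if "x-www-form-urlencoded" in post.get("mimeType", ""):
                post["text"], n = _scrub_query(post["text"])
                total += n
            post["text"], n = _scrub_text(post["text"])
            total += n
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _scrub_text(content["text"])
            total += n
    return har, total


def har_to_json(har):
    return json.dumps(har, sort_keys=True)


FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"  # constructed, not a real token

# Constructed HAR capture of a token-endpoint call, the kind of thing that ends up in a ticket.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://idp.example/oauth2/v1/token?client_id=app1&code=authcode123",
        "headers": [{"name": "Host", "value": "idp.example"},
                    {"name": "Authorization", "value": "Bearer " + FAKE_JWT},
                    {"name": "Cookie", "value": "sid=sess-9f8e7d"}],
        "queryString": [{"name": "client_id", "value": "app1"}, {"name": "code", "value": "authcode123"}],
        "cookies": [{"name": "sid", "value": "sess-9f8e7d"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "grant_type=authorization_code&client_secret=s3cr3t",
                     "params": [{"name": "grant_type", "value": "authorization_code"},
                                {"name": "client_secret", "value": "s3cr3t"}]},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=sess-1a2b3c; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "sess-1a2b3c"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"access_token": FAKE_JWT, "token_type": "Bearer"})},
    },
}]}}

if __name__ == "__main__":
    scrubbed, count = scrub_har(SAMPLE_HAR)
    print(f"{count} redactions")
    print(har_to_json(scrubbed))
```

Running it on the constructed capture makes ten redactions: the request's Authorization and Cookie headers, the response's Set-Cookie header, both cookie lists, the `code` parameter in the URL and in `queryString`, `client_secret` in the form body (both the raw text and the parsed `params`), and the JWT inside the JSON response body. Everything else, including header names, the host, the `client_id`, and the status code, survives for troubleshooting. The scrubber should run on the server side at ticket submission, since a client-side step is easy to skip.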
This could be potentially really dangerous. Most Okta customers who would use support would be IT admins. This is a pretty good list to start social engineering to get more information from other customers just by calling or emailing IT members impersonating corporate end users.
What is a good, alternative, external authentication solution outside of Okta and their Auth0 product, then? I was looking to use their product because I have trusted their ability to manage authentication.
Check out ZITADEL— It fuses the best features of Auth0 and Keycloak into a more modern, innovative package. (full disclosure, I'm part of the team)
It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free - https://zitadel.com/signin
It provides:
- authentication and authorization capabilities (including SSO, IdP Federation)
- auditing
- custom extensions
- support for standards such as OIDC/OAuth/SAML/LDAP
- full API support
- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.
It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.
Authentik is the easiest to self host and gives you everything you would expect in a premium offering; it's open source and just needs a single docker compose command to get up and running.
https://goauthentik.io/
(former Userify CEO, so probably a bit biased, but we only focus on SSH/sudo, so not too much overlap)
I agree completely, except with the obvious stipulation that Google seems to be only SaaS and thus extremely high-value target, but Google's security has always been top notch and you can tell they actually care.
Ping Identity seems to be doing pretty well (now owned by Thoma Bravo) and haven't heard of any publicly disclosed leaks.
LastPass has had several well-publicized breaches recently, though.
Google has one of the best security practices and teams out there, so I would agree. They don't need to support legacy systems nor have so many disparate systems like MS has, so they have an advantage over MS despite MS having a good security team as well. The only dings on them are service in this area as well as baked integrations (Okta has tons).
Ask yourself why you need it - if it's to handle auth for an SaaS, your web application framework most likely already has a battle-tested auth implementation you can just use.
In this case, introducing a third-party doesn't help. You can still screw up the integration (or merely configuration - a general-purpose IdP has lots of features that may not apply to your use-case, yet misconfiguring them could leave a large security hole without even realizing it), and you are still on the hook for security regardless (if your app is vulnerable, it doesn't matter how secure the IdP is as they can just bypass it).
I'm looking at this one and it seems to cover things that I need (admittedly, without a free tier, but what'reyougonnado). I knew about Okta through people in the security space and that's why I trusted it. I don't see anything on Ory's page that seems to explain the audit work they do, etc. Is this something you are familiar with? Or?
Yes, we're using it in production. However, we have deployed our own stack of it. You don't have to use their service if you don't want to. It's open source, so in a way there is a free tier to it if you can put some work into deployment.
I mentioned it above, but FusionAuth is supposedly good. They offer a paid cloud and free self-hosted version, so you get the benefits of rolling your own without as many risks. (No affiliation with the company on my part, so I can't speak to any specifics - they're just local and I continually hear good things from friends who know and use them.)
We're a commercial offering with self-hosted and SaaS options. I don't have a ton of insight into your needs, but it is a solid, well documented external authentication system.
We have a free option available here: https://fusionauth.io/download or you can pay us for premium features, hosting or support.
Honestly, I'd rather not self-host anything. Many people, such as Amazon and Auth0 provide services to handle authentication for you, so you're just given a jwt token or session information. I want to pay pennies per user to have it done right(tm)
I didn’t realize it until looking at it just a moment ago, but Auth0 is an Okta subsidiary. They don’t have a stellar record by themselves [0]. I guess that leaves Amazon? That’s not super encouraging.
As an auth backend to an app, perhaps, but the web login forms for Cognito had terrible UX (when we were using it). So terrible that we had daily customer-reported support tickets that we had no ability to fix (short of writing our own full UI).
Also, sharding user records into Cognito pools was a bit frustrating. Hopefully AWS has invested in fixing these issues.
When we propose our niche SAAS to larger customers, we're sometimes measured from a security perspective on whether we will integrate with their Okta SSO.
The product/company feels like the natural progression of the whole Oracle/Java/JS/SAML schtick, and has become the de facto when dealing with the kinds of people who base their whole company's IT personality on that stack. They're trying very, very hard to make it seem like it's another "no one got fired for buying IBM" kind of decision. Except... oops!
One of the most literal cases of "the breach is always twice as bad as the initial disclosure claims" I've seen. Also TIL the Dept of Defense uses Okta; that's reassuring for someone, I'm sure.
I know govt. contractors use Okta for authentication. Since names and emails were taken, I expect more targeted phishing attacks as a result of this. Fortunate it wasn’t sensitive data (hopefully.)
Having been involved in both sides of other certifications before (not FedRAMP specifically though) my level of trust in them is through the floor. So much meaningless box ticking & not much actual substance.
Something interesting to note is that Okta held an ISO 27001 Certification issued third-party from Schellman. Chris Paris adds the note that Equifax also got nailed under the same arrangement, but with extra spice of CoI rules violations.
I know Chris is a very controversial personality in the ISO ecosystem, but he's also got a disturbing habit of being right an awful lot of the time. I'd feel a lot more comfortable if someone could show me how he's just another crank.
Locking sessions to a single ASN is probably a good idea. I always worry about the "insider threats" where your coworker sitting next to you grabs your cookie out of the Chrome inspector while you're in the bathroom, and this doesn't really help with that situation. But, it does help a lot with the attack that compromised Okta here, so I think it's a good idea in general.
(Obviously you should always lock your screen when you step away from your workstation... but people seem pretty bad about that. At my last in-person job, I don't think anyone ever locked their screen when stepping away. So that's what makes this something I would worry about.)
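The session-to-ASN binding discussed in the comment above, written out as an added example for this thread (not Okta's or any vendor's implementation). The session store records the autonomous system the client came from at login and revokes the session, not just the single request, when the same token is later presented from a different ASN. The prefix-to-ASN table is constructed for the example; a real deployment would consult an IP-to-ASN database (for instance MaxMind's GeoLite2-ASN) instead. The test at the end also shows the limitation the comment points out: a token lifted by someone on the same office network is still accepted.

```python
import ipaddress
import secrets
import time

# Constructed prefix -> ASN table standing in for a real IP-to-ASN database.
# Prefixes are documentation ranges and the ASNs are from the private range; all made up.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64500,   # corporate office egress
    "203.0.113.0/24": 64501,    # a residential ISP
    "2001:db8:1::/48": 64502,   # an IPv6 range
}
_PREFIXES = sorted(((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
                   key=lambda item: item[0].prefixlen, reverse=True)


def ip_to_asn(ip):
    """Longest-prefix match against the table; None when the address is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _PREFIXES:
        if addr.version == net.version and addr in net:
            return asn
    return None


class SessionStore:
    """In-memory session store whose sessions are bound to the issuing client's ASN."""

    def __init__(self, ttl_seconds=8 * 3600):
        self.ttl = ttl_seconds
        self._sessions = {}   # token -> {"user", "asn", "expires"}
        self.audit = []       # constructed audit trail of rejections, for detection hooks

    def create(self, user, client_ip, now=None):
        """Issue a session token and remember which ASN it was issued to.
        An unknown ASN (None) is treated as its own bucket; a stricter policy
        could refuse to issue sessions from unclassified networks."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "asn": ip_to_asn(client_ip),
                                 "expires": now + self.ttl}
        return token

    def validate(self, token, client_ip, now=None):
        """Return the session's user, or None. A token presented from another ASN is
        revoked outright, so a stolen cookie cannot be retried from a better vantage."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now >= sess["expires"]:
            self._sessions.pop(token, None)
            self.audit.append(("expired", sess["user"]))
            return None
        asn = ip_to_asn(client_ip)
        if asn != sess["asn"]:
            self._sessions.pop(token, None)
            self.audit.append(("asn_mismatch", sess["user"], sess["asn"], asn))
            return None
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "198.51.100.7")
    print(store.validate(token, "198.51.100.9"))   # same office ASN: accepted
    print(store.validate(token, "203.0.113.5"))    # replayed from another network: revoked
    print(store.audit)
```

The `audit` list is where a detection pipeline would hook in: an `asn_mismatch` event for an admin account is a strong signal that a session token has left the machine it was issued to, which is exactly the pattern the comment describes.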
Will security companies release enterprise one-use email address products like Apple’s “Hide My Email?”
Hide My Email generates unique, random email addresses that automatically forward to your personal inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.
Keycloak is fairly easy to maintain. I run a deploy in AWS/ECS, and it nearly never needs to be touched... except when an upgrade is required. Every upgrade has been challenging, starting with the change to Quarkus, followed by removing dependencies from the docker images.
But when it's not being upgraded, it's fantastic. Many thanks to Red Hat.
Because people who don't bother to read the article assume it's a new breach, as we can see in the comments here ("another breach"). I'm not saying that it makes it better or worse.
They can't get away with "oh shiz we screwed up"; this is the essential part of their business. If you're unable to perform the fundamental service you are offering, it's indefensible. Okta having a security breach is like a pizza shop owner who's unable to make a pizza.
Not sure if it's reasonable to expect perfect security, people are fallible so that position won't make you very happy. We'll all get hacked, question is if we make it easy for them to gather private information which in this case didn't seem to have happened. The fact that it wasn't, probably is due to it being "the essential part of their business".
I am reading the comments and it's all how dumb IT is to use that instead of self hosting, how bad the saas companies are, etc.
I wonder how many of the commenters run a 30k+ users company IT Dept or are the CISO of such a company.
Well, not everything is a 2-year-old startup with a TypeScript stack on Postgres. Sometimes you have plenty of legacy systems, on-prem services and a budget/headcount that allows you to go only that far by yourself.
Or an Exchange system basically abandoned by MS, so you either go for some roundcube install or M365.
Not all of your IT teams are either incompetent idiots, or psychopaths looking at making your life difficult. Sometimes they need to optimize and you see this optimization as idiotic while it may make sense in average.
Sure, I would prefer to have genius SaaS companies that provide a service that is fantastic, or just host Internet myself but sometimes it is not possible and you choose the least bad of the bad.
Also, self-hosting does not inherently make something more secure, especially if it's sitting on the public internet. It requires consistent monitoring and correctly setting up alarms for strange behavior. If monitoring is done wrong, it could be a while to find out someone gained access, if the malicious access is even noticed.
While Okta seems to have a number of issues, they don't represent all companies handling access management.
Self hosting likely makes it much much worse. I'm willing to bet a lot on the fact that most authors of these comments do not have any kind of experience with serious security or compliance programs.
It's probably just confirmation bias because authentication system breaches get more coverage, and I pay more attention to them, but it seems like all the big players get pwned far too often. You had one job, buddy. Okta, 1Password, LastPass all had breaches or other failures. With so many self-hostable solutions available, I dunno why small/medium-sized companies trust external third parties.
Jeez the hits keep coming. Every time they have to update about this Oct breach it puts FUD in my mind about this company, that I have never done business with anyway.
It's basically THE WAY to get authorizations for medical practices to get prescriptions approved for patients in the US. Ridiculous. (Along with a bunch of other medical logins.)
How did Okta even get that big? It seems like SSO could be cheap OAuth in house. I've heard they have many other integrations/webhooks, but that doesn't seem worth the cost of outsourcing one of the most vital parts of your org.
Am I missing something, some magic other than sales and gullible pm's?
We've spent years telling folks that $X is too hard; so just out-source to $LIB or $PACKAGE or $VENDOR. Now we've got a whole huge group of builders, managers of makers that make these plans/calls.
We should stop saying $X is too hard and start, at least, trying to help more folk realize it can be done in house.
It all started when it became "too much trouble to host your own email" and then all the centralization and vendorification happened...and stay off my lawn!
On average decentralization would make it less safe not more though. Most medium/small and even some large businesses would definitely mess something up if they had to do it themselves
It's outsourcing risk. Auth is hard, we all know it (yes, it is hard), and it's cheaper to outsource to a company who has it as their core competency, than hire internal experts.
“Cheaper” is an interesting term to use when we’re talking about auth. I guess it depends on how much a company values the ability of outside entities to not have access to internal resources. Some companies would peg that value at the entire value of the company.
A lot of companies rely on third party vendors for physical access management because who wants to in-source maintenance of locks/doors/badge readers/etc.
I’m not sure why it comes across as unusual for wanting to outsource a service that is incredibly easy to get wrong to someone whose core focus is getting that right.
Unfortunately Okta seems too eager to downplay these incidents, but that doesn’t mean all authentication services are equally flawed.
One place to go to deactivate many logins for an ever expanding world of SaaS systems is basically necessary in 2023 for enterprise. Okta has been building that.