Now that Okta Oktane 2019 is over, I finally have a chance to write up more of my notes and impressions. For the rest of our Oktane coverage, see our day-one news post and Kyle’s post of things he learned.
Security developments and roadmap
The session that I was most interested in was the security roadmap—and evidently a lot of other people were, too, as it was in a huge room filled to capacity with probably 500 people.
The most important thing to know is that authentication is getting stronger, easier, and more flexible.
On the stronger front, with FIDO2 and the recent ratification of the WebAuthn standard, hardware-based authentication (i.e., using biometrics on a device, or using a USB key) is really ready for mainstream deployment. Okta is rolling out its WebAuthn support soon. Okta, like others, is also bringing machine learning and risk-based context into its authentication policy engine, along with more automation.
Where does the easier part come in? Compared to the olden days of RSA tokens, today MFA is more of a turnkey solution (no pun intended), and many vendors (including Okta) are bundling it in their base products. Just like other types of SaaS, ID and MFA as a service removes a lot of the complexity that defined identity projects a decade ago.
When it comes to flexibility, Okta is introducing the ability to sequence factors however you want. For example, if you’re in a situation where you only need one factor (probably because some degree of trust has already been established), the one factor doesn’t have to be a password—it can be any factor you choose. Of course, all of these decisions are made taking risk factors (device health, app sensitivity, location, and so on) into account.
To follow up all this work on authentication, Okta plans to invest in other parts of the user lifecycle, like enrollment and account recovery. The more context you can add to these policies, the more secure and flexible you can make them. Think about how this would be useful in situations like “a new user is enrolling on the corporate network at the office on their first day of work” or “a bad actor is trying to reset a user’s password from a different continent and a new device.”
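To make the factor-sequencing and context ideas from the last two paragraphs concrete, here is a small added example of a risk-based policy evaluator. It is illustration written for this post, not Okta's policy engine: the signal names, the additive weights, the factor ordering, and the `DENY_AT` threshold are all assumptions. It covers the two scenarios above (a first-day enrollment on the corporate network, and a recovery attempt from a new device on another continent) and also shows a low-risk login being satisfied by a single non-password factor.

```python
from dataclasses import dataclass

# Signals that feed the toy risk score (assumed names; Okta's real signals differ).
@dataclass(frozen=True)
class Context:
    action: str            # "login", "enroll" or "recover"
    device_known: bool     # device previously seen for this user
    device_healthy: bool   # e.g. disk encrypted, OS patched (assumed check)
    network: str           # "corp", "home" or "unknown"
    country: str           # where the request comes from
    home_country: str      # where the user normally works
    app_sensitivity: str   # "low", "medium" or "high"

# Factors ordered strongest to weakest (assumed ordering). The sequence handed to
# the user is built from this list, so a password is only used as a last resort.
FACTOR_STRENGTH = ("webauthn", "push", "totp", "password")
DENY_AT = 5  # risk at or above this is refused outright (assumed threshold)


def risk_score(ctx: Context) -> int:
    """Additive risk score; the weights are illustrative, not Okta's."""
    score = 0
    if not ctx.device_known:
        score += 2
    if not ctx.device_healthy:
        score += 2
    if ctx.network == "unknown":
        score += 1
    if ctx.country != ctx.home_country:
        score += 3
    score += {"low": 0, "medium": 1, "high": 2}[ctx.app_sensitivity]
    return score


def factors_needed(ctx: Context, risk: int) -> int:
    """How many distinct factors to sequence: one when trust is high, two otherwise.
    Account recovery is higher stakes than a login, so it always takes two."""
    if ctx.action == "recover":
        return 2
    return 1 if risk <= 1 else 2


def decide(ctx: Context, enrolled: tuple) -> dict:
    """Return the access decision, the risk that drove it, and the ordered
    factor sequence the user must complete (empty when denied)."""
    risk = risk_score(ctx)
    if risk >= DENY_AT:
        # e.g. recovery from an unknown device on another continent ends here
        return {"decision": "deny", "risk": risk, "factors": ()}
    if ctx.action == "enroll":
        # First-day enrollment is only allowed from the office network; the
        # user has no factors yet, so the next step is registering one.
        if ctx.network == "corp" and ctx.country == ctx.home_country:
            return {"decision": "allow", "risk": risk, "factors": ("register:webauthn",)}
        return {"decision": "deny", "risk": risk, "factors": ()}
    # Login or recovery: pick the strongest enrolled factors, strongest first.
    available = [f for f in FACTOR_STRENGTH if f in enrolled]
    needed = factors_needed(ctx, risk)
    if len(available) < needed:
        return {"decision": "deny", "risk": risk, "factors": ()}
    return {"decision": "allow", "risk": risk, "factors": tuple(available[:needed])}


if __name__ == "__main__":
    # Constructed scenarios from the post.
    first_day = Context("enroll", False, True, "corp", "US", "US", "low")
    print(decide(first_day, ()))
    far_away_reset = Context("recover", False, True, "unknown", "JP", "US", "low")
    print(decide(far_away_reset, ("webauthn", "password")))
    trusted_login = Context("login", True, True, "corp", "US", "US", "low")
    print(decide(trusted_login, ("webauthn", "password")))
```

The point of `decide` is the shape of the policy rather than the numbers: context lowers or raises the bar, the number of factors follows the bar, and the factor list is filled from the strongest enrolled option down, so a low-risk login never has to fall back to a password when WebAuthn is available.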
Okta Access Gateway
Another significant announcement was Okta’s Access Gateway, for on-premises applications. This is a net new product for them in this space, and it checks the box for an important strategic move: Your cloud-based ID management system doesn’t just have to be for your cloud apps—you can take all the same authentication techniques, risk profiles, conditional access policies, and everything else back down to your datacenter, too.
Okta Access Gateway is a proxy that can be deployed in your datacenter or on top of IaaS, and it will support things like header-based or WAM (Web Access Management) authentication.
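Header-based authentication has one trust boundary that any gateway of this kind has to enforce: the backend application believes whatever identity headers arrive, so the proxy must be the only thing that can set them. The added example below is not Okta's code and makes no claim about how Access Gateway is built; it is a sketch of the per-request logic such a proxy performs, with an assumed HMAC-signed session cookie (`gw_session`) and assumed header names (`X-Remote-User`, `X-Remote-Groups`). The key step is dropping any copies of those headers that the client sent before adding the gateway's own.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret known only to the gateway, used to sign session cookies.
SECRET = b"constructed-demo-secret-do-not-reuse"
SESSION_COOKIE = "gw_session"
# Headers the backend trusts as identity. Only the gateway may set them.
IDENTITY_HEADERS = ("x-remote-user", "x-remote-groups")


def issue_session(user: str, groups: list, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed session cookie after the IdP login succeeds (toy format:
    base64(user|groups|expiry).hex(hmac-sha256))."""
    start = int(time.time() if now is None else now)
    payload = f"{user}|{','.join(groups)}|{start + ttl}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_session(token: str, now: Optional[float] = None) -> Optional[tuple]:
    """Return (user, groups) for a valid, unexpired cookie, else None."""
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered or forged
    user, groups, exp = payload.decode().split("|")
    if int(exp) < (time.time() if now is None else now):
        return None  # expired
    return user, (groups.split(",") if groups else [])


def upstream_headers(inbound: dict, cookies: dict, now: Optional[float] = None) -> Optional[dict]:
    """Build the header set forwarded to the on-prem app.

    Returns None when there is no valid session (the caller would redirect to
    the IdP). Client-supplied identity headers are always discarded so a user
    cannot assert an identity by sending X-Remote-User themselves."""
    forwarded = {k: v for k, v in inbound.items() if k.lower() not in IDENTITY_HEADERS}
    session = verify_session(cookies.get(SESSION_COOKIE, ""), now)
    if session is None:
        return None
    user, groups = session
    forwarded["X-Remote-User"] = user
    forwarded["X-Remote-Groups"] = ",".join(groups)
    return forwarded


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle an identity header.
    cookie = issue_session("alice", ["finance"], now=1000)
    print(upstream_headers({"X-Remote-User": "admin", "Accept": "text/html"},
                           {SESSION_COOKIE: cookie}, now=1500))
```

In a real deployment the same rule applies at the network layer: the application must only be reachable through the gateway, otherwise the header stripping is bypassed by talking to the app directly.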
More EUC anecdotes and thoughts
Conferences are always a good place to hear anecdotes that make you think of things in a different light, or make something click in your head in a new way.
One thing that stuck out to me is that at least three people mentioned offhand how much their executives use iPads. After years of contemplating the future of laptops and wondering if tablets could replace them, I’m finally ready to agree that iPads—particularly iPad Pros with keyboards—are at that point. This isn’t revelatory or anything, it just finally stuck in my head after I heard it three times in two days. Y’know what I mean? :)
The other point was about end user training and security awareness. Sometimes I hear about training programs that try to teach users how to spot phishing emails and links, and I just have to think that the effectiveness is limited. (It seems like you’re scolding your users, who would rather be getting work done.) So what’s a better way to get users to help? Okta (like many other products) can send users an email when there’s suspicious activity on their account, and the user can click “Yes, that was me” or “Yikes, it wasn’t me!” and it will alert the admin or take other actions. This isn’t a new concept, but it suddenly clicked that this is a much more productive, natural, and friendly way to get users involved in keeping the company secure.