Vlog: Why Okta Needs an Identity Layer

All right. Well, hello everybody. This is Michael Cichon, the chief marking officer at 1Kosmos. I’m here this morning with Huzefa Olia, our chief operating officer, to discuss how to make single sign-on a bit more secure. Huzefa, welcome to the vlog this morning. How are you?

Interesting topic, Michael. Pleasure to be here.

Well, listen, I appreciate you taking time. I know between the analyst briefings, the customer meetings, you’re pretty busy. I appreciate you taking time this morning. I want to start off talking a little bit about the Lapsus$ breach at Okta. I know some folks say it’s not a big deal, the breach only lasted 25 minutes. Other folks are saying this is a big deal. So what actually happened? And with Okta being a market leader, what does this say about the state of single sign-on?

Absolutely. So the breach happened not directly within Okta, but it happened with a service provider that Okta uses. Lapsus$ was able to social engineer a password for one of the vendors that Okta uses, and through that, tunnel into the network. And I believe they had access to two or maybe three of customer data or customer instances that Okta manages. Through the reports that we have seen or what Okta has published, it essentially says none of the critical information was released to them. As part of the breach, they did manage to see more information around some collaboration sites that that particular customer had. So although the impact wasn’t as severe, but it happening to an identity provider, to a single sign on-engine like Okta is extremely critical. And I think it just leads to this particular discussion that we’re having right now, that what can be changed when it comes to any kind of an authentication that happens.

Okay So the breach wasn’t any real deficiency in Okta itself. It’s the reliance on passwords. And this has been a problem for business all along. It’s the account takeover, email account takeover at a partner, a company that’s not your own, but you inherit that as a business, you inherit that risk from your supply chain. So with that as context, what should customers of single sign-on be doing to shore up their security?

Yeah. Great question. So if we look at it and just peel off all the different layers and whether it came from a supplier or whether it came internally, whatever that is, the essential or fundamental thing is the way we authenticate today is broken, irrespective of the type of system that we authenticate into. And what I mean by that is in this specific example and in all the different breaches that have happened, the model has been that a user’s password/PIN has been compromised. So every time when you’re relying on a knowledge-based authentication where a user is in the middle, a user’s knowledge of their password or PIN is important, social engineering is going to continue to happen. And there are more advanced methods of that happening. The essential method to change is move away from this knowledge-based authentication and do it based on possession, possession of a factor that you have, possession to say that this is my identity that I’m using to authenticate.

Okay. So possession on its own is not new. We’ve had this for a while with things like YubiKey and other devices that you would plug into your laptop to prove you have a physical key. But what is new and novel about this possession factor today?

So always, possession was primarily based as a second factor for authentication. We are never moving away from the passwords, primarily because we relied on that to authenticate a user’s identity, your password where you’re a proxy to who Michael is to authenticate. With systems that are out there, one of them and I’m plugging 1Kosmos over here, essentially what we are doing is that in your authentication flow, A, we are proving your identity by digitally verifying who you are and using that certificate-based authentication where you’re possessing that device, where your certificate is enrolled, and then proving who you are instead of a password by using your biometrics to authenticate. So that changes the whole notion of how a possession-based authentication would work as well. You’re no longer using it as a second factor, but you’re using it as the primary factor in the authentication.

Okay. All right. So passwords authenticate, but passwords don’t prove identity. At 1Kosmos, we talk about adding in identity layer, if you will. Can you talk a little bit more about what… You said prove identity. What does that mean? Can you translate that for people?

So the way we have seen how identity and access management works today is it’s not necessarily an and. Every identity sits in a separate silo, and access management sits in a separate silo. Where from an identity standpoint today, you often may or sometimes you maybe proving who the user is, but that is one time and that resides in a separate repository. And authentication doesn’t care about the user’s identity. They care about the user ID, which is very, very different.

A Michael Cichon, I know who you are, is very different compared to an MC shown, who I just am trusting and saying that I’m going to provide that access. So we are bridging that particular gap. And the way we do this is anytime a user is coming into an environment, yes, we do the identity proving and verification, but we do the continuous verification of the user’s identity. And then in addition to that, we no longer rely on any kind of an MC shown ID to authenticate the user. We ask the user to prove who they are by authenticating using their biometrics. So the whole notion of identity and access management working together actually would make sense in this case.

Okay. So depending on the needs of the business, there’s different levels of this identity proving, correct?

Absolutely. And there are standards which are there in the market today. The most leading one in US is the NIST Identity Assurance Level. And there are different levels that you can get to depending on how do you want to get the user. If I have a low entry point or if my system is not as critical, I may want the user to log in to my system if they have an IAL level of one. But if it’s production and if it’s a critical system, I would like the user to be IAL level two or higher when they’re authenticating. And as well as when they’re authenticating, I want to use a factor that I can trust. And there are multiple different biometrics factors, which are there in the market today.

You mentioned a couple of them, YubiKey, where as well as other kind of device biometrics, like your Face ID and Touch ID that Apple provides. All of them great. But if you really, really want to know who the user is, then a live selfie is extremely important. When I am enrolling you, Michael, in my organization, you’re proving who you are, but I am taking some kind of a video recording with you. When I’m authenticating you, I want that same kind of a flow as well. And that’s something, again, which is unique into our platform where we not only take a certain level for a user, but we also try to authenticate them using those live biometrics.

Okay. Okay. So the 1Kosmos platform, we know it’s certified to the NIST standard, certified to the IDO2 standard. The biometrics are also certified, correct?

That is correct, certified with iBeta.

Okay, great. So bringing this back to Okta, how does 1Kosmos then work to complement Okta?

Yeah. This goes with respect to Okta or any kind of a single sign-on engine, which is out there. Single sign-on engines are wonderful and are an essential requirement now in any kind of a large enterprise today. How we work with a single sign-on provider like Okta is that we would integrate with them. So anytime you’re logging in into an Okta or a single sign-on engine a user, instead of entering the username and a password one time, you would no longer even have to do that. You will essentially be authenticating using your biometrics that would be enrolled using 1Kosmos. And 1Kosmos has all the plumbing that has been built in within Okta or any kind of other single sign-on provider that is out there.

Interesting. So when Steve Jobs introduced the iPhone, he introduced the new stylus, which was the finger. And now, we are introducing basically yourself as the authenticator. So what’s the user experience like then?

As we say, instead of remembering a complex password, now you log in with a blink and a smile.

Blink and a smile. That’s awesome. Okay. Well, that’s the questions I had for you. This has been really interesting for me. I think you’ve been pretty clear in helping us understand this. We do have a webinar coming up. It’s called After Lapsus$, How to Protect Your SSO Environment from Vendor and Contractor Compromise. This particular webinar is happening on August 18th at 10:00 AM Pacific and 1:00 PM Eastern Time. So if you’re seeing this log after that date, that will, of course, be available on our website as a replay. So thank you very much, Huzefa. I appreciate your time today. Have a great rest of your day. And so long, everybody.

Thank you for having me.