What Okta’s failures say about the future of identity security in 2025



2025 should be the year that identity providers fully commit to improving every aspect of software quality and security, including red teaming, while making their apps more transparent and objective about results beyond standards.

Anthropic, OpenAI, and other leading AI companies have taken red teaming to a new level, revolutionizing their release processes for the better. Identity providers, including Okta, should follow their example and do the same.

While Okta was one of the first identity management vendors to sign CISA's Secure by Design pledge, it is still struggling to get authentication right. Okta's recent advisory told customers that 52-character usernames could be combined with stored cache keys to bypass the need to provide a password at login. Okta recommends that customers examine their Okta System Log for unexpected authentications by usernames longer than 52 characters during the period from July 23, 2024 to October 30, 2024.
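The log review Okta recommends above is a concrete hunt a defender can script. The following is an added example, not Okta's own tooling: it walks System Log events (one JSON object per line, as exported from the System Log API), keeps successful authentication events inside the advisory's date window, and flags those whose username meets the length threshold. The field names (`published`, `eventType`, `outcome.result`, `actor.alternateId`) follow the Okta System Log event schema; the set of event types treated as "authentication" and the sample events are assumptions constructed for the example. The threshold is inclusive (52 or more) on purpose, since over-flagging is the safer default when triaging.

```python
"""
Hunt for Okta System Log sign-in events with unusually long usernames
inside a given date window.  Added example; not Okta's own tooling.
Field names follow the Okta System Log event schema; the event-type
prefixes treated as authentication are an assumption.
"""
import json
from datetime import datetime, timezone

# Review window from the advisory (July 23 through October 30, 2024, UTC assumed).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive upper bound
USERNAME_LEN_THRESHOLD = 52  # flag usernames of this length or longer

# Constructed sample events (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"published":"2024-08-02T14:03:11.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"}}
{"published":"2024-08-02T14:05:42.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"firstname.middlename.lastname.extra.long.part@subdomain.example.com"}}
{"published":"2024-09-15T09:12:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"firstname.middlename.lastname.another.long.part@subdomain.example.com"}}
{"published":"2024-11-05T08:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"firstname.middlename.lastname.outside.the.window@subdomain.example.com"}}
{"published":"2024-10-30T23:59:59.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"firstname.middlename.lastname.edge.of.window.here@subdomain.example.com"}}
"""


def parse_event(line):
    """Pull the fields the hunt needs out of one System Log JSON event."""
    ev = json.loads(line)
    # Okta timestamps are ISO 8601 with a trailing 'Z'; normalise for fromisoformat.
    published = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    return {
        "published": published,
        "event_type": ev.get("eventType", ""),
        "result": ev.get("outcome", {}).get("result", ""),
        "username": ev.get("actor", {}).get("alternateId") or "",
    }


def is_auth_event(event_type):
    """Assumption: session-start and authentication events are the ones that matter here."""
    return event_type.startswith(("user.session.", "user.authentication."))


def find_suspicious_logins(log_text, threshold=USERNAME_LEN_THRESHOLD,
                           start=WINDOW_START, end=WINDOW_END):
    """Return successful auth events in [start, end) whose username is >= threshold chars."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_auth_event(ev["event_type"]):
            continue
        if ev["result"] != "SUCCESS":
            continue  # failed attempts are noise for this particular review
        if not (start <= ev["published"] < end):
            continue
        if len(ev["username"]) < threshold:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print(f'{hit["published"].isoformat()}  {hit["event_type"]:<36} '
              f'len={len(hit["username"]):>3}  {hit["username"]}')
```

Against a real tenant, the same filter can be applied to events fetched from the System Log API with its `since` and `until` parameters set to the advisory window; every hit should then be reconciled with the user in question, and the session reviewed as a possible unauthorized authentication.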

Okta points to its best-in-class record for multi-factor authentication (MFA) adoption among both Workforce Identity Cloud users and administrators. These are table stakes to protect customers today and a given to compete in this market.

Google Cloud announced mandatory multi-factor authentication (MFA) for all users in 2025. Microsoft also requires MFA for Azure as of October this year. “Starting in early 2025, the gradual enforcement of MFA on sign-in for Azure CLI, Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools will begin,” Microsoft said in a recent blog post.

Okta's results with CISA's Secure by Design

It is commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed in May of this year and committed to the initiative's seven security goals. While Okta continues to make progress, challenges remain.

Pursuing standards when delivering new apps and platform components is a challenge. Even more problematic is keeping a diverse, rapidly evolving set of DevOps, software engineering, QA, red teams, product management, and marketers all coordinated and focused on launch.

  • Not being demanding enough when it comes to MFA: Okta has reported a significant increase in MFA usage, with 91% of administrators and 66% of users using MFA as of January 2024. Meanwhile, more and more companies are making MFA mandatory without waiting for a standard to require it. Google and Microsoft’s mandatory MFA policies highlight the gap between Okta’s voluntary measures and the industry’s new security baseline.
  • Vulnerability management needs to be improved, starting with a solid commitment to red teaming: Okta’s bug bounty program and vulnerability disclosure policies are, for the most part, transparent. The challenge is that its approach to vulnerability management remains reactive and relies mainly on external reports. Okta must also invest more in red teaming to simulate real-world attacks and identify vulnerabilities before they are exploited. Without red teaming, Okta risks leaving specific attack vectors undetected, limiting its ability to address emerging threats early.
  • Improvements in logging and monitoring need to be implemented quickly: Okta is improving its logging and monitoring capabilities for better security visibility, but as of October 2024, many of these improvements remain incomplete. Critical features such as real-time session tracking and robust audit tools are still in development, which hinders Okta’s ability to provide comprehensive, real-time intrusion detection across the platform. These capabilities are critical to giving customers immediate insight into, and the ability to respond to, potential security incidents.

Okta’s security flaws demonstrate the need for more robust vulnerability management

While every identity management provider has experienced attacks, intrusions, and breaches, it is notable how Okta is using them as fuel to reinvent itself around CISA’s Secure by Design framework.

Okta’s missteps make a strong case for expanding its vulnerability management initiatives, taking the red teaming lessons learned from Anthropic, OpenAI, and other AI providers and applying them to identity management.

Recent incidents Okta has experienced include:

  • March 2021 – Verkada camera breach: Attackers gained access to more than 150,000 security cameras, exposing significant network security vulnerabilities.
  • January 2022 – LAPSUS$ group compromise: Cybercriminal group LAPSUS$ exploited third-party access to breach Okta’s environment.
  • December 2022 – Source code theft: Attackers stole Okta’s source code, highlighting internal holes in its access controls and code security practices. This breach highlighted the need for stronger internal controls and monitoring mechanisms to protect intellectual property.
  • October 2023 – Customer support breach: Attackers gained unauthorized access to customer data for approximately 134 customers through Okta’s support channels, which the company acknowledged on October 20. The intrusion started with stolen credentials used to access the support management system. From there, attackers obtained HTTP archive (.HAR) files containing active session cookies and began breaching Okta’s customers, attempting to penetrate their networks and exfiltrate data.
  • October 2024 – Username authentication bypass: A security flaw allowed unauthorized access by bypassing username-based authentication. The bypass revealed weaknesses in product testing, as the vulnerability could have been identified and addressed through more thorough testing and red-teaming practices.

Red-teaming strategies for future-proofing identity security

Okta and other identity management providers should consider how they can improve red teaming, regardless of any standard. An enterprise software company shouldn’t need a standard to excel at red teaming, vulnerability management, or integrating security into system development life cycles (SDLCs).

Okta and other identity management vendors can strengthen their security posture by following these red teaming lessons from Anthropic and OpenAI:

Consciously create a more continuous collaboration between humans and machines when it comes to testing: Anthropic’s blend of human expertise with AI-driven red teaming uncovers hidden risks. By simulating varied attack scenarios in real time, Okta can proactively identify and address vulnerabilities earlier in the product lifecycle.

Strive to excel in adaptive identity testing: OpenAI’s use of advanced identity verification methods, such as voice authentication and multimodal cross-validation for detecting deepfakes, could inspire Okta to implement similar testing mechanisms. Adding an adaptive identity testing methodology could also help Okta defend itself against increasingly sophisticated identity spoofing threats.

Prioritizing specific domains for red teaming keeps testing more focused: Anthropic’s targeted testing in specialized areas demonstrates the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integrations and customer support, where nuanced security breaches might otherwise go unnoticed.

Identity management platforms need more automated attack simulations for stress testing: OpenAI’s GPT-4o model is exercised with automated adversarial attacks that keep constant pressure on its defense mechanisms. Okta could implement similar automated scenarios, allowing rapid detection of and response to new vulnerabilities, especially in its IPSIE framework.

Commit to more real-time integration of threat information: Anthropic’s real-time knowledge sharing within red teams strengthens their responsiveness. Okta can embed real-time intelligence feedback loops into its red-teaming processes, allowing evolving threat data to immediately inform defenses and accelerate response to emerging risks.

Why 2025 will challenge identity security like never before

Adversaries are relentless in their efforts to add new, automated weapons to their arsenal, and each company is struggling to keep up.

With identities being the primary target of most breaches, identity management providers must meet the challenges and increase security across every aspect of their products. That should include integrating security into their SDLC and helping DevOps teams get comfortable with security so that it isn’t an afterthought that is reviewed immediately before release.

CISA’s Secure by Design initiative is invaluable to any cybersecurity provider, especially identity management providers. Okta’s experiences with Secure by Design helped them find gaps in vulnerability management, logging, and monitoring. But Okta shouldn’t stop there. They must fully commit to a renewed, more intense focus on red teaming, taking the lessons learned from Anthropic and OpenAI.

Improving data accuracy, latency, and quality through red teaming is the fuel every software company needs to create a culture of continuous improvement. CISA’s Secure by Design is just the starting point, not the goal. Identity management vendors heading into 2025 need to see the standards for what they are: valuable frameworks for guiding continuous improvement. Having an experienced, solid red team function that can catch errors before they ship and simulate aggressive attacks from increasingly skilled and well-funded opponents is one of the most powerful weapons in an identity management provider’s arsenal. Red teaming is essential to staying competitive while keeping pace with adversaries.

Author’s Note: Special thanks to Taryn Plumb for her collaboration and contributions to gathering insights and data.
