SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Okta welcomes Essential 8 push for phishing resistant authentication
Fri, 16th Feb 2024

As the cyber threat arms race accelerates, it is critical that government bodies provide practical guidance to the community.

In this context, Okta welcomes and applauds the November 2023 updates to Australia’s Essential Eight Maturity Model.

The Essential 8 is a set of recommended security controls created by the Australian Signals Directorate, specifically for mitigating the compromise of Windows networks. This guidance, which relies on ASD’s experience with responding to compromised Windows networks, provides a yardstick for control maturity in a Windows environment.

The maturity model provides four maturity levels for organizations to align to – from maturity level zero through to maturity level three. Organizations can use these levels to progressively step up their control maturity.

Among the many compelling updates to the maturity model in 2023, Okta was especially pleased to see requirements introduced for phishing-resistant Multifactor Authentication. Phishing-resistant MFA is required for maturity level 2 and above for workforce access and must be offered as an option for customer-facing systems.

These requirements will actively prevent organizations from being breached, as only a subset of factors are resistant to the phishing infrastructure used by attackers today.

Not all MFA is created equal

Over half of the phishing kits Okta proactively identifies in attacks on well-defended customers do not simply steal a user’s credential. These “Adversary in the Middle” phishing kits operate as transparent HTTP proxies in an attempt to steal the session tokens created when the targeted user signs in to an online service. Any authentication flow that relies on a user password plus some form of generated code, whether delivered by SMS, email or an authenticator app, is vulnerable to these attacks.

Okta is well placed to protect customers from this threat and to help them meet MFA requirements at all Essential 8 maturity levels, given our cross-platform support for phishing-resistant MFA in the workforce, partner, and end-customer use cases.

In Okta’s Identity Engine, admins can enforce phishing resistance for workforce users signing in on any device using FastPass (Okta’s passwordless client), via any roaming or platform authenticator that uses FIDO2 WebAuthn, or through our support for PIV/CAC Smart Cards. Using FastPass, which is built into the Okta Verify app, customers can deliver the same phishing resistant user experience on all major operating systems (Android, iOS, MacOS and Windows). FastPass can also be used to actively detect Adversary-in-the-Middle phishing attacks that target users, surfacing these events in the Okta System Log.

Okta Customer Identity Cloud (formerly Auth0) lets developers offer phishing-resistant passkeys at log-in, with an intuitive user experience designed to bring the password-using public into the passwordless world.

Room for improvement
Okta offers a best-in-class array of MFA options, leading to high rates of MFA adoption among our customers. The rate of adoption for phishing-resistant authenticators is lagging, however, due to misconceptions over what authenticators - and in what configuration - offer genuine resistance.

By definition, adding a number challenge or number matching to a Push challenge does not deliver phishing resistance. The additional number challenge offers stronger assurance than Push alone, but it doesn’t cryptographically bind the output of an authenticator to a particular domain.
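The two passages above make a single technical point: a one-time code (SMS, email, TOTP, or a push approval with number matching) carries no information about where it was typed, so a transparent proxy can forward it unchanged, whereas a FIDO2/WebAuthn assertion is signed over the relying party’s ID and the browser-observed origin, so the same proxy cannot produce an assertion the real site will accept. The script below is an added example written for this article; it is not Okta’s code and not a real WebAuthn implementation. The domains (`login.example`, `login-example.net`), the shared secret and the keys are constructed, and an HMAC key stands in for the authenticator’s ECDSA/EdDSA private key so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Constructed values for this example; not Okta's domains or any real deployment.
RP_ID = "login.example"                     # WebAuthn relying-party id (hypothetical)
RP_ORIGIN = "https://login.example"         # origin the RP expects in clientDataJSON
PHISH_ORIGIN = "https://login-example.net"  # lookalike origin served by an AitM proxy


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 authenticator. A real device signs with a per-credential
    private key (ECDSA/EdDSA); here an HMAC key plays that role so the example runs
    on the standard library alone. The binding logic is the same."""

    def __init__(self) -> None:
        self.credential_key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, challenge: str, origin: str,
                      browser_enforces_rp_id: bool = True) -> dict:
        host = origin.split("://", 1)[1]
        # The browser fills in clientData itself and only lets a page use a credential
        # whose rp_id is a registrable suffix of the page's real origin.
        if browser_enforces_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError("browser refuses: rpId does not match page origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        # authenticatorData = rpIdHash (32) | flags (1, 0x01 = user present) | signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credential_key, signed, "sha256").digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(credential_key: bytes, assertion: dict, expected_challenge: str):
    """Relying-party side: the checks a WebAuthn server performs before accepting a login."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def webauthn_login(origin: str, browser_enforces_rp_id: bool = True):
    """Run one WebAuthn login with the user's browser on `origin`. With PHISH_ORIGIN the
    proxy forwards the RP's genuine challenge, which is exactly what an AitM kit does."""
    authenticator = SimulatedAuthenticator()
    registered_key = authenticator.credential_key   # stored by the RP at registration
    challenge = secrets.token_urlsafe(32)           # issued by the RP for this session
    try:
        assertion = authenticator.get_assertion(RP_ID, challenge, origin, browser_enforces_rp_id)
    except PermissionError as exc:
        return False, str(exc)
    return verify_assertion(registered_key, assertion, challenge)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_login_through_proxy(now=None) -> bool:
    """The code the user types on the phishing page is a bare string: the proxy forwards it
    unchanged, and the RP can only compare it against its own clock and the enrolled secret."""
    secret = b"constructed-shared-secret"          # enrolled between user and RP (constructed)
    now = int(time.time()) if now is None else now
    code_typed_on_phish_page = totp(secret, now)
    code_forwarded_by_proxy = code_typed_on_phish_page
    return code_forwarded_by_proxy == totp(secret, now)   # accepted: nothing names the origin


if __name__ == "__main__":
    print("genuine origin   :", webauthn_login(RP_ORIGIN))
    print("phishing origin  :", webauthn_login(PHISH_ORIGIN))
    print("server-side only :", webauthn_login(PHISH_ORIGIN, browser_enforces_rp_id=False))
    print("TOTP via proxy   :", totp_login_through_proxy())
```

Two layers reject the proxied WebAuthn login: the browser declines to use a credential whose RP ID does not match the page it actually loaded, and even if that client-side check were absent (`browser_enforces_rp_id=False`), the signed `clientDataJSON` carries the phishing origin, so the relying party’s `origin` check fails. The TOTP path has no equivalent field to check, which is the sense in which number matching or a pushed code, however it is decorated, is not cryptographically bound to a domain.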

This is why standards bodies like the US National Institute of Standards and Technology (NIST) offer a precise technical definition of phishing resistance, which is, in turn, relied on by the US policy community to develop advice and policy frameworks akin to Australia’s Essential 8.

Okta would like to see Australian standards bodies provide the same clarity to ensure that organisations understand which methods of sign-in are resistant to different forms of attack.