Okta has developed a new capability for its passwordless authentication system aimed at countering the illegitimate use of biometric login data, a move meant to head off a potential route for malicious actors who are becoming increasingly sneaky in their phishing attempts.
"Threat actors are getting better and more sophisticated, and this is kind of a quest to make sure we stay one step ahead of them," Okta co-founder and CEO Todd McKinnon said in an exclusive interview with Protocol.
The new capability for Okta's passwordless authentication product, FastPass, is now in an early access preview, and is expected to be generally available in early 2023.
Biometric data is considered an inherently more secure method of authentication given the unique nature of each person's fingerprint or facial scan. But a series of high-profile cases of thwarted multifactor authentication, including the interception of one-time passcodes, shows that login data tied to biometrics could very well become a bigger target for phishing going forward too, according to Okta.
The company's answer to the looming threat, McKinnon said, is "to make even the biometric authenticators more anti-phishing" by default.
The method that Okta is implementing involves binding biometric login information to a user's device so that only that device can use that information for authentication.
"What that means is if someone puts up a fake phishing site and tricks you into pushing your fingerprint into the fake page, it's no use to them," McKinnon said. "They can't use that to then log in as you."
Specifically, the new capability prevents the reuse of the login keys that are generated in response to a user's biometric data rather than protecting the biometric data itself, according to Okta. The actual biometrics are already protected since they do not leave the user's device as part of the FastPass system, the company said.
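The article describes the defence only at a high level: the key that answers a biometric prompt stays on the device, and a response captured by a fake page is of no use to the attacker. The following simulation is an added illustration of that principle and is not Okta's or FastPass's code. It assumes two constructed origins (a legitimate relying party and a look-alike phishing host), a fresh single-use challenge per login, and a keyed MAC as a stand-in for the device's signature; a real deployment such as WebAuthn uses an asymmetric key pair so the server never holds the device's private key, which this simplification does not model.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed origins for the example; neither is a real site.
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.invalid"


class Device:
    """Stand-in for the user's device. The key never leaves this object, and
    the biometric check is modelled as a gate in front of it."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._key = secrets.token_bytes(32)  # device-bound secret

    def register(self) -> Tuple[str, bytes]:
        # Simplification: a real enrolment would export only a public key.
        return self.device_id, self._key

    def sign_assertion(self, origin_seen: str, challenge: bytes,
                       biometric_ok: bool) -> Optional[bytes]:
        if not biometric_ok:
            return None
        # The origin the browser actually talked to is bound into the MAC, so
        # a response produced on a fake page carries the fake page's origin.
        msg = origin_seen.encode() + b"|" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class RelyingParty:
    """The legitimate login service."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: Dict[str, bytes] = {}
        self.pending: Set[bytes] = set()

    def enroll(self, device: Device) -> None:
        device_id, key = device.register()
        self.keys[device_id] = key

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, device_id: str, challenge: bytes,
               assertion: Optional[bytes]) -> bool:
        # Challenges are single-use, so replaying a captured assertion fails.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        key = self.keys.get(device_id)
        if key is None or assertion is None:
            return False
        # Recompute over OUR origin, never over a value the client supplies.
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_login(rp: RelyingParty, device: Device) -> bool:
    challenge = rp.new_challenge()
    assertion = device.sign_assertion(RP_ORIGIN, challenge, biometric_ok=True)
    return rp.verify(device.device_id, challenge, assertion)


def phished_login(rp: RelyingParty, device: Device) -> bool:
    # The fake page relays the real site's challenge and forwards whatever the
    # device returns; the device saw PHISH_ORIGIN, so the assertion is rejected.
    challenge = rp.new_challenge()
    assertion = device.sign_assertion(PHISH_ORIGIN, challenge, biometric_ok=True)
    return rp.verify(device.device_id, challenge, assertion)


def replayed_login(rp: RelyingParty, device: Device) -> Tuple[bool, bool]:
    # A genuine assertion is accepted once; a second submission is rejected.
    challenge = rp.new_challenge()
    assertion = device.sign_assertion(RP_ORIGIN, challenge, biometric_ok=True)
    first = rp.verify(device.device_id, challenge, assertion)
    second = rp.verify(device.device_id, challenge, assertion)
    return first, second


def demo() -> Dict[str, object]:
    rp = RelyingParty(RP_ORIGIN)
    device = Device("laptop-1")
    rp.enroll(device)
    return {
        "legit": legitimate_login(rp, device),
        "phished": phished_login(rp, device),
        "replay": replayed_login(rp, device),
    }


if __name__ == "__main__":
    print(demo())
```

Two checks carry the defence: the relying party recomputes the expected value over its own origin rather than trusting anything the client sends, and every challenge is consumed on first use. A captured response therefore fails on both counts, which is the behaviour the article attributes to the new FastPass capability.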
The new capability, Advanced Phishing Resistance for FastPass, comes amid research showing that identity-based attacks are now the largest source of breaches by far. The capability was announced among several Okta product updates Wednesday in connection with the company's Oktane conference.
Another update that is "coming soon" to FastPass, Okta said, will make the service available to an organization's external partners in addition to its direct employees.
Other product updates announced by Okta include another forthcoming anti-phishing service, focused on the use of WebAuthn authenticators such as biometrics or hardware security keys. The new feature will provide organizations with better controls over WebAuthn enrollment in order to prevent phishing attempts, Okta said. It's planned for early access release in the first quarter of 2023.
Meanwhile, Okta also announced several new features meant to enable automated responses to security issues as part of its no-code Okta Workflows product.
The new features include a set of pre-built security templates meant to demonstrate how workflows can be used, which security teams can then tweak to their specific needs. Okta also announced a tool that enables the no-code creation of connectors to additional data feeds in Workflows, such as threat intelligence feeds.
Ultimately, for all organizations, "you want to be able to have a simple way to automatically respond to attacks," McKinnon said. "Having an automated workflow to respond to what's going on — that's what your security operations center really wants."