What Okta’s failures say about the future of identity security in 2025




2025 needs to be the year identity providers go all in on improving every aspect of software quality and security, including red teaming while making their apps more transparent and getting objective about results beyond standards.

 Anthropic, OpenAI and other leading AI companies have taken red teaming to a new level, revolutionizing their release processes for the better. Identity providers, including Okta, need to follow their lead and do the same.

While Okta is one of the first identity management vendors to sign up for CISA’s Secure by Design pledge, it is still struggling to get authentication right. Okta’s recent advisory told customers that usernames of 52 characters or more could be combined with a stored cache key to log in without supplying a password. Okta recommends that customers meeting the pre-conditions investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between July 23, 2024, and October 30, 2024.
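A defender-side check for the log review Okta recommends here, as an added example that is not from the article or from Okta: it scans newline-delimited System Log export records for successful authentications by usernames of 52 characters or more inside the stated window. The field names (`actor.alternateId`, `published`, `eventType`, `outcome.result`) and the treatment of `user.authentication.*` and `user.session.start` events as authentications are assumptions; the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Investigation window quoted from the Okta advisory on the page (UTC assumed).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive: covers all of Oct 30
# The page gives both "52 characters" and "greater than 52"; the inclusive
# bound is the conservative choice when hunting.
USERNAME_THRESHOLD = 52
# eventType prefixes treated as authentication events (assumption, not from the page).
AUTH_EVENT_PREFIXES = ("user.authentication.", "user.session.start")

# Constructed sample System Log records (not real data). Field layout follows the
# Okta System Log JSON schema: published, eventType, actor.alternateId, outcome.result.
LONG_USER = "a" * 40 + "@corp.example.com"   # 57 characters
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2024-08-14T09:12:03.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-08-14T09:13:10.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "jdoe@corp.example.com"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-09-02T22:40:55.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "FAILURE"}},
    {"published": "2024-11-05T01:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
])

def parse_published(ts: str) -> datetime:
    """Okta timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_suspect(event: dict) -> bool:
    """True for a successful authentication, inside the window, by a long username."""
    username = event.get("actor", {}).get("alternateId") or ""
    if len(username) < USERNAME_THRESHOLD:
        return False
    if not event.get("eventType", "").startswith(AUTH_EVENT_PREFIXES):
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False
    when = parse_published(event["published"])
    return WINDOW_START <= when < WINDOW_END

def find_suspect_auths(log_text: str) -> list:
    """Scan newline-delimited JSON events; return (published, username, length) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspect(event):
            user = event["actor"]["alternateId"]
            hits.append((event["published"], user, len(user)))
    return hits

if __name__ == "__main__":
    for published, user, length in find_suspect_auths(SAMPLE_LOG):
        print(f"{published} len={length} {user}")
```

Only the first constructed record is reported: the second has a short username, the third failed, and the fourth falls after the window.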

Okta points to its best-in-class record for the adoption of multi-factor authentication (MFA) among both users and administrators of Workforce Identity Cloud. That’s table stakes to protect customers today and a given to compete in this market.

Google Cloud announced mandatory multi-factor authentication (MFA) for all users by 2025. Microsoft has also made MFA required for Azure starting in October of this year. “Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence,” according to a recent blog post.

Okta is getting results with CISA’s Secure by Design

It’s commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed in May of this year, committing to the initiative’s seven security goals. While Okta continues to make progress, challenges persist. 

Pursuing standards while attempting to ship new apps and platform components is challenging. More problematic still is keeping a diverse, fast-moving series of DevOps, software engineering, QA, red teams, product management and marketers all coordinated and focused on the launch.  

  • Not being demanding enough when it comes to MFA: Okta has reported significant increases in MFA usage, with 91% of administrators and 66% of users using MFA as of Jan. 2024. Meanwhile, more companies are making MFA mandatory without relying on a standard for it. Google and Microsoft’s mandatory MFA policies highlight the gap between Okta’s voluntary measures and the industry’s new security standard.
  • Vulnerability management needs to improve, starting with a solid commitment to red teaming: Okta’s bug bounty program and vulnerability disclosure policy are, for the most part, transparent. The challenge Okta faces is that its approach to vulnerability management remains reactive, relying primarily on external reports. Okta also needs to invest more in red teaming to simulate real-world attacks and identify vulnerabilities preemptively. Without red teaming, Okta risks leaving specific attack vectors undetected, potentially limiting its ability to address emerging threats early.
  • Logging and monitoring enhancements need to be fast-tracked: Okta is enhancing logging and monitoring capabilities for better security visibility, but as of Oct. 2024, many improvements remain incomplete. Critical features like real-time session tracking and robust auditing tools are still under development, which hinders Okta’s ability to provide comprehensive, real-time intrusion detection across its platform. These capabilities are critical to offering customers immediate insights into, and responses to, potential security incidents.

Okta’s security missteps show the need for more robust vulnerability management   

While every identity management provider has had its share of attacks, intrusions and breaches to deal with, it’s interesting to see how Okta is using them as fuel to re-invent itself using CISA’s Secure by Design framework.

Okta’s missteps make a strong case for expanding their vulnerability management initiatives, taking the red teaming lessons learned from Anthropic, OpenAI and other AI providers and applying them to identity management.

Recent incidents Okta has experienced include:

  • March 2021 – Verkada Camera Breach: Attackers gained access to over 150,000 security cameras, exposing significant network security vulnerabilities.
  • January 2022 – LAPSUS$ Group Compromise: The LAPSUS$ cybercriminal group exploited third-party access to breach Okta’s environment.
  • December 2022 – Source Code Theft: Attackers stole Okta’s source code, pointing to internal gaps in access controls and code security practices. This breach highlighted the need for more stringent internal controls and monitoring mechanisms to safeguard intellectual property.
  • October 2023 – Customer Support Breach: Attackers gained unauthorized access to the customer data of approximately 134 customers via Okta’s support channels. The breach, acknowledged by the company on October 20, began with stolen credentials used to gain access to its support management system. From there, attackers gained access to HTTP Archive (.HAR) files containing active session cookies and began breaching Okta’s customers, attempting to penetrate their networks and exfiltrate data.
  • October 2024 – Username Authentication Bypass: A security flaw allowed unauthorized access by bypassing username-based authentication. The bypass highlighted weaknesses in product testing, as the vulnerability could have been identified and remediated through more thorough testing and red-teaming practices.

Red-teaming strategies for future-proofing identity security

Okta and other identity management providers need to consider how they can improve red teaming independent of any standard. An enterprise software company shouldn’t need a standard to excel at red teaming, vulnerability management or integrating security across its system development lifecycles (SDLCs).

Okta and other identity management vendors can strengthen their security posture by applying the red teaming lessons learned from Anthropic and OpenAI below:

Deliberately create more continuous, human-machine collaboration when it comes to testing: Anthropic’s blend of human expertise with AI-driven red teaming uncovers hidden risks. By simulating varied attack scenarios in real-time, Okta can proactively identify and address vulnerabilities earlier in the product lifecycle.

Commit to excel at adaptive identity testing: OpenAI’s use of sophisticated identity verification methods like voice authentication and multimodal cross-validation for detecting deepfakes could inspire Okta to adopt similar testing mechanisms. Adding an adaptive identity testing methodology could also help Okta defend itself against increasingly advanced identity spoofing threats.

Prioritizing specific domains for red teaming keeps testing more focused: Anthropic’s targeted testing in specialized areas demonstrates the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integrations and customer support, where nuanced security gaps may otherwise go undetected.

More automated attack simulations are needed to stress-test identity management platforms: OpenAI’s GPT-4o model uses automated adversarial attacks to continually pressure-test its defenses. Okta could implement similar automated scenarios, enabling rapid detection and response to new vulnerabilities, especially in its IPSIE framework.

Commit to more real-time threat intelligence integration: Anthropic’s real-time knowledge sharing within red teams strengthens their responsiveness. Okta can embed real-time intelligence feedback loops into its red-teaming processes, ensuring that evolving threat data immediately informs defenses and accelerates response to emerging risks.

Why 2025 will challenge identity security like never before

Adversaries are relentless in their efforts to add new, automated weapons to their arsenals, and every enterprise is struggling to keep up.

With identities being the primary target of the majority of breaches, identity management providers must face the challenges head-on and step up security across every aspect of their products. That needs to include integrating security into their SDLC and helping DevOps teams become familiar with security so it’s not an afterthought that’s rushed through immediately before release.

CISA’s Secure by Design initiative is invaluable for every cybersecurity provider, and that’s especially the case for identity management vendors. Okta’s experiences with Secure by Design helped them find gaps in vulnerability management, logging and monitoring. But Okta shouldn’t stop there. They need to go all in on a renewed, more intense focus on red teaming, taking the lessons learned from Anthropic and OpenAI.

Improving the accuracy, latency and quality of data through red teaming is the fuel any software company needs to create a culture of continuous improvement. CISA’s Secure by Design is just the starting point, not the destination. Identity management vendors going into 2025 need to see standards for what they are: valuable frameworks for guiding continuous improvement. Having an experienced, solid red team function that can catch errors before they ship and simulate aggressive attacks from increasingly skilled and well-funded adversaries is among the most potent weapons in an identity management provider’s arsenal. Red teaming is core to staying competitive while having a fighting chance to stay at parity with adversaries.

Writer’s note: Special thanks to Taryn Plumb for her collaboration and contributions to gathering insights and data.


