Overcoming common identity issues, to make it the centre of your perimeter.
A world without passwords is a reality, but understand that identity is key to your security strategy.
Last week Okta held its annual Oktane conference in Las Vegas, and one of the key messages was that ‘identity has become the key to security’ with the company committed to defeating identity-based attacks, with added services and with an open standard named IPSIE - the Interoperability Profile for Secure Identity in the Enterprise - announced.
Speaking at the event, Arnab Bose, chief product officer at Okta, said that currently, “identity is sprawling with over-provisioning and chances for lateral movement” and “securing the workforce is getting harder and harder every day.” Bose was keen to support the announcement of IPSIE, as a world where the whole tech ecosystem conforms to the IPSIE standard “will provide the strongest level of identity security before, during and after authentication.”
Bose explained these concepts in three phases. 'Before authentication', you can discover and remediate risky identity misconfigurations. 'During authentication', you can achieve end-to-end phishing resistance, device-bound sessions and zero standing privileges for both human and non-human accounts. 'After authentication', you can continuously listen for risk signals across your entire enterprise and terminate sessions with universal logout.
Have the Risk Factors
However, an issue with discovering and remediating excessive standing privileges, and taking action to correct them, according to Bose, is that managers and approvers don't know all of the risk factors, and they're being asked to approve access requests “without all of the data to make the right decision at the right time.”
Bose said that “how you unlock your actual Windows or Mac computer remains the final frontier”, as that is where a password is usually still sufficient. Building on its previous announcements around support for password-less login and FIDO2, Okta also plans extended device single sign-on, which ties the Okta session directly to the device using a hardware-protected key, so the session is bound to that specific authorised device and the key cannot be replayed anywhere else.
“From an end user's perspective, you'll simply sign into your machine and from that point in time onwards, you're already signed into Okta and all your downstream applications will be automatically logged in and at every login, we are constantly reassessing all your security risk signals,” he said.
“So in case something does change, we can step it up at that particular point in time. So not only is it faster and better for your end users, it is more secure end to end.”
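The three ideas Bose describes above (a session bound to a device-held key that cannot be replayed elsewhere, risk signals re-assessed on every access with a step-up when they change, and universal logout that terminates sessions) can be sketched in a small model. The following is an added example written for this article; it is not Okta's code and does not implement the IPSIE profile. It simulates the hardware-protected key with a per-device HMAC secret shared at enrollment, which is a simplification of the asymmetric, TPM or secure-enclave-held key a real deployment would use, and the risk signal names, the `Device` and `IdentityProvider` classes and the `signed_request` helper are all constructed for illustration.

```python
"""Toy model of a device-bound session with per-request risk re-evaluation
and universal logout. Constructed example, not Okta's implementation.
The 'hardware-protected key' is simulated with a per-device HMAC secret,
a simplification of the asymmetric key a real device would hold."""
import hashlib
import hmac
import secrets
import time


class Device:
    """Endpoint holding a secret that only it can use to sign requests."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._secret = secrets.token_bytes(32)

    def enrollment_material(self) -> bytes:
        # Simplification: with an asymmetric key only the public half
        # would ever leave the device.
        return self._secret

    def sign(self, message: bytes) -> str:
        return hmac.new(self._secret, message, hashlib.sha256).hexdigest()


def request_message(session_id: str, nonce: str, request: str) -> bytes:
    """Canonical bytes the device signs for one request."""
    return f"{session_id}|{nonce}|{request}".encode()


class IdentityProvider:
    # Constructed signal names that force a step-up on the next access.
    STEP_UP_SIGNALS = {"impossible_travel", "device_posture_failed"}

    def __init__(self) -> None:
        self._device_keys = {}   # device_id -> verifier material
        self._device_owner = {}  # device_id -> user
        self._sessions = {}      # session_id -> session record
        self._risk = {}          # user -> set of active risk signals

    def enroll_device(self, user: str, device: Device) -> None:
        self._device_keys[device.device_id] = device.enrollment_material()
        self._device_owner[device.device_id] = user

    def login(self, user: str, device_id: str) -> str:
        """Issue a session bound to an enrolled device owned by this user."""
        if self._device_owner.get(device_id) != user:
            raise PermissionError("device not enrolled for this user")
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {
            "user": user, "device_id": device_id,
            "seen_nonces": set(), "issued_at": time.time(),
        }
        return session_id

    def report_risk(self, user: str, signal: str) -> None:
        self._risk.setdefault(user, set()).add(signal)

    def authorize(self, session_id: str, request: str,
                  nonce: str, proof: str) -> str:
        """Re-check binding, replay and risk on every single access."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return "denied: no such session"
        if nonce in sess["seen_nonces"]:
            return "denied: replayed proof"
        expected = hmac.new(self._device_keys[sess["device_id"]],
                            request_message(session_id, nonce, request),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return "denied: proof not from bound device"
        sess["seen_nonces"].add(nonce)
        if self._risk.get(sess["user"], set()) & self.STEP_UP_SIGNALS:
            return "step_up_required"
        return "ok"

    def universal_logout(self, user: str) -> int:
        """Terminate every session for the user; returns how many."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def signed_request(device: Device, session_id: str, request: str):
    """What the client sends with each request: a fresh nonce and its proof."""
    nonce = secrets.token_hex(8)
    return nonce, device.sign(request_message(session_id, nonce, request))
```

A stolen session identifier is useless on its own in this model: the verifier demands a fresh proof under the bound device's key, a captured proof is rejected as a replay, and an unenrolled device cannot produce one. The risk check runs on every request rather than only at login, so a signal raised after login turns the next access into a step-up, and universal logout makes the session disappear entirely.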
Onboarding Faster
Speaking to SC UK, Bose says a lot of the customer conversations he has are around onboarding applications faster, getting contractors onboarded quicker, and working at speed and high efficiency.
“I think the conversation has dramatically changed and the CISOs were telling me that ‘our company is going through an audit, it is a board level concern to get to this sort of risk outcome and the foundation of our security strategy is identity’,” he says.
The conversation has changed because businesses have realised that data breaches are real, and that there is a need to look at identity, because “identity is your only perimeter.”
Embrace Identity
Bose says that a number of customers have embraced identity as their security strategy, which has allowed them to make demonstrable changes, “and a lot of the customers I speak with who are pretty mature in their identity security strategy, have all sorts of controls in place.”
He says these can include running user onboarding and off-boarding processes, identity governance programs to ensure privileges are right-sized, having a privileged access management solution, and having identity security posture management tools in place. However, Bose admits that this may be the privilege of the well-funded Fortune 500 CISO, and that the introduction of IPSIE will be a step towards giving other businesses the same level of ‘identity as a perimeter’.
Bose says there is a concept where “if you don't ever have a password, that's something that you can't lose” and admits “it is possible today”, while acknowledging that adoption could take some time, especially as “there's no forcing factor for enterprises” currently.
With advancements in technology around identity though, there is an opportunity for identity to be the foundation of the security strategy. “I think we have an opportunity now that can push this change, where we can get to a world with no passwords,” he says.
Whether it comes from advancements in technology (in this case specifically Okta’s), widespread adoption of the IPSIE standard, or an overall shift away from ‘the way we’ve always done it’, with identity-based attacks one of the biggest challenges in cybersecurity currently, maybe this is a way forward.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.