Okta plans to leverage device, IP and geolocation information to help businesses identify instances where a password might not be necessary for logging in.
The San Francisco-based identity management vendor said its algorithms learn people's behavior over time and can allow users to log in without a password if they're in a familiar setting. But if the same employee attempts to log in from an unfamiliar setting, Okta will hit them with both a security question and a second factor before granting access.
End users are, if anything, getting worse at managing passwords as the same ones are typically recycled over and over again, according to Joe Diamond, Okta's director of security product management.
"Passwords are a pretty big problem," Diamond told CRN. "They haven't changed through the course of time."
Vendors have been talking about eliminating passwords for more than a decade but have typically attempted to do so in an irresponsible manner, Diamond said, granting users access just by typing in their email address and clicking on an authentication email. But there's a high likelihood that bad actors also know a user's email address, Diamond said, which could make this method problematic.
Diamond said Okta's context-based approach – which considers an employee's expected behavior as well as the presence or absence of a corporate network – is a more responsible way to provide password-less access.
High-assurance logins receive a push notification and provide an email address, Diamond said, while low-assurance logins might require a certificate on the device or the use of a high-assurance factor such as a unique key or U2F (Universal 2nd Factor) token. Firms can also consider the sensitivity of the application being accessed, as well as the level of access each particular user is provided in the system.
These capabilities will be powered by Okta ThreatInsight, a new capability that looks at an IP address's reputation as well as where the request for access is coming from to determine whether it's malicious or safe, Diamond said. While other vendors also offer a password-less experience, Diamond said they don't offer threat checks on the level of ThreatInsight.
The contextual access management capabilities will be available as part of Okta's Adaptive Single Sign-On (SSO) and Adaptive Multi-Factor Authentication (MFA) offerings. Adaptive SSO is a new SKU that offers new behavioral and adaptive functionality, Diamond said, and costs $6 per user per month.
Adaptive MFA, meanwhile, is an existing offering that's been enhanced, Diamond said, and costs $5 per user per month.
Diamond anticipates huge adoption of these contextual access management capabilities in both employee-centric and customer-centric instances since it's something everyone's been requesting for a long time. He said it's one of the very few offerings on the marketplace that will make both security teams and end users happy.
Okta's new capabilities will make it so that users have easy access to applications remotely and can continue doing their job while still ensuring that the business is protected from a security standpoint, according to Hayley Roberts, CEO of Stockport, England-based Okta partner Distology.
Specifically, Roberts said she's pleased Okta is using multi-factor authentication and intelligence related to geographies and IP addresses to reduce the use of passwords where possible while still maintaining security in unfamiliar surroundings.
"Passwords are cumbersome and annoying," Roberts said.