I know govt. contractors use Okta for authentication. Since names and emails were taken, I expect more targeted phishing attacks as a result of this. Fortunate it wasn’t sensitive data (hopefully.)
Having been involved in both sides of other certifications before (not FedRAMP specifically though) my level of trust in them is through the floor. So much meaningless box ticking & not much actual substance.
How did Okta even get that big, it seems like sso could be cheap oauth in house. I've herd they ahve many other integrations/webhooks but that doesnt seem the cost of outsourcing one of the most vital part of your org.
Am I missing something, some magic other than sales and gullible pm's?
One place to go to deactivate many logins for an ever expanding world of SaaS systems is basically necessary in 2023 for enterprise. Okta has been building that.
We've spent years telling folks that $X is too hard; so just out-source to $LIB or $PACKAGE or $VENDOR. Now we've got a whole huge group of builders, managers of makers that make these plans/calls.
We should stop saying $X is too hard and start, at least, trying to help more folk realize it can be done in house.
It all started when it became "too much trouble to host your own email" and then all the centralization and vendorification happened...and stay off my lawn!
On average decentralization would make it less safe not more though. Most medium/small and even some large businesses would definitely mess something up if they had to do it themselves
It's outsourcing risk. Auth is hard, we all know it (yes, it is hard), and it's cheaper to outsource to a company who has it as their core competency, than hire internal experts.
“Cheaper” is an interesting term to use when we’re talking about auth. I guess it depends on how much a company values the ability of outside entities to not have access to internal resources. Some companies would peg that value at the entire value of the company.
A lot of companies rely on third party vendors for physical access management because who wants to in-source maintenance of locks/doors/badge readers/etc.
I’m not sure why it comes across as unusual for wanting to outsource a service that is incredibly easy to get wrong to someone whose core focus is getting that right.
Unfortunately Okta seems too eager to downplay these incidents, but that doesn’t mean all authentication services are equally flawed.
It's basically THE WAY to get authorizations for medical practices to get prescriptions approved for patients in the US. Ridiculous. (Along with a bunch of other medical logins.)
On one hand, the market seems to react to these appropriately. On another hand, the market has a short-term memory and prices go back up.
It's unfortunate Auth0 was acquired by them. Have used it from the beginning and it used to be a great product before the Okta acq. Now it's just constant sales emails, expensive pricing, not much new feature launches, most features are very enterprise focused, bunch of bugs, frequent outages.
Stock 41% up in the last 12 months is not appropriate.. it basically signals, "buy at a huge discount after each incident, we'll keep it rising regardless".
At this point, one could speculate they are not worth almost at all given they fail to deliver on their primary value proposition. They are not and have not been profitable either, only getting worse: https://finance.yahoo.com/quote/OKTA/financials?p=OKTA
This sort of business doesn’t have to immediately realize a profit they just have to expand their base of customer and dig their claws deeper into their customers core infrastructure. Once they do that they can exploit their customers for years before they’l be able to escape. Since they are frequently going to be competing in “lowest bidder wins” competitions they’re be foolhardy to try and make a profit up front honestly, counter-intuitively it would be lighting money on fire. This is also a product with pretty substantial benefits from scale, as Okta gets bigger more things integrate with them so they’re easy to integrate with so they get bigger…
I’m just wondering who in the industry is still stupid enough to stick their neck out for Okta? Why are they getting new customers? Why not go with the other devil you know your cloud provider to offer mostly the same services? What is Okta offering when they seem relatively incompetent compared to the competition that often offers their products for cheaper up front?
When you're evaluating solutions make sure to look into Authentik too. For my small company needs it was much much easier to understand and setup and it's only gotten better and more featureful.
Authentik takes a little more to set up than KeyCloak, but the effort is well worth it when you go to configure TOTP. Authentik 2FA UX can be quite easy, similar to commercial products.
There are plenty of valid concerns around self-hosting it, but I fear for the future of our profession if things like DNS, TLS certificates and backing up a database on a schedule are now considered hard.
What is a good, alternative, external authentication solution outisde of Okta and their auth0 product, then? I was looking to use their product because I have trusted their ability to manage authentication.
Honestly, I'd rather not self-host anything. Many people, such as Amazon and Auth0 provide services to handle authentication for you, so you're just given a jwt token or session information. I want to pay pennies per user to have it done right(tm)
I didn’t realize it until looking at it just a moment ago, but Auth0 is an Okta subsidiary. They don’t have a stellar record by themselves [0]. I guess that leaves Amazon? That’s not super encouraging.
As an auth backend to an app, perhaps, but the web login forms for Cognito had terrible UX (when we were using it). So terrible that we had daily customer-reported support tickets that we had no ability to fix (short of writing our own full UI).
Also, sharding user records into Cognito pools was a bit frustrating. Hopefully AWS has invested in fixing these issues.
I'm looking at this one and it seems to cover things that I need (admittedly, without a free tier, but what'reyougonnado). I knew about Okta through people in the security space and that's why I trusted it. I don't see anything on Ory's page that seems to explain the audit work they do, etc. Is this something you are familiar with? Or?
Yes, we're using it in production. However, we have deployed our own stack of it. You don't have to use their service if you don't eant to. It's open source, so in a way there is a free tier to it if you can put some work into deployment.
Authentik is easiest to self host and give you everything you would expect in an premium offering, it's opensource and just need a single docker compose command to up and running.
https://goauthentik.io/
(former Userify CEO, so probably a bit biased, but we only focus on SSH/sudo, so not too much overlap)
I agree completely, except with the obvious stipulation that Google seems to be only SaaS and thus extremely high-value target, but Google's security has always been top notch and you can tell they actually care.
Ping Identity seems to be doing pretty well (now owned by Thoma Bravo) and haven't heard of any publicly disclosed leaks.
LastPass has had several well-publicized breaches recently, though.
Google has one of the best security practices and teams out there, so I would agree. They don't need to support legacy systems nor have so many disparate systems like MS has, so they an advantage over MS despite MS having a good security team as well. Only dings on them is service in this area as well as baked integrations (Okta has tons)
Check out ZITADEL— It fuses the best features of Auth0 and Keycloak into a more modern, innovative package. (full disclosure, I'm part of the team)
It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free - https://zitadel.com/signin
It provides:
- authentication and authorization capabilities (including SSO, IdP Federation)
- auditing
- custom extensions
- support for standards such as OIDC/OAuth/SAML/LDAP
- full API support
- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.
It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.
I mentioned it above, but FusionAuth is supposedly good. They offer a paid cloud and free self-hosted version, so you get the benefits of rolling your own without as many risks. (No affiliation with the company on my part, so I can't speak to any specifics - they're just local and I continually hear good things from friends who know and use them.)
Ask yourself why you need it - if it's to handle auth for an SaaS, your web application framework most likely already has a battle-tested auth implementation you can just use.
In this case, introducing a third-party doesn't help. You can still screw up the integration (or merely configuration - a general-purpose IdP has lots of features that may not apply to your use-case, yet misconfiguring them could leave a large security hole without even realizing it), and you are still on the hook for security regardless (if your app is vulnerable, it doesn't matter how secure the IdP is as they can just bypass it).
We're a commercial offering with self-hosted and SaaS options. I don't have a ton of insight into your needs, but it is a solid, well documented external authentication system.
We have a free option available here: https://fusionauth.io/download or you can pay us for premium features, hosting or support.
Keycloak is fairly easy to maintain. I run a deploy in AWS/ECS, and nearly never needs to be touched... except when an upgrade is required. Every upgrade has been challenging, starting with change to Quarkus, followed by removing dependencies from the docker images.
But when it's not being upgrade, it's fantastic. Many thanks to Red Hat.
Because people who don't bother to read the article assume it's a new breach, as we can see in the comments here ("another breach"). I'm not saying that it makes it better or worse.
At this point it might be time to stop using the service handling your company's auth, which is supposed to be the most secure link in the chain, yet is being hacked every quarter.
January, and since it looks very similar to the more recent one (customer support breach), there seems to be a high chance that it's THE SAME, ongoing since at least that time.
It's probably just confirmation bias because authentication system breaches get more coverage, and I pay more attention to them, but it seems like all the big players get pwned far too often. You had one job, buddy. Okta, 1Password, LastPass all had breaches or other failures. With so many self-hostable solutions available, I dunno why small/medium-sized companies trust external third parties.
Jeez the hits keep coming. Every time they have to update about this Oct breach it puts FUD in my mind about this company, that I have never done business with anyway.
They cant get away with "oh shiz we screwed up", this is the essential part of their business. If you're unable to perform the fundamental service you are offering, it's indefensible. Okta having a security breach is like a pizza shop owner who's unable to make a pizza.
Not sure if it's reasonable to expect perfect security, people are fallible so that position won't make you very happy. We'll all get hacked, question is if we make it easy for them to gather private information which in this case didn't seem to have happened. The fact that it wasn't, probably is due to it being "the essential part of their business".
This could be potentially really dangerous. Most Okta customers who would use support would be IT admins. This is a pretty good list to start social engineering to get more information from other customers just by calling or emailing IT members impersonating corporate end users.
One of the most literal cases of "the breach is always twice as bad as the initial disclosure claims" I've seen. Also TIL the dept of defense uses okta that's reassuring for someone I'm sure.
I did not realize it was a $6 billion/6000 person public company. Their product is single sign-on services & they’ve got this bad of a track record? I guess I shouldn’t be surprised anymore
What blows my mind is that they've somehow managed to turn relatively minor incidents that aren't even compromises to their core systems into top-of-the-news-cycle meltdowns.
The Lapsus$ compromise in 2022 was a third-party IT subcontractor getting their spy-on-the-employees RDP popped, and then Lapsus$ using incredibly limited access to the Okta admin tool to take some screenshots of support dashboards. Honestly it could have been spun into a "hey, our defense in depth pretty much worked!" story.
Then, the most recent issue was an employee's third-party password manager getting compromised, allowing an attacker to log in to the support ticket tracker, which happened to contain HAR files with creds in them as well as details on support contacts. I bet a lot of enterprises are vulnerable to this, the HAR file thing is actually a great lesson in a highly unexpected threat vector. But somehow Okta have managed to turn it into a months-long top-of-the-news cycle incident, first by denying the compromise happened at all and then by underplaying the access the threat actor had to the support ticket tracker.
It's the same reason most news stories are shit today. They aren't about conveying information or educating anyone about events in the world.
They are clickbait garbage, meant solely to drive traffic in for Ad revenue and in recent history, they are slanted based on a bias that the owner wants, not any sort of factual, unbiased reporting that one may have erroneously expected from the 4th Estate.
That about sums it up. Journalists either washing the dirty laundry of trillion dollar companies or peddling their product launches for the off-chance of a special scoop in the future. The big sites are definitely no more than this, with very few exceptions for opinion pieces, but even those are heavily being guard-railed against all the “politically correct” nonsense.
Will security companies release enterprise one-use email address products like Apple’s “Hide My Email?”
Hide My Email generates unique, random email addresses that automatically forward to your personal inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.
"For 99.6% of users in the report, the only contact information recorded is full name and email address."
I can see the retraction already: "We have run a fully unfiltered scan, as opposed to a regular unfiltered scan, and it turns out we released the full age, name, address, and DNA sequence of every customer support user."
Remember, they have to wait until there is literally not chance of the victims mitigating the issue, because releasing the info in a timely manner may affect the next quarter's numbers and the sole consequence will be a fine, paid with other people's money.
Names and email addresses of people likely to be an Okta admin or superadmin in your org....aka a curated target list for your next spear phishing campaign
It's so strange to me that Okta have retained their CSO. None of the recent breaches seem particularly egregious in isolation, but the pattern around bungled communication and failed follow-up investigations is comical.
When we propose our niche SAAS to larger customers, we're sometimes measured from a security perspective on whether we will integrate with their Okta SSO.
The product/company feels like the natural progression of the whole Oracle/Java/JS/SAML schtick, and has become the de facto when dealing with the kinds of people who base their whole company's IT personality on that stack. They're trying very, very hard to make it seem like it's another "no one got fired for buying IBM" kind of decision. Except... oops!
Remember RSA and OPM? The RSA hack had huge implications for the Department of Defense, and was probably a state-sponsored hack (likely China). Around the same time the Office of Personnel Management (OPM) was hacked. So the state-sponsored hackers got to all the private details of anyone with classified access and clearances (which can be used for blackmail or for answering those strange "Who was your 3rd grade teacher?" auth questions to get past an identity test), and simultaneously could hack the rotating MFA codes from RSA.
Auth companies will always be a high value target for state-sponsored espionage.
Fields which may facilitate security questions such as those you quote are explicitly not included in the report run by the 'threat actor'. In fact "for 99.6% of users in the report, the only contact information recorded is full name and email address."[1]
184 comments
[ 4.1 ms ] story [ 237 ms ] threadNot easy to fake that one. I guess you could have a shitty coalfire assesor
Am I missing something, some magic other than sales and gullible pm's?
We should stop saying $X is too hard and start, at least, trying to help more folk realize it can be done in house.
It all started when it became "too much trouble to host your own email" and then all the centralization and vendorification happened...and stay off my lawn!
It's outsourcing risk. Auth is hard, we all know it (yes, it is hard), and it's cheaper to outsource to a company who has it as their core competency, than hire internal experts.
I’m not sure why it comes across as unusual for wanting to outsource a service that is incredibly easy to get wrong to someone whose core focus is getting that right.
Unfortunately Okta seems too eager to downplay these incidents, but that doesn’t mean all authentication services are equally flawed.
It's unfortunate Auth0 was acquired by them. Have used it from the beginning and it used to be a great product before the Okta acq. Now it's just constant sales emails, expensive pricing, not much new feature launches, most features are very enterprise focused, bunch of bugs, frequent outages.
At this point, one could speculate they are not worth almost at all given they fail to deliver on their primary value proposition. They are not and have not been profitable either, only getting worse: https://finance.yahoo.com/quote/OKTA/financials?p=OKTA
I’m just wondering who in the industry is still stupid enough to stick their neck out for Okta? Why are they getting new customers? Why not go with the other devil you know your cloud provider to offer mostly the same services? What is Okta offering when they seem relatively incompetent compared to the competition that often offers their products for cheaper up front?
But self hosting is non-trivial. You have to deal with DNS, TLS certificates, configuring Keycloak, data backups, and redundancy.
I set it up once so I could evaluate it. I may yet choose to self host but I'm not under any illusions that it's easier than paying for a service.
Edit: Elest will do it, https://elest.io/open-source/authentik
[0] https://www.bleepingcomputer.com/news/security/auth0-warns-t...
The downside I ran into is that it doesn't support SAML SSO. It is only OAuth, OpenID Connect, and JWT.
Also, sharding user records into Cognito pools was a bit frustrating. Hopefully AWS has invested in fixing these issues.
Okta's whole value prop was that they do it "right"... Oops.
Our UI is native to your website (no redirects) and the auth logic sits within your backend api layer - giving you a lot more control
Okta is nuts. 5th time in two years. Who the F*** is running that place?
I agree completely, except with the obvious stipulation that Google seems to be only SaaS and thus extremely high-value target, but Google's security has always been top notch and you can tell they actually care.
Ping Identity seems to be doing pretty well (now owned by Thoma Bravo) and haven't heard of any publicly disclosed leaks.
LastPass has had several well-publicized breaches recently, though.
It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free - https://zitadel.com/signin
It provides:
- authentication and authorization capabilities (including SSO, IdP Federation)
- auditing
- custom extensions
- support for standards such as OIDC/OAuth/SAML/LDAP
- full API support
- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.
It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.
You can download it and host it yourself - https://zitadel.com/docs/self-hosting/deploy/overview
Github- https://github.com/zitadel/zitadel
Case studies and testimonials - https://zitadel.com/blog/tags/successstory
In this case, introducing a third-party doesn't help. You can still screw up the integration (or merely configuration - a general-purpose IdP has lots of features that may not apply to your use-case, yet misconfiguring them could leave a large security hole without even realizing it), and you are still on the hook for security regardless (if your app is vulnerable, it doesn't matter how secure the IdP is as they can just bypass it).
We're a commercial offering with self-hosted and SaaS options. I don't have a ton of insight into your needs, but it is a solid, well documented external authentication system.
We have a free option available here: https://fusionauth.io/download or you can pay us for premium features, hosting or support.
Why are companies not running something like keycloak [1] themselves? Are administrative/maintenance costs too high or is it plausible deniability?
[1] https://keycloak.org
But when it's not being upgrade, it's fantastic. Many thanks to Red Hat.
https://www.okta.com/blog/2022/04/okta-concludes-its-investi...
https://www.okta.com/blog/2022/03/oktas-investigation-of-the...
> Today we are sharing new information that potentially impacts the security of our customers
Maybe in another month they will conclude whether or not that “potentially” is a yes or no.
https://en.wikipedia.org/wiki/Okta,_Inc.#Security_incidents
The Lapsus$ compromise in 2022 was a third-party IT subcontractor getting their spy-on-the-employees RDP popped, and then Lapsus$ using incredibly limited access to the Okta admin tool to take some screenshots of support dashboards. Honestly it could have been spun into a "hey, our defense in depth pretty much worked!" story.
Then, the most recent issue was an employee's third-party password manager getting compromised, allowing an attacker to log in to the support ticket tracker, which happened to contain HAR files with creds in them as well as details on support contacts. I bet a lot of enterprises are vulnerable to this, the HAR file thing is actually a great lesson in a highly unexpected threat vector. But somehow Okta have managed to turn it into a months-long top-of-the-news cycle incident, first by denying the compromise happened at all and then by underplaying the access the threat actor had to the support ticket tracker.
It's the same reason most news stories are shit today. They aren't about conveying information or educating anyone about events in the world.
They are clickbait garbage, meant solely to drive traffic in for Ad revenue and in recent history, they are slanted based on a bias that the owner wants, not any sort of factual, unbiased reporting that one may have erroneously expected from the 4th Estate.
What a shit world humans have created.
The table isn't on this post.
Will security companies release enterprise one-use email address products like Apple’s “Hide My Email?”
Hide My Email generates unique, random email addresses that automatically forward to your personal inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.
https://support.apple.com/en-us/105078
I can see the retraction already: "We have run a fully unfiltered scan, as opposed to a regular unfiltered scan, and it turns out we released the full age, name, address, and DNA sequence of every customer support user."
Source: Most breaches.
Those discussions feel stranger by the day
Auth companies will always be a high value target for state-sponsored espionage.
1.TFA