The Quest for a Passwordless World

Identity has become the last best line of defense, and phishing is back on the rise. At least 80% of the most recent notable attacks can be attributed to identity-based attacks. The common idea behind all of these recent attacks is to steal the shared secret that identifies someone.

In this article, I would like to cover a few of the limitations of the current state of the art in authentication: passwords and Multi-Factor Authentication (MFA). I’ll then discuss the advantages and disadvantages of FIDO-based passwordless solutions. Last, I will cover what is still missing to help us move toward more resistant systems.

A History of the Password

Passwords have been around since, well, people needed to go through walls. In WWII, American soldiers used the password response “thunder” to prove their identity, as it was thought enemies could not pronounce the “th” sound.

The idea is simple: if Alice wants to identify Bob, she will ask him to say a passphrase, something they both know. The same is true for secret questions: I ask something only the real person would know.

Unfortunately, nothing is a secret in an internet, Facebook, and TikTok-based world.

In computer science, most machines take the words you typed, turn them into a one-way hash, keep it in a big database, and hope for the best. Because we value protecting data at rest more than data in transit, and we assume the data is encrypted in flight, passwords can easily be intercepted with adversary-in-the-middle (AiTM) attacks and with simpler methods, like asking for them via email.

So why are passwords still around?

  • They are built into every single OS and system out there.

  • Regulation, regulation, and more regulation.

  • They are super easy to create, replace, and use.

Beyond Passwords: A Look at Shared Secrets and Their Limitations

The best-known example of a shared secret is the Caesar cipher. In this cipher, you simply shift your alphabet a few characters back, as in the illustration below.

Unfortunately, in the computer era, guessing such ciphers is easy. But the idea is simple: there is a well-known method, and we both hold the same key. Key fobs and digital fobs work the same way; they present a number derived from the time or from an event counter, and the algorithm is based on a seed secret.

In most cases, if you know two consecutive codes, you can guess the next number fairly easily. How about we don’t share any secret at all? We can just hit OK on the phone; I can even require entering a verification code. But the idea remains the same: I have an SSO application, it sends a secret to a phone application, and that secret (as well as other parameters) is used to authenticate.

This seems awesome, so what’s wrong with them? Well, not much, besides several big issues:

  • Not all factors are born equal. While SMS and phone calls rely on a server-side seed as the shared secret, the infrastructure they run on has now been compromised several times.

  • MFA flood. MFA flood attacks are now very common. These attacks overwhelm the end user with notifications until they are fatigued enough to accept the prompt. Check out the video below for more detail on this.

  • Phishing attacks. Attackers are now asking for two consecutive codes as part of their phishing campaigns, with phishing pages designed to look like a token registration site.

  • Privacy issues. Most of the effective technologies require installing an application on your phone that tracks usage, location, and other PII.

  • Provisioning. Assigning a fob (or two if you need backup) to every employee takes time.

The Future of Authentication: Passwordless Solutions and Their Advantages

FIDO Alliance diagram of multi-device vs single-device credentials

We’ve seen plenty of progress. Interoperability means using a standard agreed upon between the hardware vendor, Service Provider, and IDPs, allowing for wide ecosystems and avoiding vendor lock-in between the IDP and the authenticator provider. This also allows for better privacy, as OS vendors such as Google, Apple, and Microsoft can remove the need to install a dedicated app.

Using PKI (Public Key Infrastructure) also improves privacy, as the credential is unique to each application and Authenticator pair. It also opens the opportunity for tight device binding without needing a VPN.

Despite all of these advances, many of the old issues remain. You still need to get the fobs into people’s hands, and there is no magic. There are last-mile services that include identity verification, but doing that in a global company with a distributed workforce is tricky.

Phishing-Proof vs. Phishing-Resistant: Understanding the Difference for Secure Authentication

I recently heard somebody use the analogy of watches to explain how phishing-resistant these new forms of authentication are.

A “water resistant” watch will resist water to a certain degree, but not entirely. In fact, if you submerge some of these watches, you will almost certainly experience water damage. However, if a watch is waterproof, you can submerge, swim, and dive without any water permeating the watch.

Similarly, these new forms of authentication are not phishing-proof. Instead, they are phishing-resistant to varying degrees. Several types of phishing can still be successful:

  • iCloud Attacks. Passkeys are synced with iCloud Keychain, making them available across all Apple devices. If someone is logged in to your iCloud on their device, they can now use those passkeys. This isn’t specific to Apple, either; the same is possible with Google Sync.

  • Session Hijacking. If attackers target your session cookies and hijack your sessions, the strength of your MFA factor is irrelevant.

This doesn’t mean you shouldn’t shift to phishing-resistant factors: you absolutely should. Just be aware that this will not make you immune to account takeovers. Of all the phishing-resistant factor types, passwordless provides the most exciting option for reducing the risk of phishing.

Overcoming Provisioning Challenges in the Quest for Passwordless Authentication

The rise of passwordless shows that we’ve made some great progress on the security of the technology for authentication. This will mean the weak spot now moves over to the human element. Specifically, I’m referring to the provisioning and reset process.

The first issue is a logistical one. How do we get everyone registered? How are the tokens delivered? I just met a customer from the RSA days who had to refresh 250k tokens.

Second, how do you initially verify the identity of the user?

Third, no matter how strong the method, you will need to reset the MFA. Physical factors are great until you leave them in the car or (as you can see below) they break. How do we reset these factors in this case? How do you know that when someone calls and says they lost their phone, it’s them?

Finally, we will need to find ways to deal with the problem population. This will require flexibility in how different users authenticate, and providing different solutions that suit their needs. Companies will often enable SMS-based authentication as an option for a small number of users, only to find that 50% of the workforce has registered SMS and is using it as their primary method.

Success in the Quest for Passwordless Authentication: Taking a Kaizen Approach

There will always be exceptions and excuses, but we need to get 100% of our workforce to adopt phishing-resistant authentication. This won’t happen overnight. I recommend taking a Kaizen approach – incremental improvement adds up to substantial change over time. If you’re stretched on time, then prioritize. Start by enrolling the most targeted accounts and those with access to the most data, such as administrators and executives.

At the same time, we must remember that this does not make us infallible, and there will always be attacks that make it through. We need to continue to apply a defense-in-depth approach to identity security and, bit by bit, improve our identity security posture.

Modern passwordless solutions are based on the Fast Identity Online (FIDO) set of standards. In their own words, “FIDO Authentication provides a simpler user experience with phishing-resistant security. With FIDO Authentication, users sign in with phishing-resistant credentials called passkeys. Passkeys can be synced across devices or bound to a platform or security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.”

  • AirDrop. Ease of sharing is nice, but with the new ability to share passkeys over AirDrop, the risk of someone else accessing your accounts increases.

Ryan Rowcliffe, CTO of HYPR, recently sat down on the Didi and Lital Podcast to discuss FIDO and Passwordless. Watch the video below!