Okta: what is 'contextual' access management?

Okta’s technology is used by developers to put a pre-architected layer of authentication into software applications used on traditional desktop, web or mobile environments.

As a result of the above statement, we generally don’t refer to Okta as a ‘security company’ – rather, we refer to it as an ‘enterprise identity’ specialist.

The company now suggests that organisations could (and we quote) “replace passwords” via stronger authentication controls for employees and for those partners and customers that integrate (or come into contact) with the core enterprise IT stack.

The company now offers new ‘contextual access management’ features.

What is contextual access?

To explain what contextual access management is, this is the action of ‘combining signals’ including information describing the device used, the geo-location of the device, plus also its ‘network context’ (i.e. what the user-device-data action caused the network to do, process and record in terms of log files and so on)… and combining those signals with threat intelligence from across Okta’s own ecosystem.

In Okta’s case, it performs this action using its new ThreatInsight functionality.

The proposition here is that this could be used to eliminate the login password as a primary factor of authentication.

ThreatInsight will be available in both Okta’s new Adaptive Single Sign-On (SSO) and enhanced Adaptive Multi-Factor Authentication (MFA) products.

“The best password is no password at all. Today’s threat actors are targeting the weakest point of your company’s security – your people – and too many are successfully compromising employee accounts due to poor or stolen passwords,” said Todd McKinnon, CEO and co-founder, Okta.

McKinnon explains that his firm’s technology is using signals across a user’s login context as well as insight from across its own ‘ecosystem’ to improve an organisation’s ability to set stronger access controls.

Okta says that its incident response team sees and takes action against threats and suspicious activity across its branded network (the company would rather us say ecosystem) of over 4,350 customers and 5,500 integrations.

Okta ThreatInsight is a brand label designed to show that the firm’s customers can get access to the combination of intelligence on offer here. Once a company get this information, the can decide what actions to take based on their ‘risk tolerance requirements’. Once customers set policies that fit their needs, the risk-based assessment and response is automated, allowing them to automatically step up authentication based on the intelligence provided.

“Okta has made investments in device-based access controls, extended its Adaptive Multi-Factor Authentication (MFA) solution to cover cloud and on-premises technologies – and increased intelligence into identity-driven threats. By blending these context signals and Okta ThreatInsight, Okta Adaptive MFA is able to determine risk and make dynamic access decisions. In addition, because Okta Adaptive MFA is able to use these signals to build a stronger risk profile around a user, an organisation can eliminate the password as the primary authentication factor,” said the company, in a press statement.

Low, moderate, high-risk

Examples of how IT administrators could set contextual access policies both for people in their enterprise ecosystem and in their digital products for customers include:

  • If a user attempts to authenticate from a recognised IP address, on a known device and on the company’s corporate network, the user would be considered ‘low risk’ – and the user would not be required to enter a password in order to login. Instead, the user would be prompted for an alternate factor, such as Okta Verify Push.
  • If the user attempts to authenticate from an unmanaged (though known) device but in a new location, the user would be considered ‘moderate risk’ and be prompted both for a security question and a second factor, such as Okta Verify.
  • If the user attempts to authenticate from an unmanaged and unknown device and from a connection with a high threat level, the user would be considered ‘high risk’ and Okta would disallow access.