Dive Brief:
- The persistent phishing campaign that tricked some Okta customers into sharing their credentials with a threat actor on spoofed sites earlier this month lends further credence to the need for a passwordless future, according to Okta CEO and Co-Founder Todd McKinnon.
- “We need to move to having no password,” McKinnon said, describing it as Okta’s vision and a paramount need for its customers. Okta’s platform can help organizations meet that goal, but they have to apply the proper configurations, he said Wednesday on Okta’s earnings call for the fiscal second quarter, which ended July 31.
- Okta can be configured so that customers secure data and account access with passwords, or in a passwordless state with no log-in page or password at all. The stricter approach can also require employees to use a cryptographically verified work device to gain access, McKinnon said.
Dive Insight:
The security onus remains on Okta customers, according to McKinnon. The level of control and security measures imposed on employees that use Okta to access corporate accounts are determined by each customer’s configuration.
Baseline controls aren’t enough to thwart adversaries. Threat actors frequently phish Okta users because of Okta’s scale, and customers that opt for less secure configurations are more susceptible to attack.
Organizations can benefit from an “unphishable configuration” of Okta, by doing away with all passwords and log-in pages, McKinnon said.
Threat actors behind the Oktapus campaign, an operation Okta prefers to call Scatter Swine, used text message phishing and fake Okta log-in sites to break into multiple organizations’ accounts. McKinnon said at least 130 Okta customers have been targeted.
Attackers phished for passwords and for weaker Okta second factors, such as one-time passwords and text-message codes, and used the captured values to break into targeted organizations’ systems.
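The difference between the phished factors above and the passwordless, device-bound configuration McKinnon describes comes down to what the credential is bound to. The following simulation is an added example, not Okta code or a description of Okta’s implementation: a one-time password is a shared secret rendered as six digits, so whatever the victim types into a look-alike page can be forwarded to the real login endpoint within the time window; a WebAuthn-style assertion is signed over the origin the browser actually loaded, so a relayed assertion either never gets produced (the platform refuses to use a credential registered to another site) or fails the server’s origin check. The host names, the RP ID and the use of HMAC as a stand-in for the authenticator’s asymmetric signature are assumptions made for the illustration.

```python
"""Constructed toy model (not Okta code): a relayed one-time password passes,
an origin-bound device assertion does not."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed names for the simulation: the legitimate IdP and a look-alike phishing host.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"
RP_ID = "login.example.com"  # relying-party identifier the credential was registered to


# ---- one-time passwords: a shared secret produces a code anyone can forward ----
def totp(shared_secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 style six-digit code (HMAC-SHA1 over the time counter)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def idp_verify_otp(shared_secret: bytes, code: str, unix_time: int) -> bool:
    """The IdP sees only six digits; it cannot tell on which page they were typed."""
    return hmac.compare_digest(code, totp(shared_secret, unix_time))


def otp_relay_succeeds() -> bool:
    """Victim types a live code into the phishing page; attacker forwards it seconds later."""
    shared_secret = secrets.token_bytes(20)
    now = 1_700_000_000                      # constructed timestamp inside one 30 s window
    code_captured_by_phisher = totp(shared_secret, now)   # entered on PHISH_ORIGIN
    return idp_verify_otp(shared_secret, code_captured_by_phisher, now + 5)


# ---- device-bound credential: the assertion is signed over the real page origin ----
class Authenticator:
    """Holds a per-device key. HMAC stands in for the asymmetric signature a real
    authenticator produces; what matters here is which bytes get signed."""

    def __init__(self) -> None:
        self.device_key = secrets.token_bytes(32)

    def get_assertion(self, page_origin: str, challenge: str, enforce_rp_id: bool = True) -> dict:
        host = urlparse(page_origin).hostname or ""
        # Platform check: a credential registered to RP_ID is unusable from another host.
        if enforce_rp_id and not (host == RP_ID or host.endswith("." + RP_ID)):
            raise PermissionError(f"credential for {RP_ID} not available to {page_origin}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self.device_key, client_data, hashlib.sha256).hexdigest()
        return {"clientDataJSON": client_data, "signature": sig}


def rp_verify_assertion(device_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Server side: type, origin and challenge must match before the signature counts."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != REAL_ORIGIN:   # rejects anything signed on another page
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    expected_sig = hmac.new(device_key, assertion["clientDataJSON"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def webauthn_login(page_origin: str, enforce_rp_id: bool = True) -> bool:
    """Full exchange: the real IdP issues a challenge, the browser at page_origin asks the
    device to sign it, and the result is submitted (possibly relayed verbatim) to the IdP."""
    device = Authenticator()
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = device.get_assertion(page_origin, challenge, enforce_rp_id)
    except PermissionError:
        return False
    return rp_verify_assertion(device.device_key, assertion, challenge)


def legitimate_webauthn_succeeds() -> bool:
    return webauthn_login(REAL_ORIGIN)


def webauthn_relay_succeeds() -> bool:
    """Phishing page relays the IdP's challenge; the platform refuses to sign for its host."""
    return webauthn_login(PHISH_ORIGIN)


def relay_with_modified_client_succeeds() -> bool:
    """Even if the platform check were bypassed, the signed origin still reads PHISH_ORIGIN."""
    return webauthn_login(PHISH_ORIGIN, enforce_rp_id=False)


if __name__ == "__main__":
    print("OTP relayed from phishing page accepted:", otp_relay_succeeds())
    print("Device assertion from real origin accepted:", legitimate_webauthn_succeeds())
    print("Device assertion relayed from phishing page accepted:", webauthn_relay_succeeds())
    print("Relayed assertion with platform check bypassed accepted:", relay_with_modified_client_succeeds())
```

The two checks are independent: the platform-side RP ID rule stops the credential from being exercised on the wrong site, and the server-side origin comparison catches an assertion that was somehow produced there anyway. A password or OTP has no equivalent binding, which is why a convincing copy of the login page is enough to capture and replay it.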
“The unique thing about this one is not that they targeted Okta customers, but that for a few customers it actually worked and they got in,” McKinnon said. “It usually doesn’t work, but this was a novel approach so it worked on a few customers.”
McKinnon said Okta needs to do a better job explaining how organizations can configure their Okta accounts to match their risk appetite on a per-resource basis.