New Security Features on Okta Admin Console

Okta is at the forefront of the fight against identity attacks. Our product, engineering, and security teams continually innovate the technology platform to protect our customers.

Okta is committed to leading the industry against identity attacks.

In this blog post I’ll review recent security enhancements to the Okta Admin Console that are available for all Okta Identity Engine orgs.

Enabling Features

Many of these features are early access (EA) at the time of writing. Once an EA feature is assigned to your org, it appears in the Okta OIE Admin Console under Settings > Features, where it can be enabled.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console that could weaken your org’s defenses.

There’s no impact to any existing rules that allow single-factor access.

Protected Actions in Admin Console

The protected actions feature provides an additional layer of protection for your org. It prompts admins for step-up authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform them. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.

These are the current protected actions for the Admin Console:

  • Configure protected actions
  • Create or modify external IdP
  • Grant and revoke the super admin role
  • Reset a super admin’s authenticators
  • Reset a super admin’s password (and sign them out)
  • Expire a super admin’s password (and sign them out)
  • Expire admin passwords in bulk
  • Reset admin passwords in bulk

Once enabled, you can configure Protected Actions with the following steps:

  1. In Okta Admin Console, go to Applications > Applications.
  2. Search for and select the Okta Admin Console app.
  3. Click the Protected actions tab.
  4. In the Select protected actions section, select the actions that you want to protect.
  5. Click Save configuration.

Detect and block requests from anonymizing proxies

Okta orgs can now detect and block web requests that come from anonymizers. This improves the overall security of your org by preventing admins from masking their source IP address and location.

You can configure the feature with the following steps:

  1. In Okta Admin Console, go to Security > Networks.
  2. Add a Dynamic Zone.
  3. Type a Zone name.
  4. Check Block access from IPs matching conditions listed in this zone.
  5. Select the location type from the Locations list.

Network zone allowlists for SSWS API tokens

Okta admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from which Okta API requests using SSWS API tokens can be made. This stops an attacker or malware that steals an SSWS token from replaying it outside the specified IP ranges to gain unauthorized access.

You can configure SSWS API Token allowlists with the following steps:

  1. In Okta Admin Console, go to Security > API.
  2. Click Tokens.
  3. Click Create Token.
  4. Type a friendly token name.
  5. Select the network location restrictions for calling APIs with this token.

Admin sessions bound to IP address

The Security > General > Organization Security page has a new IP binding for admin console setting that is enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.
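The three network-facing controls above (blocking anonymizing proxies, SSWS token network zone allowlists, and IP-bound admin sessions) all hinge on the source IP recorded in the System Log. The following is an added example, not Okta’s code, that audits constructed System Log events for the conditions those controls address. It assumes the field names follow the Okta System Log schema (eventType, client.ipAddress, securityContext.isProxy, authenticationContext.externalSessionId, actor.alternateId); the events and CIDR ranges are constructed.

```python
"""Audit constructed Okta System Log events (added example, not Okta's code).
Assumed field names follow the Okta System Log schema; events and CIDRs are
constructed with RFC 5737 documentation addresses."""
import ipaddress
from collections import defaultdict

# Constructed allowlist, mirroring an SSWS API token network zone allowlist.
API_TOKEN_ALLOWLIST = ["203.0.113.0/24", "198.51.100.10/32"]


def event(ip, is_proxy, session):
    # Build a minimal constructed System Log event for one admin session.
    return {"eventType": "user.session.start",
            "actor": {"alternateId": "admin@example.com"},
            "client": {"ipAddress": ip},
            "securityContext": {"isProxy": is_proxy},
            "authenticationContext": {"externalSessionId": session}}


SAMPLE_EVENTS = [
    event("203.0.113.7", False, "sess-A"),   # allowed source, not a proxy
    event("192.0.2.44", True, "sess-B"),     # anonymizer, outside allowlist
    event("203.0.113.9", False, "sess-A"),   # same session, source IP changed
]


def ip_in_allowlist(ip, allowlist):
    """True if ip falls inside any CIDR range of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)


def audit(events, allowlist):
    """Return (actor, ip, reason) findings for proxy use, out-of-allowlist
    sources, and sessions whose source IP changed (what IP binding ends)."""
    findings = []
    session_ips = defaultdict(set)
    for ev in events:
        ip = ev["client"]["ipAddress"]
        actor = ev["actor"]["alternateId"]
        if ev.get("securityContext", {}).get("isProxy"):
            findings.append((actor, ip, "anonymizing proxy"))
        if not ip_in_allowlist(ip, allowlist):
            findings.append((actor, ip, "outside allowlist"))
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            session_ips[sid].add(ip)
            if len(session_ips[sid]) > 1:
                findings.append((actor, ip, "session IP changed"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS, API_TOKEN_ALLOWLIST):
        print(finding)
```

Replace SAMPLE_EVENTS with entries pulled from your org’s System Log to run the same checks against real data.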

Enhanced security of Okta Verify enrollments

The Higher security methods option on the authenticator configuration page ensures that users enroll in Okta Verify in a phishing-resistant manner. With this option, users can’t enroll with QR code, email, or SMS link. See Configure Okta Verify options.

You can configure Higher security methods for Okta Verify with the following steps:

  1. In Okta Admin Console, go to Security > Authenticators.
  2. Select Okta Verify from the list.
  3. Scroll down to Enrollment Options.

Okta Verify user verification with PIN or passcode

The Okta Verify enrollment may rely on biometric verification, which presents challenges for users whose devices don’t support biometrics. To address this limitation, Okta Verify now supports user verification with device PIN or password in addition to biometrics. This enhancement broadens accessibility, enabling all users to authenticate with Okta Verify and Okta FastPass, regardless of their device capabilities or configuration. 

See Configure Okta Verify options.

You can configure user verification options for Okta Verify with the following steps:

  1. In Okta Admin Console, go to Security > Authenticators.
  2. Select Okta Verify from the list.
  3. Scroll down to User Verification Options.

Granular controls for authentication policies

You can now disallow or allow individual authentication methods for an authentication policy. This gives admins more granular control over access to apps.

You can set granular controls for authentication policies following these steps:

  1. In Okta Admin Console, go to Security > Authentication Policies.
  2. Select an authentication policy or create a new one.
  3. Edit an existing Auth Policy Rule or create a new one.
  4. Scroll down to the Then section and the Authentication methods setting.
  5. Select Allow specific authentication methods.
  6. Choose the authentication methods you want to allow.

Require possession factor before password during MFA

You can now require users to verify their identity with a possession factor before a password or other knowledge factor during MFA. 

This is a key security measure to help protect your org against password guessing and password spray attacks. See General Security. In Okta Admin Console, go to Security > General > Protect against password-based attacks and enable Require possession factor before password during MFA.

Unknown devices detection using fingerprint

Admins can now configure how unknown devices are treated based on the presence of a device fingerprint. In Okta Admin Console, go to Security > General > Protect against password-based attacks and enable Block suspicious password attempts from unknown devices.
