Oktane18: Okta Security Roadmap

Captions
Welcome, everyone. I really appreciate everybody coming out today. My name is Alex Bovee, I lead product management for security products here at Okta, and I'm excited to tell you about where we've been and where we're going. And I'm joined by Sami Laine.

I'm Sami Laine, the director of product marketing for security products here at Okta, and I'm going to be showing a little bit of where we came from and then show you a little bit of where we're going.

Great. So they make us put this boilerplate in front of the presentation, but this is roadmap content, so just be advised that these are forward-looking statements. Before we do get into that, I wanted to touch a little bit on where we're coming from. This last year was pretty exciting from an adaptive authentication standpoint. Hopefully we've got a lot of adaptive auth customers in the audience; if not, you should take a look at it. But we shipped a lot of great features that I think really start to get us more adaptive capabilities when it comes to authenticating users: things like new geolocation detection, new IP, new device, impossible travel, a beta that we currently have available today. And hopefully what you'll see as we go through this roadmap presentation is really how this context and these signals start to form the basis for a powerful engine that allows you to reduce friction and improve usability for your end users. So this is just the beginning. We've made a lot of advancements this year, but I expect that a lot of these stories and capabilities are going to be coming together holistically this year to just create awesome experiences for your end users that are very secure. Also this year we really focused a lot on improving our existing MFA integrations and adding new surface area to our MFA product portfolio, so things like supporting AnyConnect VPN natively through our OIN. You can go into the Okta Integration Network today, you can find a plethora of VPNs that are supported over RADIUS,
great documentation linked off from those VPNs in terms of how to set them up, configure them, deploy them at scale, and the best practices associated with that. We also launched support for Active Directory Federation Services, so if you are using AD FS on-premise as your IdP for single sign-on, you can still leverage Okta's best-of-breed MFA solution and use it in that context as you consider whether or not you want to move to the cloud for identity. And just to kind of round this off, I think the other point that I just want to bring home is that the team's been super hard at work just building lots of great security features across the board. You know, we've shipped improvements to our SMS deliverability, RADIUS capabilities, new MFA integration surface area, new factor experiences, really across the board. So I would encourage you to definitely talk to your CSM, look at Okta's website, look at the features and our documentation, and just sort of understand what's available. There's a lot there that you may or may not be taking advantage of within your tenant today. So without further ado, I'm going to hand it over to Sami, and he's going to do a little bit of a demo around some of the functionality that's currently in production.

All right. And for all those folks who are still streaming in, if you're standing back there in economy, there's still business class free upgrades available here at the front row, so come on down so you can see a little bit better. I wanted to focus on a couple of things only, of all the things that we've shipped this year, because if you need something like, for example, a Palo Alto integration or a Citrix integration, you already know you need it, so you're going to go and get it and find it. But I'm going to show you a couple of things that you may not know that you need, but I encourage you to take a closer look at. We have a couple of things here in early access, specifically around behavior
detection, that I wanted to highlight. These are the things that make it possible for you to create new, differentiated policies that look at the context of the access itself. For example, if a user comes in from a net-new device that we have never seen that user on before, you can create a specific policy for that, and that policy allows you to then say: I create a behavior detection rule, and then I can go in and create an authentication sign-on policy, for example, that takes that rule into account. Similarly, I can create policies around the user's IP address, and I want to show you something else also: the user's location. You can, for example, say that I want to ask, are you within 50 miles or 80 kilometers of the same place that we've seen you before? You can do this based on the actual locations where the users are coming from and start creating a behavior pattern of where this user normally logs in from. If they're not at home or at work or at the Starbucks where they go to escape from work to take a vacation from their desks, then you want to know about that and challenge those users, or potentially give them a different challenge at that point. So you can create these rules here and set the actual radius. Say, let's call this 80 kilometers, 50 miles; we're using kilometers, of course, because we're civilized, right? And we evaluate this against how many of the previous ones you want, let's say the last 40. Now I can save this rule, and I can then take that rule into my authentication sign-on policy. And in my sign-on policy, for example for my administrators, I can create that new rule and now say "behavior" and look at that location rule that I just created and add that in. This makes it easy to create graduated rules that really show what the actual risk is for this access and take that context of the user's access into account. There are many more things that we've done that might be interesting. Another aspect of this that I also want to highlight for you is we now have available to you things like detecting where the user
is coming from an anonymizer: if they're coming from a proxy, maybe a Tor network node, maybe an anonymizing VPN provider or something like that, and you can create network-level policies for those. So these policies, like we showed you last year, don't have to be just static IP addresses of known corporate networks; they can also now include country-level things, they can include dynamic things like anonymizers, etc. And with that I wanted to then bring it back to Alex, and we'll go into the future.

Thanks, Sami. Great. So I like to kick off all the security roadmaps, and if folks in this room have been to the previous security roadmaps that I've given over the last couple of years, you've probably seen this diagram, albeit it's prettier this year because we spent some money updating the slide. But the reason I continue to go back to this is that I really do fundamentally believe that this is the crux of security from an end-user standpoint: it's all about trade-offs, and it's about trade-offs between usability, security, and deployability. Okta offers a wide range of policy configurations and capabilities and authenticator experiences that allow you to strongly and securely authenticate your users, but at the end of the day there are just trade-offs associated with those different authentication experiences in terms of how you can deploy them: is it hardware-based, is it knowledge-based, what are the trade-offs associated with that, and what's the security profile of how you can authenticate those users. And so keep this in mind, but I think what I'd like to do at the end of this is hopefully bring it full circle and show that with a lot of the investments that we're making, we're actually trying to blow this up a little bit. We're trying to get to the sweet spot where you can actually achieve better security without the same usability trade-off, without having to add friction to the security experience for your end users. And so we'll talk through what that means. We really
think about our security roadmap in terms of three pillars or investment areas. One is around securing everything. The second is around factors, enrollment, and recovery; increasingly this is a really important area for our customers, thinking about how you securely bootstrap your users into new credential enrollments. And then the third is around adaptive authentication: how do we use those experiences to reduce the friction for authenticating your users and securing your users.

Let's jump into secure everything first. This is probably one of my favorite slides and transitions in this presentation, but, you know, suffice to say Okta was really born and built in the cloud. Everyone knows this is a leading IDaaS vendor. We're vendor-neutral, we're sort of the Switzerland of integrations; we'll work with many different organizations and partners and technologies, and really our goal is to try to connect that all up, particularly as it relates to our MFA and our strong authentication solution. Though we recognize that customers are on a journey, customers are on a journey from their on-premise solutions and investments and environments to that cloud world, and at the end of the day you can't just end-of-life everything that's on-prem. You can't completely transition away from your VPN, or you can, but maybe, you know, you still have to protect those on-prem resources and capabilities. And so we've really been focused on helping our customers bridge those investments: so take our Okta Adaptive MFA product capability, take that best-of-breed, cloud-based MFA solution capability, and bridge that to your on-prem environment, whether that's supporting your VPN, supporting your on-premise servers, whatever it might be. We want to make sure that we can help you transition and continue to leverage, as seamlessly as possible, what you've already invested in. So with that in mind, we've bucketed these integrations into kind of four categories, and these are things that you've probably seen
us make progress on previously, but we're continuing to invest in all of these as we move forward as well. The first category is on-prem IdPs. So we recognize that a lot of customers aren't going to necessarily modernize their IdP right out of the gate; they're not going to move to the cloud for identity necessarily. Some customers will, and that's great, a lot of our customers have historically done that, and that's awesome. But at the end of the day sometimes you need to support that hybrid scenario. Maybe the key requirement for you is solving a phishing or a compliance problem, and you want to go with Okta's MFA product to solve that problem, but you don't want to necessarily wrap that into an SSO project right out of the gate, or you don't want to take your IdP and move it to the cloud. In that case we want to support you in that model, and so we've been working to integrate with some of the traditional on-prem IdPs to help you bridge that gap and maintain that existing investment without having to modernize or change all of your investments overnight, where you can instead just adopt that MFA product out of the gate. So today we support Active Directory Federation Services as an MFA plug-in capability, and we're working on things like working with Ping and Oracle as well to support adding MFA to those solutions. The second category is VPNs and network-based environments, so things like Palo Alto Networks, Cisco VPNs. Really what we want to do is make sure that these are tier-one supported experiences, so that you can go to Okta, you can discover them in our Integration Network, and you can seamlessly add that and deploy the solution, or deploy Okta MFA alongside those solutions. The third bucket is just independent software vendors, so folks like Epic, particularly with the e-prescription solution; we want to make sure that you can use Okta's MFA solution in some of these point ISV-centric solutions. And then the fourth bucket is for
machines and infrastructure and servers, so things like supporting remote desktops. Maybe you have a compliance requirement around PCI compliance, you need to add 2FA to your remote servers; maybe you've got Unix boxes on-prem or in the cloud, you want to add 2FA to that. Okta has been making investments there to allow you to add strong authentication to your machines. Along the lines of the MFA-only third-party IdP integrations, again we want to make sure that we can help you transition as seamlessly as possible and continue to leverage that on-prem investment, and so again the focus here is really around interoperability. And so we've built a plugin for the AD FS environment, and we're working on additional integrations with Oracle and Ping as well. Touching a little bit on just our overall thought process on these MFA integrations, and particularly I think with respect to some of the VPNs and network-based integrations: we've really focused on making integrations that just work, so really streamlining that experience. Before, you know, you could add our MFA experience to your on-prem VPN, but it might take a lot of kind of lifting up the hood and trying to figure out how to connect those technologies together to make it all play well together. But we've really changed that experience, and it started with the OIN, it started with great documentation. So today you can actually open up our application catalog, you can search for Palo Alto Networks VPNs, you can find the RADIUS-based VPN, you can find the San Louis VPNs, you can find, you know, Cisco AnyConnect VPN. You can add that to your list of applications, you can assign users to it. We link off to documentation; that documentation has been vetted and created in a test lab environment, and we've got great screenshots that actually walk you through very explicitly not only what to do in the Okta service but what to do in the actual technology that you're trying to connect with our service. And so we're really focused on
trying to kind of hand-hold and make sure that you can get up and running as quickly as possible with those additional integrations. With that in mind as well, they're also fully supported, so we have a support team that's able to spin these environments up in a lab. So if you run into an issue, if you're having trouble getting something configured, we can actually support you in that journey. Again, with Okta the goal is really just to make this as seamless as possible and to just make things work as easily as possible out of the box. And the fourth bit, and kind of what underlies all of these investments, is really our underlying infrastructure and tech and our platform approach for actually adding MFA to different technology surface areas. And so we've invested in a developer toolkit and capability that allows you to add MFA to any application. This is actually what we're building all of our integrations on, and so what we'll do is we'll expose that to our customers. So let's say that you have, let's say, an on-prem application that you want to add MFA to; maybe it's not available in our integration catalog, it's not something that we support from a first-party experience, but you really need to protect that application. You can easily grab Okta's developer toolkit, you can leverage our OIN to add a custom integration, and you can just hook that right up to your application and leverage Okta's strong authentication capability within the existing application. So again the goal here is just to make sure that we seamlessly support all of your infrastructure, your technologies, and we make it really easy to add our strong authentication capabilities to all of your technologies. And just to close this out, kind of where we've been and where we're going: this year, particularly the last six months, were big for us in terms of shipping some of these new integrations. So we shipped Cisco AnyConnect, Citrix NetScaler, RADIUS-based support, Palo Alto Networks, Microsoft AD FS. We
have a credential provider for Remote Desktop, so if you need to protect remote servers you can do that today using Okta's MFA product. And then in the future we're just continuing to push that forward, so continue to look for great things from us, and let us know if you have interest in additional integrations that we're not covering; we'd be happy to chat with you about that. So that's really securing everything. Again, it's taking our MFA product capability and making sure we wire it into your environment, making sure that we can help connect all of your different technologies together and all the different surface area of your networks, machines, devices, applications, whatever it might be, and to leverage Okta in those scenarios.

The second area that I'm super excited about is factors, enrollment, and recovery. So increasingly, as you think about the security landscape, step one is how do you make sure that you've prevented things like broad-based phishing attacks and credential breaches using strong authentication capabilities. Really the problem statement then begins to shift and change to: how do I strongly enroll the user in the first place? How do I make sure that I secure their recovery so that someone can't socially engineer the help desk from a recovery standpoint? And so we're starting to focus on how we solve these problems to make sure that we're addressing the weakest link in the daisy chain, because pretty soon, particularly when you get to passwordless experiences, the weakest link in the daisy chain is actually the recovery and the enrollment process in the first place. So we have to make sure we solve those problems. This is a slide I like to use just to kind of talk about the importance of thinking about the different assurance levels across some of the different factor experiences that we support. So at Okta we've made a lot of investments over the last two years to support
just a wide range of different factor type experiences, from the low to the high assurance modes. And this is really important in the context of that initial slide I showed, balancing usability, security, and deployability, because fundamentally each of these different factor experiences has very different attributes across those three dimensions. So things like security questions and passwords: incredibly usable, I don't know anybody who doesn't know how to type in a password, we've been pretty programmed to be able to do that through our lives; pretty deployable, meaning an application developer knows how to deploy those and use those; from a security standpoint, I think we've all realized they're not particularly the greatest, because they can be written down on a piece of paper and put on a laptop, or they can be phished, or they can be told to someone. But that being said, I think there is a place sometimes for lower assurance credentials, particularly as you think about the security and the risk profile of the users who are authenticating and maybe some of the constraints that you might have around different populations of users. Maybe the users don't have access to mobile phones or hardware devices, or, you know, it's cost-prohibitive to be able to deploy some sort of a hardware or token-based solution for authentication. But the point here is that we're really supporting that wide range of factor experiences, and so when you take this and you look at this in the context of our adaptive authentication capabilities, hopefully the story starts to come together in terms of how we're blending those contextual signals with the factor and the assurance of the different factor experiences to get the right level of assurance for your authentication. On that note, with the factors, one of the ways that we're maturing these factor experiences is really looking at genericizing some of the different factors that we support today. So today we have a Google Authenticator
factor type, which is really a TOTP-based implementation, but we want to make that a generic TOTP-based experience from an admin and an end-user standpoint. We want to allow you to procure hard tokens from a vendor if you'd like to, that just use standard TOTP-based algorithms for generating the one-time passcodes, and actually import those seeds and secrets into the Okta admin panel, provision those tokens to your users, and help you use those hard token experiences with third parties, if that's what you wish to do. So we're investing in genericizing that experience. Similarly, and this is kind of a theme you'll see across our factor experiences, is really taking them and moving them forward in terms of being able to leverage them across different surface areas. Similarly, what we're doing is we're taking our Okta Verify experience and also making that a generic push experience, where you can do an out-of-band verification of a little piece of data, a nonce, using the push channel. So this is something that we've internally called an Okta Push Verify SDK experience, but really, effectively, what we're doing is we're saying that Okta Verify is just an implementation of a push verification, an out-of-band verification via the Okta service, just using our native Okta Verify application. But there's no reason that we can't allow you as a customer, instead of pushing that to the Okta Verify application, to push that to your consumer mobile application or your partner application or whatever it might be, to do that push verification in a branded way through your website. So this is a scenario that we hear a lot, particularly from our platform customers who want to maintain a branded experience or want to be able to do transactional verification to their existing surface area, their existing mobile surface area, for their end users. And then another area that I'm particularly excited about is around web
authentication and FIDO. How many folks in the audience have heard of WebAuthn? Okay, quite a few, that's awesome. How many folks have heard of FIDO, while I'm at it? How many folks have deployed U2F in production? This is just more personal interest. Okay. So at Okta we are super aligned on FIDO. Many times I'll get questions and say, what do you guys think about FIDO, are you in, do you think this is the right pattern, do you believe in it? Absolutely. So what FIDO really did, which I think is super interesting, is it abstracted the verification of the credential with the relying party, which is Okta, from the authenticator experience itself. And so it means that you can bring a strong authenticator like a YubiKey hard token to the Okta service, you can self-register it with the Okta service, and then you can verify it for step-up authentication. And that verification is really powerful because it's origin-bound, which means it can't be phished. So that means if someone tries to phish users using okta-bad-guy.com or something like that, and actually tries to do the verification and then replays it against the Okta service, it's not gonna work, because it's bound to the bad-guy domain, not the Okta domain. But more importantly, and what's really exciting, is that WebAuthn actually started to solve some of these problems of external authenticators as well as on-device authenticators. So we're starting to see a really robust ecosystem evolve around how do we build in strong authentication to hardware devices in particular. So Windows Hello I think is a great example of an on-device hardware authentication solution, using a biometric to unlock a private key in a TPM that can be used to verify the user up to the Okta service. And even in that scenario, if you're using a PIN code to unlock Windows Hello, one-two-three-four-five, the reality is that from a security perspective it's much, much, much better,
because the only attack that you really have to try to hack that user is to physically steal their laptop and then to guess that PIN code over and over again. And I've said this before, and I'll kind of say it again, but if, as an industry, we've reduced the attack surface on our customers to physically stealing phones and devices, that's a pretty good security model to have. At the end of the day, what we want to do is we want to solve these broad-based phishing attacks, and we want to solve these broad-based credential theft attacks, and so WebAuthn. Our factor experience, and making that more generic: so we've heard a lot of customers say, how do you interoperate with this identity proofing company, or how do we create a better integration over here, how do we support multiple security questions, or whatever it might be. So Okta supports native factors today; we do integrate with third-party MFA solutions, so if you've got your own MFA solution we'll work with them. But really the question for us then is how do we interact with sort of third-party authentication and identity proofing solutions scalably? So how do we build a platform that allows you to integrate those solutions with the Okta product? So this is an experience that we're calling a custom factor experience, and what this allows us to do is to make a call-out via SAML or OIDC to a third-party authentication solution and then use that for step-up authentication, or use that anywhere in the Okta product that you would use a factor experience. So when you think about how we start to solve things like credential enrollment: maybe you've built a homegrown knowledge-based authentication solution that checks the last four digits of someone's social security number, who their manager is, has some workflow, whatever it might be. You can take that experience, you can build it, you can use it in the Okta product to bootstrap the credential enrollment and recovery process. So
now you're starting to see how we're really trying to solve that secure enrollment and recovery problem by allowing you to drive, you know, maybe higher assurance identity, you know, more identity-proofing-driven requirements during the enrollment and recovery experiences, and/or just mix and match those throughout the Okta product. So you'd be able to use this, maybe, if the user forgot their mobile device: they can use that experience to do step-up authentication to the Okta service. So it starts to unlock a lot of really powerful scenarios in terms of using Okta as a platform for authentication, leveraging our existing workflow experiences and policy frameworks, pulling in third-party authentication solutions, whether those are off-the-shelf providers or something that you've homegrown. So I'm personally super excited about this and some of the scenarios that this starts to unlock for our customers. And this just touches on that a little bit more. So we really want to solve, again, that identity proofing, enrollment verification, recovery process, and do it in a scalable and secure way. We're also starting to think about how we need to evolve the policy framework around credential enrollment management in particular, and so doing things like targeting specific applications and whether or not you can enroll when you're accessing those applications, how often and when we should prompt the users to actually enroll in credentials, so you can drive that mass MFA rollout problem statement for users at large. And then obviously the identity proofing capabilities that I just mentioned there.

The last area that I wanted to touch on is around adaptive authentication. And adaptive authentication we like to think about in terms of, well, first we kind of frame it up in terms of contextual access management, and contextual access management is just really a fancy way of saying let's look at all the different context coming in around the authentication and then
let's drive the right security requirements to authenticate to the Okta service based on that context. So you've seen us make investments around network context, things like network zones. You've seen us make investments around location context, so we can do geographic-based policy decisions, you know, locations you're logging in from, we can do new location detection. You've seen us make investments around device context: our Device Trust feature, we have a new device detection feature, we actually fingerprint devices now from the browser, send that to the Okta service, and build a behavioral profile around those users and the devices that they're authenticating from. But what we're doing with all that context is: you can build static policy on it today, but eventually we also want to make that just easily consumable from a risk standpoint. So we're gonna take all those features, all that context we're building and pulling out of the authentication context, and we're gonna deliver a risk score capability that just allows you to say, look, I want to just get a single score and say if the user is authenticating and it seems to be very risky, do X. And that's also, kind of, hopefully a lot of folks heard about the Okta ThreatInsight feature that we launched today; I'm personally very excited about that feature, but that's a part of that story as well. And then to tie this all together: you've got the context from the authentication; what we want to be able to do then is drive that adaptive response. So today what that adaptive response looks like is prompting for a second factor or allowing and denying access, but what we're announcing today at Oktane, and where we really kind of changed the game, is around this custom factor sequencing capability that I'll talk about in a second here. Just to double-click a little bit on Okta ThreatInsight: I think this is just such a natural story for us to tell. The reality is Okta is the service; we see attacks across thousands and thousands of
customers and billions of authentications a month, consumer websites, enterprise sites, the whole gamut. And we see, you know, broad-based phishing attacks, password stuffing attacks, credential theft attacks, password spray, the whole gamut of credential-based attacks on our service. And we have this intelligence today; what we want to make is that intelligence accessible for you as an admin to make smarter access decisions on. So eventually we'll fold that into the risk score, you can also use that in the static policy, and then you'll be able to use that to drive the adaptive response capability. On that note, with the adaptive response capability, really the goal is to kind of split the access management policy into two pieces. You have your context pieces that I just talked about, around location and IP address, device, you know, risk, threat signals, things like that. And then instead of just saying step up or deny or, you know, restrict the session length, really what we want to say is: the risk that we observe for this user is low or high; how do we need to authenticate this user in a way that makes us feel like we've ameliorated that risk, we've addressed that risk from an assurance standpoint, with the credentials that they've presented? Because the credentials that they presented are secure enough to prove sufficiently that they are that user, regardless of what their risk actually is. And so this is a feature that we call factor sequencing. It helps power our passwordless experiences today, or the passwordless experience that we actually demoed at Oktane today, and what's great about it is it really allows you to completely mix and match those factor experiences in Okta. So maybe if the user is authenticating in a high-risk scenario, you're going to require a U2F factor and then a password as a second factor; or if it's a low-risk scenario, maybe you can just ask for a password, whatever it might be. Again, you kind of mix that context
and then drive the policy as you see fit. And with that we're gonna pass it back over to Sammy to actually demo the factor sequencing feature.

So let's take a quick look here at an organization where I've turned on this factor sequencing capability. I have here an engineering group within my org, and I've set up a policy for access from different kinds of locations, requiring different kinds of factor sequencing. So here I have a different policy for coming from anonymized access, if I'm using the Tor network, if I'm coming from a VPN or something different; one for outside of the headquarters; and one inside the network, inside the headquarters. And it results in a different user experience. So let's take a look at that. I'm here as Heidi Noland, I'm an engineering VP, I'm about to log in to my system, but I'm actually coming from an airport Wi-Fi and I turned on my anonymizing VPN so that I can be secured in this high-threat environment that I'm logging in from. You notice that I only see the IdP discovery-style login page here, where it's simply a username that I'm being prompted for. When I click Next, the factor sequencing will then determine my context, where I was at the time, what network I'm coming from, and realizes that the right policy here is to ask for something secure. Now you'll notice that I'm not prompted for a password; I'm prompted for a U2F security key, a FIDO token. The reason we're doing this, of course, is that this allows us to not even expose any kind of password guessing, or any annoyance like random people trying out user access and sending SMSs or push notifications to the legitimate users. So I'm gonna start with something here that's strong. So with that I'll just reach out into my security key pocket (if you wondered about that small pocket in your jeans, it's for your security tokens, little-known fact). Let me plug that in here, authenticate, and now, since it's a high-threat environment, it also wants me to do the push verification. I'm going to
send the push here, and when the push comes to me I can simply approve it from here. I'm of course gonna do it from my watch, because it's 2018 and we're not animals, right? And then only at that point, when I've verified, will I be asked for my password. In this particular case, since I'm out of the network, I'm still doing that final step, so I'm going to request that password to be typed in, and let's see if I still remember Heidi's password here. And it drops me into the portal.

All right, so what if I do this when I come into the office? What kind of experience would you expect there? So if I log out here, and I sign off from my VPN while I'm at it, when that VPN connection is no longer there, then what I can do is I will reconnect here. Let's see, my VPN should be off, and if I type in Heidi's username here and sign in and click Next, now that I'm in the office network it simply automatically sent the push verify to me. I'll accept it here, approve, and I'm in, passwordless, because now I'm in a protected environment, in a network with a recognized device, with a recognized authenticator, and I am allowed in, and I now have full access to all the assets, not the limited access I had from that anonymous network. I'm glad for that.

Thanks, Sammy. I actually realize that's what the small pocket was for, for collecting lint. Yeah, so hopefully at this point what I'm hoping that everyone sees is strong authentication capability, so a mixture of different authenticator experiences from low-assurance to high-assurance modes, with a mixture of usability, security and deployability trade-offs; context, being able to understand more about the user and the risk associated with that authentication; and then the ability to respond to that context with a mixture of those authenticators to make sure that you're securely authenticating that user. So the story there is that, instead of always having the most heinous security experience where
you have to do step-up authentication every single time with multiple factors, or whatever it might be, maybe you reduce that security requirement in certain scenarios and you step up that security requirement in other scenarios, so it's only the high-assurance factors. And with that in mind, really the goal is to enable more secure end-user experiences at the end of the day. So this is around modern passwordless authentication; that's really the goal for this. And at the end of the day, sure, you can use things like security questions or a hard token for a passwordless experience, but where we really want to converge from an architectural standpoint is moving that passwordless authentication experience to more of a crypto-based experience, ideally out-of-band or in a non-phishable way. So in this world Okta is the service provider; we've got some sort of a public key associated with the authenticator that's been registered for the user; that challenge is sent online down to that authenticator, where the user is doing a presence- or biometric-based verification to unlock that key, to sign a piece of data and to send it back. So fundamentally that is our Okta Verify architecture: it's using a cryptographic-based verification out-of-band from the web channel so that it can't be phished. That's FIDO U2F tokens, and that's Web Authentication, at the end of the day. So we want to help our customers move to that through a combination of supporting the standards, supporting the diversity of factor experiences, and then supporting the policy framework.

And then lastly, just to kind of bring it home, I think at the end of the day security is also about end-user enablement as well, and so we've made some investments over the last year just to step up the amount of visibility that end users have into their security profile. So things like new device notifications: as I mentioned previously, we now fingerprint all the devices that
authenticate to the Okta service, and when those fingerprints are set up we can do new device notifications based on the fingerprint to the end user, letting them know that an authentication has taken place from a new device. I think at the end of the day, when I think about security, you can always authenticate users as strongly as possible, but the reality is that there are layers; security is a defense-in-depth strategy, and it's the same in the cloud as it has been traditionally on prem. And so you have to think about how do I put the controls in place, but then how do I also empower end users to make smarter security decisions and give them the visibility that they need to take control of their security experiences. Another feature that we recently launched in beta that I'm also very excited about is credential reset and enrollment notifications. So on the MFA side, if a user enrolls in a new MFA factor, or if an MFA factor is reset, the end user gets a notification on this, again just giving visibility to the end user that a change in their profile has taken place that might affect their security posture. And if that looks out of the ordinary for whatever particular reason, they can contact the IT help desk and help them figure out if that is a security issue.

So with that I want to say thank you. That's our security roadmap for today, and we've got about four minutes for Q&A if folks have any questions. Oh, we got a question in the back there. Do we have a microphone runner? Microphone, yeah, we have a runner, sure, yep.

Yeah, so the question was around password reset. So that's tied up in secure enrollment and recovery, so I didn't touch on it at that level of depth, but basically we are rationalizing our recovery experiences with our enrollment experiences, making sure that you can use that same set of factors for proofing yourself before enrollment as well as proving yourself for recovery, whether that's account recovery or a
password recovery. And so the idea is, at the end of the day, a password is just another type of credential; it's not a special credential. And so as we think about moving to passwordless experiences, really the question becomes: how do we strongly identity-proof this user to make sure they enroll, how do we identity-proof this user to allow them to reset or recover their factors? And so those are two different policy frameworks, and the way that you can drive those experiences and identify the users is through the mix of the contextual features that I talked about, the authentication capabilities that we support, all of our different authenticators, or a custom authentication experience if you want to home-roll your own identity proofing experience or integrate with a third party for identity proofing.

Yep. Yeah, absolutely, in fact we support Windows Hello integration today for step-up authentication, so you can use Okta, you can use facial recognition for step-up authentication. I don't understand, like... yeah, kind of quick, yeah, couldn't quite hear the full context, sorry.

Yeah, I have a microphone. Whoa, I have a microphone now. Um, anyway, is there a way to look at using Windows 10, to have Okta sit in front of Windows 10 to use second factor authentication without using Windows Hello?

So logging into Windows 10, you mean? Yeah, not today. I mean, I'd be happy to take it offline with you and explore the use case afterwards. I think Windows Hello solves some interesting problems, just strongly authenticating the user to the device, and it'd be interesting to take that offline. Great, any other questions? Yeah, microphone coming. Yeah.

Yeah, do you guys have any plans to let administrators view what's in the user behavior, what's being stored?

You know, we've talked about it. I'd be happy to explore that use case with you as well offline. Where it's primarily come up is around things like devices, so I know that there's a strong desire to expose the list of devices
that are associated with a user's profile, and frankly from an end-user security perspective I'm also excited about that, just allowing end users, when they log into the Okta portal, to see the devices associated with their account and revoke OAuth tokens and things like that from those devices. So that's definitely something we've talked about. Outside of devices, I'm not sure if you have a use case there, but I'd be happy to explore that with you afterwards. And today the administrator can reset that behavior if they need to do so, right? Yep. One more time for one more question. Well, microphone coming, you have one, that's coming.

Do you have anything for integrating with third-party products to take feeds from device reputation and stuff? Yeah, so for fraud, yeah.

It kind of depends on how you want to do it. So our fingerprinting solution is actually abstracted at the API level, so if you want to bring your own fingerprinting technology you can actually do that with Okta today; that's exposed on our developer website. I think you might be asking a slightly different question, though, which is how do you call out to maybe third-party device attestation services to do some sort of an interrogation there. And there are two different patterns and approaches for that. One way you could look at doing it is with the custom factor experience; at the end of the day that doesn't necessarily imply some sort of a user interaction, so you could redirect that user to that experience, maybe check whether the endpoint software is on that device, and then redirect the user back as successfully authenticated in that experience. So it's a way to sort of attest to the security posture of the device. Separately, if your use case is more around "I want to just pull in signals from a third-party device feed or something like that and use that for step-up auth," that's a little bit more an extensibility capability we've been building
out from a platform perspective, and I think there's a session on that at Oktane, although I'm not sure what it is, but the keyword is extensibility. All right, I think we're out of time, but happy to take some questions afterwards, folks. Thanks everyone, thank you.
Info
Channel: Okta
Views: 1,265
Rating: 4.64 out of 5
Id: WchEmEvV5OA
Length: 44min 21sec (2661 seconds)
Published: Thu May 24 2018