Okta Personal (oktapersonal.com)
46 points by nikolay 8 months ago | hide | past | favorite | 50 comments

I don't understand your position:

1. In the first hack, if anything Okta over communicated about the hack: the hack ended up being much less severe than they originally said was possible, and, from a security perspective, the hack didn't really have any negative consequences to customers.

2. Your second 2 links are about the same issue, which was a breach of their GitHub accounts. Again, it's worrisome that someone could find vulnerabilities in their source code, but no customer data was compromised.

You're free to think what you want about the severity of these hacks (I personally think they're low), but I don't see how you could have problems with "how they dealt with it each time". They seemed to have textbook correct incident response communications - what else would you suggest they had done?

Also, given the nature of the breaches, I don't think they point to severe security culture problems at the company (in contrast, for example, to the LastPass and Solarwinds breaches, which showed all the signs of clown show security culture IMO).


Identity providers are competing with passkeys now in non business/org settings, and there is only so much idp/SSO enterprise marketshare to fight over. Similar story with password managers (yes, yes, there will always be a market for folks who want to backup their passkeys to sovereign storage with a passkey manager, and that capability should exist, but your average user won’t; they’ll rely on iCloud/Google/Chrome storage, governance, and access controls for key material).

(IAM is a component of my work)


Absolutely this, plus the fact that this smells like a pet project that'll get shut down next time there's a reshuffle. Keep it.


This is interesting to me in only one respect.

The fact that they think the personal market is lucrative enough to break into while already being successful in the enterprise makes me sad that 1Password couldn’t be content with the personal market and instead decided it was enterprise or bust, much to the chagrin of many of their personal client base.


My interpretation is actually the opposite.

I believe that 1Password has grown significantly in the professional space, and that Okta likely sees this trend as a competitive threat.

If there's anything that Apple's upending of Blackberry taught us, it's that all you need is one key decision maker in an entire organization to say "wait, why can't I use {product x}?" for that organization to slowly move away from the entrenched enterprise solution. The fact that Okta is joining the consumer space validates 1Password's decision to creep into the enterprise market.


Bold to assume I love Okta.


I mean, it's certainly strange to "love" an IDP. Though I will say, going from a more corporate-controlled Azure AD + Ping + on-prem legacy crap, working somewhere that gets everything funneling through Okta has been SO much better.


This couldn't be more true


yeah that's gotta be...one of the more interesting marketing taglines i've ever heard.


“The comcast you know and love for work, now for home.”


It's the least-bad corporate SSO provider I've used. That's a few steps away from saying I like it, much less love it, but still.


I’ve used Okta for work and I don’t love it.

Does anyone love it? I buy it but it seems really expensive and not a fantastic UX. It’s weird how expensive and complicated this is and I’m surprised there aren’t more competitors because the cost should be rather low.


As a former IT admin who administered Okta, it's pretty feature-rich and I thought the UX was pretty good compared to Microsoft.


I use Okta and Microsoft’s Intune/MFA/SSO and I’m not sure which is better. Neither is that great I think.

The thing that's annoying to me is the price is $2-11/user/month for SSO. That's crazy considering orgs have thousands of employees that need this and previous self-hosted solutions from CA and others were $50-100k for unlimited accounts.

And this seems like an odd price per user, and it costs similar amounts to support 1000 users as 5000.


What's more annoying is that every SaaS product on the planet puts SSO behind their most expensive "ask us the price" tier.

Microsoft should be including SSO in their baseline/free products and all enterprise and wanna-be-enterprise software should put it in its base tier.

Logon security shouldn't be tucked behind a paywall or held hostage as a bonus quadruple-the-price feature, because breaches have wide-reaching consequences past just the company attacked going down.


I fully agree with you about the SSO tax.

I would like to add that configuring Azure AD as an SSO provider is available to any tenant free. Some of the functionality like Conditional Access does require paid licensing.

I’m aware of a number of businesses that are very happily using Keycloak in production. Not everyone can, although there is RH SSO if you need the support contract.

Then there’s Gluu, Authelia, and many others depending on your needs.

Sadly even with basic security we can’t seem to fully trust our own vendors to have our interests at heart.


SSO without Conditional Access is almost worse. It's like Microsoft knows it COULD stop attackers from entering the account, but won't unless you pay them more. To give them credit, at least MFA authenticator apps are free (and now basically forced).


We mitigate this by disabling non-phishing-resistant MFA factors in the tenant. You can achieve some of the Conditional Access MFA controls using the new MFA options and user groups, but it is not the same and doing it well requires a little more planning and sanity checking.
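One way to sanity-check that kind of tenant policy, as an added example that is not part of the thread and not Microsoft's or Okta's code: the function below audits a document shaped like the Microsoft Graph `authenticationMethodsPolicy` collection and reports which enabled methods are not phishing resistant, then builds the PATCH bodies that would disable them. The sample policy is constructed for this example; the allowlist of what counts as phishing resistant (FIDO2/passkeys and certificate-based auth) is an assumption you should align with your own authentication-strength policy.

```python
"""Audit an Entra ID authentication-methods policy for phishable factors.

Added example. Input is a constructed sample shaped like the Graph
'authenticationMethodConfigurations' collection under
/policies/authenticationMethodsPolicy; the method IDs ("Fido2", "Sms", ...)
are the ones Graph uses, but the sample tenant state itself is made up.
"""
import json
from typing import Dict, List

# Assumption: only origin-bound credentials count as phishing resistant.
# SMS, voice, TOTP and push approvals can all be relayed by an
# adversary-in-the-middle proxy, so they are treated as phishable.
PHISHING_RESISTANT = {"Fido2", "X509Certificate"}

# Constructed sample: the shape of the Graph collection, not a real tenant.
SAMPLE_POLICY = json.dumps({
    "authenticationMethodConfigurations": [
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
         "id": "Fido2", "state": "enabled"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
         "id": "MicrosoftAuthenticator", "state": "enabled"},
        {"@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration",
         "id": "Sms", "state": "enabled"},
        {"@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",
         "id": "Voice", "state": "disabled"},
        {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",
         "id": "SoftwareOath", "state": "enabled"},
        {"@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
         "id": "TemporaryAccessPass", "state": "disabled"},
    ]
})


def phishable_methods_enabled(policy_json: str) -> List[str]:
    """Return the IDs of enabled methods that are not phishing resistant, sorted."""
    policy = json.loads(policy_json)
    findings = []
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if cfg.get("state") == "enabled" and cfg.get("id") not in PHISHING_RESISTANT:
            findings.append(cfg["id"])
    return sorted(findings)


def disable_patches(policy_json: str) -> Dict[str, dict]:
    """Build the PATCH bodies that would turn each phishable method off.

    Keyed by the path suffix under /policies/authenticationMethodsPolicy/;
    the caller decides whether to send them. TemporaryAccessPass is skipped
    on purpose: it is the usual bootstrap path for enrolling a FIDO2 key, so
    disabling it blindly can break onboarding.
    """
    policy = json.loads(policy_json)
    patches: Dict[str, dict] = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        method_id = cfg.get("id")
        if cfg.get("state") != "enabled" or method_id in PHISHING_RESISTANT:
            continue
        if method_id == "TemporaryAccessPass":
            continue
        patches["authenticationMethodConfigurations/" + method_id] = {
            "@odata.type": cfg["@odata.type"],
            "state": "disabled",
        }
    return patches


if __name__ == "__main__":
    for m in phishable_methods_enabled(SAMPLE_POLICY):
        print("enabled but phishable:", m)
    for path, body in disable_patches(SAMPLE_POLICY).items():
        print("PATCH .../policies/authenticationMethodsPolicy/" + path, json.dumps(body))
```

Whether Microsoft Authenticator push stays on is a policy call (it is convenient and free, but not origin-bound); the allowlist set is the one knob to change if you decide to keep it.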


Welcome to the enterprise SaaS industry.

(Also accounts with user counts that high aren’t paying MSRP you see)


I use auth0 and like it, and I dread the day that Okta decides to "harmonize" the experience by replacing it all.


They killed the apple watch app which has made my life more difficult. App switching, getting out my phone when previously I just needed to look at my wrist.

All in all this is a pass from me because I don't believe Okta are focused enough on their end users. Too guided by the critical mass that exists at the top.


This must be a joke or a hoax. The ChatGPT blurb made me question it, but the whois data sealed the deal. It's registered on GoDaddy with a private registrant.

https://www.godaddy.com/whois/results.aspx?domain=oktaperson...



This is not unusual even for very large companies anymore. Somehow GoDaddy actually gets this sort of business from companies that -should- know better than to do business with GoDaddy.

More than a few on the Fortune 500, for example.


One thing I find odd about Okta's marketing when it comes to passkeys and passwordless is that they market it as "Biometrics". I guess this makes sense since the prompts that users see on most platforms are for FaceID/TouchID/Windows Hello. But I, as someone who understands how passkeys are implemented on these platforms, know that Okta doesn't actually deal with any biometrics, nor would I ever want them to.
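To make the point concrete, here is an added example (not Okta's code, not from the thread) that parses the `authenticatorData` a relying party receives in a WebAuthn assertion. The field layout (32-byte RP ID hash, one flags byte, 4-byte signature counter) is from the WebAuthn spec; everything the server learns about "biometrics" is the single User Verified flag bit. The sample bytes are constructed here; signature verification over `authenticatorData || clientDataHash` is left out because it does not change what data the RP sees.

```python
"""Parse WebAuthn authenticatorData and apply the RP-side checks.

Added example. Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
| optional attested credential data / extensions. A platform authenticator
does the Face ID / Touch ID / PIN check locally and reports only the UV bit.
"""
import hashlib
import struct
from typing import Dict

FLAG_UP = 0x01  # user present (touch / gesture)
FLAG_UV = 0x04  # user verified (PIN or biometric, checked on the device)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # backup state (currently synced)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct authenticatorData the way an authenticator would for an assertion."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def parse_auth_data(auth_data: bytes) -> Dict[str, object]:
    """Decode the fixed 37-byte prefix; anything after it is extension data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "trailing_len": len(auth_data) - 37,
    }


def rp_accepts(auth_data: bytes, expected_rp_id: str, require_uv: bool = True) -> bool:
    """What the relying party can check: RP ID hash, UP, and UV if the policy demands it.

    The RP ID hash is what defeats phishing: a credential scoped to okta.com
    produces a hash that never matches on a look-alike domain, so the
    assertion is rejected before any biometric question even arises.
    """
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).hexdigest():
        return False
    if not parsed["user_present"]:
        return False
    if require_uv and not parsed["user_verified"]:
        return False
    return True


if __name__ == "__main__":
    # Constructed: a synced passkey assertion for okta.com with UV set.
    sample = build_auth_data("okta.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(parse_auth_data(sample))
    print("accepted:", rp_accepts(sample, "okta.com"))
```

Note that synced passkeys report a signature counter of 0, so a counter-based clone check is not available for them; the RP's policy reduces to the flags and the RP ID hash.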


Perfect. Can't wait to bring it to our next family CAB meeting. Ever since going enterprise my family's profits are through the roof. ITIL literally has saved my personal relationships and finances. I realized both of my children were net loss figures for the next 18 years so we dropped them off at the fire station and our P&L numbers have never been better.

Also turns out being PiMP certified has brought in tons of money, which my wife was against until I showed her the statements from our Call Girls (1099 contractors)


I would be looking for round 2 investors in your AI-synthesised book "how to sell your kids pre-IPO" and also discussing ISO 27001 certification on those dance poles. Are they conformant? Are they made onshore or are you ignoring supply chain risk here?

What about the front yard basketball hoop. You should be renting that from a local startup, not capitalising all that plastic.


As suspicious as the domain may look, it does link out to personal.okta.com for account creation. The privacy policy is also a link to okta.com.

Despite the ChatGPT reference, it appears to be a legitimate marketing domain for Okta.


Ideally you'd find a reference to oktapersonal.com on okta.com, the other way around hardly matters. Only the help center seems to be doing so at the moment: https://support.okta.com/help/s/okta-personal/about-okta-per...

No links found on okta.com. Although of course signing up on personal.okta.com is safe (as safe as it is to use Okta anyway; they don't have the best track record exactly).


Why even have oktapersonal.com? personal.okta.com is almost the same number of characters - just an extra period. Is it purely for SEO purposes? Is it because a company can be named “personal”, and so personal.okta.com would be taken by an enterprise customer?

Naming conventions like this really trigger my phishy senses.


It drives me nuts that the web went away from this kind of "use a subdomain to prove ownership" to "register a cute .com that looks like phishing."

It's made trust so much harder to establish, and completely ruined any sort of ability to educate others on how to read urls.

Even local governments have moved to citystate.gov instead of city.state.gov.
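The "subdomain proves ownership" rule from the comment above can be written down as a check, as an added example that is not part of the thread: a host is trusted only if it equals, or is a proper subdomain of, a registrable domain the organisation has already verified. The allowlist (`okta.com`) is an assumption for illustration. The interesting part is the inputs that trip naive `"okta.com" in url` checks: userinfo tricks, look-alike registrations like `oktapersonal.com`, `okta.com.evil.example`, trailing dots, and IDN labels.

```python
"""Decide whether a URL's host sits under a domain we actually control.

Added example. TRUSTED_REGISTRABLE is an assumption standing in for the
registrable domains the reader's organisation has verified; the point is
that personal.okta.com inherits trust from okta.com while a separately
registered oktapersonal.com does not, however legitimate it turns out to be.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: registrable domains verified out of band (DNS, certificate, WHOIS).
TRUSTED_REGISTRABLE = {"okta.com"}


def host_of(url: str) -> Optional[str]:
    """Extract the host: drops scheme, userinfo (user:pass@), port and trailing dot.

    urlsplit().hostname already lowercases and strips userinfo/port, which
    defeats "https://okta.com@evil.example/" style URLs. A bare
    "okta.com/login" without a scheme has no host and is rejected rather
    than guessed at.
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    host = host.rstrip(".")
    return host or None


def is_under_trusted(url: str) -> bool:
    """True only for a trusted registrable domain or a proper subdomain of one."""
    host = host_of(url)
    if host is None:
        return False
    # Non-ASCII or punycoded labels are refused outright: mixed-script
    # look-alikes are not something a string comparison can settle.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    for trusted in TRUSTED_REGISTRABLE:
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


if __name__ == "__main__":
    # Constructed URLs for illustration.
    for url in ["https://personal.okta.com/signup",
                "https://oktapersonal.com/",
                "https://okta.com.evil.example/",
                "https://okta.com@evil.example/",
                "https://OKTA.COM./"]:
        print(url, "->", is_under_trusted(url))
```

The same shape of check is what a password manager does when deciding whether to offer a saved credential: fill on `personal.okta.com` because it shares the registrable domain, do not fill on `oktapersonal.com`. That is also why a vendor that ships a look-alike domain makes its own users easier to phish.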


To add to that, the domain was registered only 6 months ago. However, the official okta docs have links that redirect to this new site:

https://support.okta.com/help/s/okta-personal/using-okta-per...


Haha not bad. I can see people for whom this is useful. For my part, though, I prefer Bitwarden because it's got open source implementations. And with passkey coming to it, I should be set.

Cool tool but a bit late, I think. Maybe if it were earlier before the M1 when 1Password and LastPass would freeze the page.


> The Okta you know and love for work...

I don't think I love anything from work, much the same way most McDonalds fry cooks probably aren't particularly smitten with the spatula at their restaurant's grill. But of all the things I regularly interact with at work, Okta is probably the thing I love the least since it signs me out 8+ times a day and bounces me through an unholy amount of redirections every time I click on a "chiclet" all in the name of "security".

If I was still having to track my time, I would genuinely have to log a ticket each day for dealing with Okta with the amount of time it sucks up.


I didn’t set it up yet, so can’t tell. Is this just a personal version of their janky “sso” where they store passwords and their chrome add-in pastes it into the login prompt?

I.e., not actual Okta-proper that's an IDP doing SAML or OIDC auth?


I can't think of a single application I use that supports SAML for non-business/enterprise accounts.


Case in point, https://stopthesso.tax/


I went through the login flow for this and I think this is an architecture similar to 1Password and not just their legacy paste-a-PW thing. It prompts for a password as well as a second "PIN" for the encryption part.


There's a pretty interesting interview with the chief information security officer, customer identity at Okta on Decoder this week:

Biometrics? Bring it on: Why Okta’s Jameeka Green Aaron wants passwords to go away

https://www.theverge.com/23850354/biometrics-breaches-okta-j...


I love the idea, and will recommend it to people.

As a security and privacy pro, my own social login footprint is too small to use it, but making products for security people is useless anyway. Someone had to solve this, and a secure portal for app logins also owns the channel. The main risk is that vendors will see their flows being interdicted and sabotage the app, that's how good this is, imo.


I'm not giving my phone number to a company with a history of poorly handled security problems.

(Sign up requires SMS confirmation)


I really dislike Okta. I hate using it, I hate that I have to use it, and it's extremely annoying to use.


I want all my apps in one place, right where they are, on my desktop computer. I don't have an i9 with 64GB of RAM, two 2GB SSDs, and a 16GB graphics card so I can cloud compute.


I love getting MFA prompts constantly and getting locked out unexpectedly so much that I can't wait to use it for my personal life too!


“Know and love” is assuming a lot.

Feel like they should have rebranded and just launched a separate product.


Been waiting for something like this. SSO for personal users will be awesome!


I haven’t met anyone at work that loves Okta. Tolerates, sure.


Know from work? yes. Love from work? No.


Someone loves Okta?!



