Okta solutions for phishing resistance
Okta phishing resistance can protect your organization from identity-based attacks.
The traditional authentication model of username and password doesn't protect against advanced phishing techniques. Factors that improve on passwords, such as SMS, push, and one-time passwords, are still phishable, because they rely on the user's ability to detect the phishing attempt. A phishing-resistant factor removes that dependency: the authentication is cryptographically bound to the legitimate site, so nothing the user can be tricked into typing or approving works anywhere else.
Despite the prevalence and frequency of identity-based attacks, many organizations are slow to implement phishing-resistant authentication methods. You might view phishing-resistant methods as difficult to deploy or hard for your users to adopt, but many of the solutions are already available in your Okta org today.
Identity-based attacks
In an identity-based attack, bad actors phish a user's credentials and access their applications and resources.
- Credential stuffing is an attack in which credentials stolen from one organization are tried against another organization's sign-in, relying on password reuse.
- Email, phone, and SMS phishing messages usually contain a URL that points to a fake sign-in page where attackers capture user credentials.
- Real-time phishing kits and OTP bots can capture a temporary one-time password and replay it with the stolen credentials before it expires.
- Adversary-in-the-middle attackers proxy the user's requests to the real sign-in page and capture credentials and session cookies as they pass through.
- MFA push fatigue is an attack in which an attacker holding a stolen password triggers many push notifications to a user's authentication app until the user approves one.
- OAuth consent phishing is an attack in which users who are already signed in to an app are tricked into granting a malicious app access to their data.
Identity-based attacks are different from endpoint attacks, in which malware or ransomware compromises a device or browser, or a network is hijacked. Okta doesn't protect against endpoint attacks.
Phishing resistance in your org
Prepare your org
- Classify your apps by the level of security required.
  - Low-security apps: These apps don't have sensitive information and don't require privileged user permissions. Unauthorized access or disclosure of information would have minimal impact.
  - Medium-security apps: Unauthorized access or disclosure of information would have serious effects.
  - High-security apps: Unauthorized access or disclosure of information would be catastrophic.
- Ensure that all end users in your org are in the correct groups and that admins are grouped by permission. See Manage groups.
- Notify users of the upcoming phishing-resistant requirements. See the Launch kit for Okta admins for communication templates.
Implement phishing resistance
- Enable and set up phishing-resistant authenticators. First, set up WebAuthn (FIDO2) and Okta Verify. Then, configure Okta FastPass.
- Configure authenticator enrollment policies for Okta FastPass and WebAuthn. See Create an authenticator enrollment policy.
- Configure phishing-resistant app sign-in policies for low-, medium-, and high-security apps. Select phishing-resistant authenticators where possible. See Create an app sign-in policy and Add an app sign-in policy rule.
- Assign apps to the phishing-resistant policies based on your security classification. See Assign apps to an app sign-in policy.
- Provide phishing resistance for new users the first time they access your apps. See Require phishing-resistant authentication with pre-enrolled YubiKey.
For the detailed procedure and user experience, see Phishing-resistant authentication.
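The classification and policy steps above can also be driven through the Okta Management API rather than the Admin Console. The following is an added example, written for this page and not Okta's own code. It assumes the Policy API shape for ACCESS_POLICY rules (actions.appSignOn.verificationMethod with a constraints list, where each entry is an alternative a user may satisfy) and the endpoint POST /api/v1/policies/{policyId}/rules authenticated with an SSWS API token; the tier names, the re-authentication intervals, the placeholder group ID and the helper functions are ours. Check the payload against the Policy API reference for your org before creating rules with it.

```python
"""Build Okta app sign-in policy rules per app security tier and check them.

Added example, not Okta's own code. Assumes the Okta Management API shape for
ACCESS_POLICY rules (actions.appSignOn.verificationMethod with a 'constraints'
list, each entry being an alternative the user may satisfy) and the endpoint
POST /api/v1/policies/{policyId}/rules with an SSWS API token. Tier names,
re-authentication intervals and helper functions are ours.
"""
import json
import urllib.request

# Re-authentication interval per tier (ISO 8601 durations; PT0S = every sign-in).
REAUTH = {"low": "PT24H", "medium": "PT12H", "high": "PT0S"}


def verification_method(tier: str) -> dict:
    """Assurance requirements for one tier.

    low:    two factors, password plus any possession factor (push, OTP, ...).
    medium: two factors, the possession factor must be phishing resistant.
    high:   as medium, plus a hardware-protected authenticator with user
            verification, re-authenticated on every sign-in.
    """
    if tier == "low":
        constraints = [{"knowledge": {"types": ["password"]}}]
    elif tier == "medium":
        constraints = [{"possession": {"phishingResistant": "REQUIRED",
                                       "userPresence": "REQUIRED"}}]
    elif tier == "high":
        constraints = [{"possession": {"phishingResistant": "REQUIRED",
                                       "hardwareProtection": "REQUIRED",
                                       "userPresence": "REQUIRED",
                                       "userVerification": "REQUIRED"}}]
    else:
        raise ValueError(f"unknown tier {tier!r}")
    return {"type": "ASSURANCE", "factorMode": "2FA",
            "reauthenticateIn": REAUTH[tier], "constraints": constraints}


def build_rule(name: str, tier: str, group_ids: list) -> dict:
    """Rule body for POST /api/v1/policies/{policyId}/rules, scoped to groups."""
    return {
        "name": name,
        "type": "ACCESS_POLICY",
        "priority": 1,
        "conditions": {"people": {"groups": {"include": list(group_ids)}}},
        "actions": {"appSignOn": {"access": "ALLOW",
                                  "verificationMethod": verification_method(tier)}},
    }


def rule_is_phishing_resistant(rule: dict) -> bool:
    """True only if every alternative constraint set demands a phishing-resistant
    possession factor. A single weaker alternative (e.g. password plus any
    possession factor) lets a phished user be routed around the strong path,
    so the rule as a whole is not phishing resistant."""
    vm = rule["actions"]["appSignOn"]["verificationMethod"]
    constraints = vm.get("constraints") or []
    return bool(constraints) and all(
        c.get("possession", {}).get("phishingResistant") == "REQUIRED"
        for c in constraints)


def post_rule(org_url: str, api_token: str, policy_id: str, rule: dict) -> dict:
    """Create the rule in the org. Network call; only runs when you call it."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies/{policy_id}/rules",
        data=json.dumps(rule).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # "00gexamplegroupid" is a placeholder, not a real group ID.
    for tier in ("low", "medium", "high"):
        rule = build_rule(f"{tier}-security apps", tier, ["00gexamplegroupid"])
        print(tier, "phishing resistant:", rule_is_phishing_resistant(rule))
        print(json.dumps(rule, indent=2))
```

Run rule_is_phishing_resistant over the rules you already have (GET /api/v1/policies/{policyId}/rules) before and after the rollout: a "high" policy that still carries a password-plus-anything alternative, added for a break-glass group and never removed, is the typical gap.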
Monitor your org
After you've rolled out phishing resistance, monitor your applications and authenticators. Refine your app sign-in policies if needed.
- Monitor the System Log for phishing-resistant sign-in events. See System Log filters and search.
- Establish communication channels where users can submit feedback, such as email or your internal ticketing system.
- For tighter security, require phishing-resistant authentication when users enroll in additional authenticators. See Phishing-resistant authenticator enrollment.
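To make the System Log step concrete, here is an added example (ours, not Okta's code) that scans an export of System Log events, as returned by GET /api/v1/logs, and produces two things a rollout owner wants: per app, how many successful MFA sign-ins used a phishing-resistant factor versus a weaker one (with the users still on weak factors, so the policy for that app can be tightened), and users who received an unusual burst of push challenges, the signature of the push-fatigue attack described earlier on this page. The sample events are constructed; the field paths (eventType, actor.alternateId, outcome.result, debugContext.debugData.factor, target[].displayName, published), the factor names in PHISHING_RESISTANT and the push event type are assumptions drawn from typical events, so confirm them against a real event from your org before relying on the report.

```python
"""Scan exported Okta System Log events for phishing-resistance gaps.

Added example, not Okta's code. Field paths, factor names and the push event
type below are assumptions; check them against a real event in your org.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed factor labels in debugContext.debugData.factor; FastPass is assumed
# to appear as SIGNED_NONCE. Extend after inspecting your own events.
PHISHING_RESISTANT = {"FIDO_WEBAUTHN", "SIGNED_NONCE"}
MFA_EVENT = "user.authentication.auth_via_mfa"          # assumed event type
PUSH_EVENT = "system.push.send_factor_verify_push"       # assumed event type


def _mfa(user, factor, app, ts, result="SUCCESS"):
    """Constructed MFA event in the assumed System Log shape."""
    return {"eventType": MFA_EVENT, "published": ts, "outcome": {"result": result},
            "actor": {"alternateId": user},
            "debugContext": {"debugData": {"factor": factor}},
            "target": [{"type": "AppInstance", "displayName": app}]}


def _push(user, ts):
    """Constructed push-challenge event."""
    return {"eventType": PUSH_EVENT, "published": ts, "outcome": {"result": "SUCCESS"},
            "actor": {"alternateId": user}, "debugContext": {"debugData": {}}, "target": []}


# Constructed sample: mixed factors on two apps, one failed attempt that must be
# ignored, a normal push pattern for alice and a burst of six pushes for bob.
SAMPLE_EVENTS = [
    _mfa("alice@example.com", "FIDO_WEBAUTHN", "Payroll", "2024-05-01T09:00:01.000Z"),
    _mfa("bob@example.com", "OKTA_VERIFY_PUSH", "Payroll", "2024-05-01T09:02:10.000Z"),
    _mfa("bob@example.com", "SMS", "Payroll", "2024-05-01T09:03:00.000Z", result="FAILURE"),
    _mfa("carol@example.com", "SMS", "Wiki", "2024-05-01T09:05:00.000Z"),
    _mfa("dave@example.com", "SIGNED_NONCE", "Wiki", "2024-05-01T09:06:00.000Z"),
    _push("alice@example.com", "2024-05-01T09:20:00.000Z"),
    _push("alice@example.com", "2024-05-01T10:20:00.000Z"),
] + [_push("bob@example.com", f"2024-05-01T09:10:{i * 10:02d}.000Z") for i in range(6)]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _app(event):
    for target in event.get("target", []):
        if target.get("type") == "AppInstance":
            return target.get("displayName", "?")
    return "?"


def factor_report(events):
    """Per app: successful MFA sign-ins split into phishing-resistant and weak,
    plus the set of users who still completed MFA with a weak factor."""
    report = defaultdict(lambda: {"resistant": 0, "weak": 0, "weak_users": set()})
    for e in events:
        if e.get("eventType") != MFA_EVENT or e["outcome"]["result"] != "SUCCESS":
            continue  # failed challenges say nothing about what the policy allowed
        factor = e["debugContext"]["debugData"].get("factor", "UNKNOWN")
        entry = report[_app(e)]
        if factor in PHISHING_RESISTANT:
            entry["resistant"] += 1
        else:
            entry["weak"] += 1
            entry["weak_users"].add(e["actor"]["alternateId"])
    return dict(report)


def push_fatigue_candidates(events, window=timedelta(minutes=10), threshold=5):
    """Users who received at least `threshold` push challenges inside any sliding
    `window`. Returns {user: largest number of challenges seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("eventType") == PUSH_EVENT:
            by_user[e["actor"]["alternateId"]].append(_ts(e))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for app, entry in factor_report(SAMPLE_EVENTS).items():
        print(app, entry["resistant"], "resistant,", entry["weak"], "weak:",
              sorted(entry["weak_users"]))
    print("push fatigue candidates:", push_fatigue_candidates(SAMPLE_EVENTS))
```

Feed the output of factor_report back into the classification step: an app in the high-security tier that still shows weak sign-ins means either a policy rule with a weaker alternative or an app assigned to the wrong policy, and the weak_users set tells you who has not yet enrolled a phishing-resistant authenticator.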