2025 needs to be the year identity providers go all in on improving every aspect of software quality and security, including red teaming, while making their apps more transparent and getting objective about results beyond standards. Anthropic, OpenAI and other leading AI companies have taken red teaming to a new level, revolutionizing their release processes for the better.
Identity providers, including Okta, need to follow their lead and do the same. While Okta is one of the first identity management vendors to sign up for CISA’s Secure by Design pledge, it is still struggling to get authentication right. Okta’s recent advisory told customers that usernames of 52 characters or longer could be combined with a stored cache key, bypassing the need to provide a password to log in. The advisory’s pre-conditions narrow the exposure: the org had to be using AD/LDAP delegated authentication without MFA, the user had to have authenticated successfully before so that a cache key existed, and the cache had to be consulted first, for example because the agent was down or unreachable. The root cause was bcrypt applied to the concatenation of user ID, username and password. bcrypt hashes only the first 72 bytes of its input, so a 20-character Okta user ID plus a 52-character username fill that window and no byte of the password reaches the hash.
Okta recommends that customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23, 2024, to October 30, 2024. Okta points to its best-in-class record for the adoption of multi-factor authentication (MFA) among both users and administrators of Workforce Identity Cloud. That’s table stakes to protect customers today and a given to compete in this market.
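The pre-conditions and the System Log guidance above can be modeled and checked in code. What follows is an added example, not code from the article or from Okta. It assumes the cache-key construction described in Okta’s advisory (bcrypt over user ID + username + password) and bcrypt’s fixed behaviour of hashing only the first 72 bytes of its input; the 20-character user ID, the hardened construction, the delegated-auth event type names and the sample log events are constructed for illustration and are neither Okta’s fix nor real log data. bcrypt itself is replaced by a SHA-256 stand-in that reproduces only the truncation, so the block runs without third-party libraries.

```python
"""Added example (not from the article or from Okta).

Part 1 models the cache-key construction Okta's advisory described and shows
why a 52-character username matters. Part 2 applies Okta's System Log
guidance to constructed sample events.
"""
import hashlib
from datetime import datetime, timezone

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores input bytes past the 72nd
OKTA_USER_ID = "00u1a2b3c4d5e6f7g8h9"  # constructed 20-char ID in Okta's 00u... shape


def model_bcrypt(data: bytes) -> str:
    """Stand-in for bcrypt that reproduces only its 72-byte input limit.
    Real bcrypt is a salted, deliberately slow hash; SHA-256 is used here so
    the example needs no third-party library."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Cache key as the advisory described it: bcrypt(userId + username + password)."""
    return model_bcrypt((user_id + username + password).encode())


def password_is_ignored(user_id: str, username: str) -> bool:
    """True when userId + username alone fill the 72-byte window, so no byte of
    the password is hashed (20 + 52 = 72 for a 20-character Okta user ID)."""
    return len(user_id.encode()) + len(username.encode()) >= BCRYPT_INPUT_LIMIT


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """One way to close the gap (an added design, not Okta's actual fix):
    pre-hash length-prefixed fields with SHA-256 so every byte of every field
    contributes, then give bcrypt the fixed-size hex digest (64 < 72 bytes).
    Length prefixes keep ("ab", "c") and ("a", "bc") distinct."""
    def lp(field: str) -> bytes:
        raw = field.encode()
        return len(raw).to_bytes(4, "big") + raw
    prehash = hashlib.sha256(lp(user_id) + lp(username) + lp(password)).hexdigest()
    if len(prehash) > BCRYPT_INPUT_LIMIT:  # never hand bcrypt more than it reads
        raise ValueError("pre-hash exceeds bcrypt input limit")
    return model_bcrypt(prehash.encode())


# --- Part 2: System Log triage per the advisory's guidance ------------------

WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)
MIN_USERNAME_LEN = 52  # the advisory's threshold; >= is the conservative reading
DELEGATED_AUTH_EVENTS = {  # assumed event type names; confirm against your tenant
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}


def parse_published(ts: str) -> datetime:
    """Okta System Log 'published' values are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def suspect_events(events, min_len=MIN_USERNAME_LEN, start=WINDOW_START, end=WINDOW_END):
    """Successful delegated authentications by long usernames inside the window.
    Field names (actor.alternateId, outcome.result, published) follow the
    Okta System Log schema."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in DELEGATED_AUTH_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        username = ev.get("actor", {}).get("alternateId", "")
        when = parse_published(ev["published"])
        if len(username) >= min_len and start <= when <= end:
            hits.append(ev)
    return hits


LONG_USER = "a" * 45 + "@example.com"   # 57 characters
SHORT_USER = "jdoe@example.com"         # 16 characters
SAMPLE_EVENTS = [  # constructed sample events, not real log data
    {"published": "2024-08-02T09:14:03.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-08-02T09:20:11.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": SHORT_USER}, "outcome": {"result": "SUCCESS"}},
    {"published": "2024-09-15T22:01:45.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "FAILURE"}},
    {"published": "2024-11-05T08:00:00.000Z", "eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": LONG_USER}, "outcome": {"result": "SUCCESS"}},  # outside window
]

if __name__ == "__main__":
    name = "u" * 52
    print("password ignored:", password_is_ignored(OKTA_USER_ID, name))
    print("vulnerable keys collide:", vulnerable_cache_key(OKTA_USER_ID, name, "right")
          == vulnerable_cache_key(OKTA_USER_ID, name, "wrong"))
    print("hardened keys collide:", hardened_cache_key(OKTA_USER_ID, name, "right")
          == hardened_cache_key(OKTA_USER_ID, name, "wrong"))
    for ev in suspect_events(SAMPLE_EVENTS):
        print("investigate:", ev["published"], ev["actor"]["alternateId"])
```

Against real data, export the System Log for the window, filter as above, and then compare each hit against the agent’s availability at that time, since the cache is only consulted when the agent cannot answer; a hit alone is a lead, not proof of abuse.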
Google Cloud announced mandatory multi-factor authentication (MFA) for all users by 2025. Microsoft has also made MFA required for Azure starting in October of this year. “Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence,” according to a recent blog post.
Okta is getting results with CISA’s Secure by Design

It’s commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed in May of this year, committing to the initiative’s seven security goals. While Okta continues to make progress, challenges persist.
Pursuing standards while attempting to ship new apps and platform components is challenging. More problematic still is keeping a diverse, fast-moving set of DevOps, software engineering, QA, red team, product management and marketing staff coordinated and focused on a launch.

Okta’s security missteps show the need for more robust vulnerability management

While every identity management provider has had its share of attacks, intrusions and breaches to deal with, it’s interesting to see how Okta is using them as fuel to re-invent itself using CISA’s Secure by Design framework.
Okta’s missteps make a strong case for expanding its vulnerability management initiatives, taking the red teaming lessons learned from Anthropic, OpenAI and other AI providers and applying them to identity management. Recent incidents Okta has experienced include:

Red-teaming strategies for future-proofing identity security

Okta and other identity management providers need to consider how they can improve red teaming independent of any standard. An enterprise software company shouldn’t need a standard to excel at red teaming, vulnerability management or integrating security across its system development lifecycle (SDLC).
Okta and other identity management vendors can strengthen their security posture by applying the red teaming lessons learned from Anthropic and OpenAI below:

Deliberately create more continuous, human-machine collaboration when it comes to testing: Anthropic’s blend of human expertise with AI-driven red teaming uncovers hidden risks. By simulating varied attack scenarios in real time, Okta can proactively identify and address vulnerabilities earlier in the product lifecycle.

Commit to excel at adaptive identity testing: OpenAI’s use of sophisticated identity verification methods like voice authentication and multimodal cross-validation for detecting deepfakes could inspire Okta to adopt similar testing mechanisms. Adding an adaptive identity testing methodology could also help Okta defend itself against increasingly advanced identity spoofing threats.

Prioritizing specific domains for red teaming keeps testing more focused: Anthropic’s targeted testing in specialized areas demonstrates the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integrations and customer support, where nuanced security gaps may otherwise go undetected.

More automated attack simulations are needed to stress-test identity management platforms: OpenAI’s GPT-4o model uses automated adversarial attacks to continually pressure-test its defenses. Okta could implement similar automated scenarios, enabling rapid detection and response to new vulnerabilities, especially in its IPSIE framework.

Commit to more real-time threat intelligence integration: Anthropic’s real-time knowledge sharing within red teams strengthens their responsiveness. Okta can embed real-time intelligence feedback loops into its red-teaming processes, ensuring that evolving threat data immediately informs defenses and accelerates response to emerging risks.

Why 2025 will challenge identity security like never before

Adversaries are relentless in their efforts to add new, automated weapons to their arsenals, and every enterprise is struggling to keep up.
With identities being the primary target of the majority of breaches, identity management providers must face the challenges head-on and step up security across every aspect of their products. That needs to include integrating security into their SDLC and helping DevOps teams become familiar with security so it’s not an afterthought that’s rushed through immediately before release. CISA’s Secure by Design initiative is invaluable for every cybersecurity provider, and that’s especially the case for identity management vendors.
Okta’s experiences with Secure by Design helped them find gaps in vulnerability management, logging and monitoring. But Okta shouldn’t stop there. They need to go all in on a renewed, more intense focus on red teaming, taking the lessons learned from Anthropic and OpenAI.
Improving the accuracy, latency and quality of data through red teaming is the fuel any software company needs to create a culture of continuous improvement. CISA’s Secure by Design is just the starting point, not the destination. Identity management vendors going into 2025 need to see standards for what they are: valuable frameworks for guiding continuous improvement.
Having an experienced, solid red team function that can catch errors before they ship and simulate aggressive attacks from increasingly skilled and well-funded adversaries is among the most potent weapons in an identity management provider’s arsenal. Red teaming is core to staying competitive while having a fighting chance to stay at parity with adversaries. Writer’s note: Special thanks to Taryn Plumb for her collaboration and contributions to gathering insights and data.
What Okta’s failures say about the future of identity security in 2025
2025 needs to be the year identity providers go all in on improving every aspect of software quality and security, including red teaming.