Fortify Okta Against Session Token Compromise

The Okta breach disclosed earlier this month served as another reminder of the devastating impact of a session token compromise. This technique is nothing new—it’s something we’ve been discussing for years in our content and with a dedicated blog series. 

Nevertheless, we continue to see session token compromise leveraged in security incidents at several leading enterprises to grant adversaries access that is often discreet and extremely persistent.

We have already discussed the importance of robust SaaS threat detections in minimizing attacker dwell time and enabling rapid response to token compromise. The purpose of this blog is to explore proactive security measures that bolster Okta environments against this technique. These same principles can be applied to other identity providers (IdPs) to help combat session token compromise in any environment.

A Four-Part Approach

We can delineate the security challenges surrounding identity providers and single sign-on (SSO) solutions into four focus areas, which we can consider the four pillars of a robust security posture. At a high level, they are:

1. Strengthen Authentication Policies: User authentication policies are critical to the security of the IdP/SSO environment. Rigorous and consistent application of multi-factor authentication (MFA) coupled with constrained session lifetimes will serve as a strong first line of defense against unauthorized access.

2. Fortify Self-Recovery: Self-recovery mechanisms are indispensable, especially when users are inadvertently locked out. However, poorly configured self-recovery mechanisms can serve as open doors for attackers. Employing the strongest possible MFA within trusted network ranges helps ensure a secure self-recovery process.

3. Weaponize End Users: By enabling new device and suspicious activity notifications for end users and ensuring their active status, you effectively transform users into vigilant sentinels. This proactive measure significantly improves the likelihood and speed of threat detection and response.

4. Limit Privileged Access: An often overlooked—but crucial—measure is the management of privileged access within the IdP/SSO environment. Stringent control of privileged users is imperative considering that they have the potential to undermine every aforementioned security measure.

Strengthen Authentication Policies

Authentication policies form the crux of security in your Okta environment, providing a structured framework to manage user access. These should be meticulously reviewed and strengthened to ensure they align with your organization’s security requirements.

Authentication policies are orchestrated in a priority sequence that you define. They are applied based on specific conditions for users accessing the platform. The intricacy arises from the interplay between these policies, user groups, and various risk indicators. The objective is to enforce more stringent or frequent MFA in high-risk scenarios while allowing leniency in safer or mitigated risk situations—for example, differentiating between accesses from a corporate IP range and an organization proxy on another continent.

Common Misconfiguration

Disentangling authentication policies can be challenging, meaning that misconfigurations are all too common. Here are some frequently observed configuration issues and recommendations on how to rectify them.

• Default Policy Oversight: The default policy, which is immutable and always ranks lowest in priority, does not have MFA applied. Configuring your policies is imperative so that no login ever reaches this default backstop. Reviewing audit logs will provide insights into how many logins are hitting this default policy and whether there are cases where a user could be authenticated through it.
• Session Lifetime Management: Policies lacking a defined maximum session lifetime or having excessively long session lifetimes can be problematic. While there’s no one-size-fits-all for session lifetime duration, reducing dwell time from months to hours significantly impedes an attacker’s ability to exploit the system.
• Enforcing Strong MFA: Ensure that robust MFA, such as WebAuthn or Okta Verify, is mandated on every rule. This fortifies the authentication process, making it arduous for attackers to bypass.
• Factor Prompt Mode Configuration: MFA prompt modes often skip verification on recognized devices. Given the potential exploitation of long-lived tokens discussed in the previous blog, it’s crucial to reapply MFA regularly, even on previously authenticated devices.

Fortify Self-Recovery Mechanisms

Poorly configured account recovery mechanisms invite abuse by adversaries—we’ve even covered a similar topic as it relates to Azure AD. Because this is a relatively infrequent user operation, teams can enforce more stringent security measures without significantly impacting user convenience.

Okta recommends executing account recovery within a secured network zone—again, typically a corporate IP range or VPN—and requiring strong user authentication. These two measures together substantially mitigate the risk otherwise associated with this process.

Common Misconfiguration

Misconfigurations in account recovery can inadvertently diminish the security threshold, opening up your environment to unauthorized access. Here are some frequently observed configuration issues and recommendations on how to rectify them.

• Lack of Network Zone Restrictions: Initiating account recovery outside secured network zones can invite potential exploit. It is prudent to confine these operations to secured network zones such as a corporate IP range or VPN.
• Insufficient Verification Mechanisms: Policies solely requiring SMS or voice call verification without additional layers are inherently less secure. These methods are susceptible to interception and social engineering techniques. Similarly, security questions are weak secondary options because answers can be guessed or acquired. Opt for more robust methods to bolster security during account recovery.

Enable End User Notifications

When you enable security notifications, you empower your user base and improve the overall security posture of your Okta environment. These notification emails enable users to more promptly identify and report suspicious activities associated with their accounts. It’s an approach that dovetails with the broader cultural paradigm shift towards a mentality where “everyone is in security,” fostering a collaborative effort to maintain a secure digital ecosystem.

Common Misconfiguration

Misconfigured notification policies ultimately lead to missed opportunities in the earliest stages of potential threat detection. Here are some frequently observed configuration issues and recommendations on how to rectify them.

• Disabling Security Notifications: Security notifications can alert users of various important actions taken on their accounts: MFA enrollment, password changes, and other generic suspicious activities. It’s advisable to enable all of these notifications to keep users informed and encourage rapid reporting.
• Lack of User Education: Notifications are helpful, but educating your users how to interpret and respond to these alerts is just as important. A comprehensive user education program can significantly enhance the effectiveness of security notifications in identifying and mitigating potential threats.

Limit Privileged Access

The overprovisioning of highly privileged accounts is a pervasive issue across SaaS platforms which introduces a tremendous amount of security risks. Managing and constraining this privilege is always important, but especially so for the organizational identity provider. Super administrative access demands extremely stringent control as the pinnacle of user privilege within Okta.

Align administrative permissions closely with the functional roles of individuals in an effort to uphold the principle of least privilege and bolster your security.

Common Misconfiguration

Poor management of privilege in Okta has the potential to undermine every other proactive security measure put in place. Here are some frequently observed configuration issues and recommendations on how to rectify them.

• Excessive Super Administrative Access: Super administrative access embodies the zenith of privilege within Okta, necessitating tight control. Even for large entities, limiting the number of super administrators to a bare minimum—ideally less than five—is prudent to mitigate the risks associated with privileged access abuse.
• Misalignment of Administrative Roles: It’s often observed that the allocation of administrative roles isn’t well-aligned with the functional responsibilities of individuals. Ensuring a precise alignment between administrative roles, job functions, and required access levels is crucial for minimizing the potential for privilege misuse.
• Dedicated Authentication Policies for Administrators: Implementing dedicated authentication policies for administrators that mandate regular re-authentication through strong MFA is crucial. Ideally, forcing administrative users through a trusted network zone further enhances security measures, ensuring a robust defense against potential compromises.

Conclusion

The purpose of the four pillars is to serve as a foundation for a stronger Okta security posture, limiting the likelihood and potential impact of a cyber-attack. The initiative to fortify these proactive defenses should be supported with continuous verification that these configurations remain strong, and that gaps don’t reappear discreetly later on. Moreover, these measures should be complemented with robust threat detections because, despite every proactive effort, sophisticated adversaries will continue to look for a way to bypass them.

The Obsidian Security platform helps organizations with both sides of this equation. SaaS governance and risk management capabilities enable security teams to enforce every secure configuration highlighted in this blog and more while simultaneously monitoring to ensure these secure settings don’t drift over time. Our team provides posture recommendations out of the box informed by our expert research, industry benchmarks, and leading compliance frameworks.

At the same time, we complement these proactive capabilities with cutting-edge threat detections designed for SaaS. Only Obsidian can detect session token compromise in a matter of minutes, preventing attackers from dwelling in your SaaS environment and executing more damaging long-term campaigns.

You can learn more about Obsidian’s approach to detecting and mitigating SaaS session token compromise here.