Okta introduces new security plan after October cyberattack
Add Axios as your preferred source to
see more of our stories on Google.
Okta CEO Todd McKinnon during a Bloomberg TV interview in April 2022. Photo: David Paul Morris/Bloomberg via Getty Images.
Okta has unveiled a suite of new security features following a wide-reaching cyberattack last fall.
Why it matters: Okta provides identity management tools, like multifactor authentication and single sign-on solutions, to a range of organizations, including government agencies, Fortune 500 companies and AI startups.
What's inside: As part of its new commitments, Okta will now require all administrators to implement multi-factor authentication for their accounts, and it has limited the Okta customer support portal to just the users who submitted a request.
- Other new tools include enhanced bot detection, stronger CAPTCHA challenges and a feature that will prevent legitimate users from being locked out of their accounts if a user logged into their account on an unknown device tries to boot them.
- The company is also committing $50 million to its Okta for Good Fund over the next five years to help nonprofits better secure their systems.
Driving the news: Okta shared details about its new security upgrades during its fourth quarter earnings call Wednesday.
- The company said it brought in $605 million in revenue last quarter, a 19% year-over-year increase.
What they're saying: "This has not been an easy thing to go through," McKinnon told Axios ahead of Wednesday's investor call. "But given that you can't go back and change the past, we feel good about the changes we've made and more importantly, the impact that we can have on the industry."
- "In the long run, it will make us stronger," he added.
Catch up quick: Hackers breached Okta's customer support service in October.
- During that incident, attackers were able to access the names, email addresses and other contact information for all Okta customer support users, including company administrators.
- Originally, the company estimated that fewer than 1% of its customers were affected.
The big picture: Okta has become a prime target in recent years for hackers looking for legitimate login credentials and session tokens that can help them break into other companies.
The intrigue: Okta implemented several new internal policies to boost cybersecurity.
- Employees are no longer using personal phones and can't access personal accounts, including non-work email accounts, from their Okta accounts, McKinnon said.
- And McKinnon said Okta leaders now face questions about cybersecurity and the ways they uphold that corporate value in their performance reviews.
Between the lines: After the October incident, McKinnon told Axios the company embarked on a 90-day sprint to both start security upgrades it had put on the back burner and to plan new projects.
- "Most of the time, it's not a question of not knowing what to do [to secure a company]," McKinnon said. "It's more of a question of competing priorities."
What's next: McKinnon said his team plans to "continuously" review its security plans to assess what's working, and the company is working on a handful of other new security projects this year.
- "There's no one time fix," he said.
