Credential phishing has many undesirable outcomes, from lost business and data to reputational and legal harm. Small and medium-sized enterprises (SMEs) have responded by deploying the security controls that are readily available on their platforms, such as multi-factor authentication (MFA). Unfortunately, adversaries’ tactics and capabilities have shifted to where traditional MFA isn’t always enough. And let’s face it, many people simply dislike using some MFAs.
NIST recognized this issue in its and cautioned, “All MFA processes using shared secrets are vulnerable to phishing attacks.” The solution is modern authentication, or passwordless authentication, which is stronger and more convenient for users. Use cases range from securing privileged assets and identities to simply making it easier for everybody to get work done by eliminating the source of their frustrations with MFA.
黑料海角91入口 and Okta both provide modern authentication via 黑料海角91入口 Go™ and Okta FastPass™. They serve a similar purpose, but the implementations are very different. This has real-world impacts on the ease of deployments and determines what’s possible with each platform. 黑料海角91入口 also has integrated cross-OS device management while Okta doesn’t. This article draws a comparison between these technologies that SMEs can use as a reference.
What Is Okta FastPass?
Okta FastPass is a passwordless authentication system that works with Okta’s single sign-on (SSO) and MFA products to access web apps. It requires Okta Verify, a mobile app, in order to function, and is available to Okta Identity Engine (OIE) subscribers. Existing customers must upgrade from the Classic Engine to the OIE authentication pipeline in order to use FastPass.
How Does Okta FastPass Work?
FastPass leverages public key infrastructure (PKI) to bind a set of keys to a device. It stores the private keys on a secure crypto-processor such as a Trusted Platform Module (TPM) or Apple’s Secure Enclave. A software keystore is used if a device doesn’t have the requisite hardware. Access requests are redirected from a service provider (SP) to Okta for authentication, and the challenge flows to the Okta Verify app for verification. The app collects various signals from the device and generates digitally signed output using the keystore(s). Okta servers check that payload against policies and the signature to make authentication decisions. The assertions are passed onto the SP if access is granted, or a designated policy action will be taken in response.
Okta’s outlines all authentication flows.
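The challenge-and-signature flow described above, reduced to its cryptographic core, as an added example that is not Okta's code or protocol. The `Signals` fields, the function names and the policy (managed and disk-encrypted) are assumptions, and Ed25519 with an in-memory key stands in for the hardware-backed keystore.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Signals is a constructed posture payload; the field names are assumptions.
type Signals struct {
	Challenge              []byte
	DeviceID               string
	Managed, DiskEncrypted bool
}

// Enroll creates the device key pair (in memory here); the server keeps only the public key.
func Enroll() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// DeviceSign plays the authenticator app: it signs challenge plus signals with the device key.
func DeviceSign(priv ed25519.PrivateKey, s Signals) (payload, sig []byte) {
	payload, _ = json.Marshal(s)
	return payload, ed25519.Sign(priv, payload)
}

// ServerDecide checks the signature, then challenge freshness, then policy.
func ServerDecide(pub ed25519.PublicKey, challenge, payload, sig []byte) string {
	var s Signals
	switch {
	case !ed25519.Verify(pub, payload, sig):
		return "deny: bad signature"
	case json.Unmarshal(payload, &s) != nil || !bytes.Equal(s.Challenge, challenge):
		return "deny: challenge mismatch"
	case !s.Managed || !s.DiskEncrypted:
		return "deny: policy"
	}
	return "allow"
}

func main() {
	pub, priv := Enroll()
	c := make([]byte, 32) // fresh random challenge for this attempt
	rand.Read(c)
	p, sig := DeviceSign(priv, Signals{c, "laptop-01", true, true})
	fmt.Println(ServerDecide(pub, c, p, sig))
}
```

Because the signed payload embeds the server's challenge, a captured response fails against any later challenge, and there is no shared secret for a phishing page to collect.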
Benefits and Challenges of Okta FastPass
Benefits
- Admins can use FastPass for passwordless authentication from any device or location into SSO apps.
- Okta FastPass works with several different IdP flows.
- There’s no dependency on Active Directory (AD).
- It’s possible to enforce conditional access to limit access to managed, compliant devices if third-party Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) has been configured for use with Okta’s platform.
- FastPass can be combined with device-level biometrics.
Challenges
- Okta lacks Unified Endpoint Management (UEM); third-party solutions such as 黑料海角91入口 must be configured to manage your devices.
- Okta Classic Engine users that have deployed Device Trust must carefully deactivate it in order to adopt FastPass after upgrading to OIE. There are several caveats during the such as steps that are irreversible.
- Admins must confirm that enabling FastPass doesn’t disconnect Device Trust users who remain enrolled in it to access managed apps. It should also still be possible to enroll new Okta Verify users. Users who are working from unmanaged devices should also be unaffected by these changes.
- Customers must set up a certificate authority (CA) to distribute management certificates to desktop devices. FastPass is a universal Okta feature, but only users that are registered with Okta Verify using devices with a certificate are authorized to use it.
- A mobile app is required for remote users. It can be deployed as a managed app, but that requires having a separate EMM/MDM solution.
Note: Okta doesn’t have Unified Endpoint Management (UEM). It relies on third-party MDM.
What Is 黑料海角91入口 Go?
黑料海角91入口 Go enables secure passwordless authentication to 黑料海角91入口-protected web resources on managed devices. Users can verify their identity using device authenticators with biometrics (Apple Touch ID and Windows Hello) versus password sign-in challenges. This improves security by simplifying the user login flow, reducing MFA fatigue, and minimizing password use. 黑料海角91入口 Go authentication also satisfies any User Portal MFA requirements.
黑料海角91入口 Go provides instant revocation when a user status changes from “active” to “suspended”. That’s possible because the platform has integrated identity and device management.
How Does 黑料海角91入口 Go Work?
黑料海角91入口 Go is built using open web standards. A device user refresh token (DURT) is generated by managed users on managed devices, which in turn grants access to the User Portal and SSO apps. 黑料海角91入口 Go supports macOS and Windows devices with specifications for Secure Enclave and Trusted Platform Module (TPM) 2.0.
Note: 黑料海角91入口 integrates cross-OS device management with IAM. The platform architecture allows for Go to be extended with more holistic policies and device settings over time.
The prerequisites mandate that a 黑料海角91入口 agent has to be installed and running on macOS and Windows devices. At present, a Google Chrome browser with the 黑料海角91入口 Go browser extension must be installed. Admins can deploy it manually or by using Google’s Chrome Browser Cloud Management (CBCM). Go is enabled through the centralized Admin Console without additional components. Enabling 黑料海角91入口 Go will automatically save it as an MFA factor. Users must configure biometrics on their devices to utilize them with 黑料海角91入口 Go.
End users register by clicking “Log in with 黑料海角91入口 Go.” The registration flow is a traditional user console login using your organization’s emails and passwords. DURTs are granted every 12 hours, and then users are prompted to verify their identities by using device authentication.
黑料海角91入口 Go vs. Okta FastPass
黑料海角91入口 Go and Okta FastPass serve a similar purpose, but their architectures are different. Those differences influence how the solutions are deployed as well as product use cases. 黑料海角91入口’s platform has integrated UEM, while Okta customers must choose a UEM provider.
Let’s explore some of those differences.
Authentication
- 黑料海角91入口 Go uses a DURT to provide passwordless authentication that satisfies MFA requirements for SSO and the 黑料海角91入口 User Console. IAM and UEM are integrated, so only managed devices and users are ever registered to use Go. 黑料海角91入口 conditional access policies deploy device trust certificates to desktops.
- Okta’s FastPass uses components including Okta OIE and Okta Verify. It works in unison with external UEM to deliver a full solution.
- Okta allows for PIV/CAC cards as a step-up MFA for privileged resources. Using a DURT does not satisfy step-up MFA requirements at this time. However, 黑料海角91入口 integrates with device authenticators such as Windows Hello for added security.
黑料海角91入口 lets admins lock out the whole computer, which effectively locks unauthorized users out of all browsers as well as native apps. Okta’s Universal logout can terminate browser sessions, but is reliant on SSO apps that support it. Okta lacks native endpoint management capabilities.
Deployment
- 黑料海角91入口 Go is deployed using a browser extension on managed devices. It’s turned on using the Admin Console.
- Okta admins must deploy Okta Verify apps, configure a CA, and integrate with an external UEM vendor.
- 黑料海角91入口 Go will be launched on Linux, pending customer need.
- Okta FastPass supports Android and Apple mobile devices. However, there are some prerequisites.
- FastPass requires a Safari extension in order to work without prompting users. Your MDM provider must support Apple’s Extensible Single Sign-On framework to define extensions for MFA.
Integrated Device Management
- UEM is external to Okta, whereas 黑料海角91入口 Go can enforce device management. Consequently, Okta FastPass doesn’t require devices to be managed.
- The 黑料海角91入口 Go credential is secured and tied to login credentials for managed accounts on managed devices. Okta FastPass doesn’t work that way.
- Okta FastPass may be used for desktop single sign-on. 黑料海角91入口 Go is available exclusively for User Portal authentication at this time to protect apps and resources.
Licensing
- Customers can get started with 黑料海角91入口 Go either by subscribing to the full platform or by selecting 黑料海角91入口’s device management and SSO SKUs.
- There is a $1,500 annual contract minimum. There may be additional costs to deploy and manage on-premise components. Okta doesn’t provide UEM, which must be obtained separately for a secure device state.
Access 黑料海角91入口’s pricing comparison tool and TCO calculator.
User Experience
- Using a DURT creates a better end user experience with fewer interactive password authentications to access managed resources.
- Both solutions offer configurable session settings.
Get Started With 黑料海角91入口 Go
Admins can move more efficiently to secure privileged access from desktops to assets and eliminate MFA fatigue by using 黑料海角91入口 Go. 黑料海角91入口’s cross-OS device management makes it possible to restrict access to only managed devices that meet your security baselines.
If you want to learn more about 黑料海角91入口 Go, just drop us a note or get started with a .