Okta FastPass Brings Passwordless Logins to Reality

This year, the vision for passwordless authentication gets real as Okta rolls out FastPass context-driven login technology. IDN explores how it works with Okta’s Joe Diamond.

Tags: 2FA, authentication, cloud, Okta, passwordless, policy, security

Joe Diamond
vp, product marketing

"Okta is creating more seamless and secure login experiences for our customers by offering completely passwordless authentication."


Okta is making passwordless security a reality.  


Okta previewed FastPass, its context-driven passwordless login technology for users, last month during its Oktane 2020 user conference. The debut comes after years of R&D and product feature previews.


This new capability provides a true passwordless experience across devices, applications, and operating systems, according to Okta execs. In turn, employees can have their choice of devices while presenting much less exposure to credentials-based threats.


IDN spoke with Joe Diamond, Okta’s vice president of product marketing, to learn more about how Okta’s passwordless authentication works and how the company expects enterprises to deploy it.


“Creating more seamless and secure login experiences for our customers is at our core and taking this one step further by offering completely passwordless login experiences is something we’ve been exploring for a while. The introduction and launch of Okta Platform Services was key to making passwordless authentication possible,” he said. 


Okta FastPass works to assure identity access across all enterprise resources – apps, devices and all popular operating systems – Windows, macOS, iOS and Android. With FastPass, the idea is that users don’t sign into anything – devices, apps, files, web. Instead, users use a biometric login feature, such as Touch ID, Face ID, Windows Hello or fingerprint on Android, according to Diamond.

Okta chief product officer Diya Jolly added insight on how FastPass impacts employees and work environments.  


“Going passwordless not only makes employees happy, but it can make them more secure by relying on stronger factors like biometrics. Okta FastPass eliminates the need for a password regardless of an employee’s device choice and highlights how Okta’s independent identity platform can deliver a truly differentiated experience for our customers. This is made possible through a significant upgrade to the Okta Identity Cloud, marrying user identity to device identity for the first time, and opening the door for incredible usability and security possibilities.”


Other key benefits of Okta FastPass include:

Modernize infrastructure: Reduce dependency on on-prem LDAP directories, including Active Directory, in favor of Universal Directory, and empower administrators to choose any cloud-based Enterprise Mobility Management provider for device management.


Efficient Policy Enforcement and Usability: Companies can set consistent policies and experiences across all major platforms, reducing confusion among user bases and giving users device choice as well as consistent onboarding and login experiences across all devices.


Security: Admins can use passwordless to enhance security through the combination of Okta FastPass and Device Trust. This combo delivers passwordless login experiences to managed, compliant devices and default authentication implemented through biometric capabilities, rather than only by user-specific certifications.

With such a broad range of benefits, Diamond outlined the underpinnings of Okta FastPass to IDN. 

“The underpinning technologies of Okta’s Platform Services - Okta Devices, Okta Directories, and Okta Identity Engine - are combined to drive the new passwordless feature we’re calling FastPass,” Diamond said. 


How the Okta Verify Lightweight App Unlocks the Power of Passwordless 

Working with these technologies is Okta Verify, a lightweight app that sits on the device itself, Diamond added.

Okta Verify “enables the Okta Identity Cloud to ingest device-level signals while also creating a vendor-agnostic integration layer that can evaluate and collect signals from endpoint detection and response solutions,” he said.

Diamond also shared some of the core technical and operational details. 

Okta Verify is a factor used to verify an end user's identity. After an end user installs the app on their primary device (iTunes and Google Play), they can verify their identity by approving a push notification or by entering a one-time code. 


The enhancements to Okta Verify announced at Oktane20 bring updates to the existing Okta Verify app on iOS and Android, as well as a new Okta Verify app for Windows and macOS. Once the device is registered, a strong bond is created in the Okta Identity Cloud between the user and the device, opening the door to a passwordless experience.


Once verified, Okta’s FastPass allows users to engage in a passwordless experience across devices and platforms, including iOS, iPadOS, Android, macOS, and Windows, and gain access to all user apps. 

Thanks to the Okta Verify apps, passwordless can be provisioned by IT or downloaded directly by end users on managed or unmanaged devices.  


Diamond also noted that Okta announced it is working with the VMware Carbon Black Cloud cloud-native endpoint protection platform, as well as Tanium and CrowdStrike, to enhance Okta’s device and endpoint security posture. “These technologies are making passwordless a reality. Now, end users can skip the password altogether and use biometrics to gain access across any operating system,” he said.


In that context, Diamond also shared details of the actual establishment of connections and access. Once end users register their device via the Okta Verify application, a strong binding is created in the Okta Identity Cloud between the user and the device. 


When accessing an Okta-managed application via a browser, desktop application, or a native mobile application, end users are not prompted for a password. This means users get an end-to-end passwordless login experience when using devices that support biometrics, from unlocking the device, to registering the device to Okta with no password prompt, to subsequent logins on the same device. 

How Admins Retain Strong Controls and Otherwise Benefit from Passwordless 

Optionally, administrators can create fine-grained policies that combine Okta Device Trust, endpoint security integrations, and other adaptive policies with Okta FastPass to deliver secure, passwordless experiences for only managed, compliant devices.


Further, for admins that may be skeptical about passwordless, Diamond told IDN that they retain strong controls. 

“Administrators have master access, visibility and control via a dashboard that includes an overview of users and associated devices, devices registered to the organization, and policy controls (you can think of this as a device directory). 


“Administrators can set policies for FastPass from the administrative dashboard as well. For example, administrators can set policies so that only devices managed by a device management solution get a passwordless experience, or that only logins from known networks get a passwordless experience. Using Okta’s policy framework, administrators can require MFA for unknown devices, new logins, unmanaged devices, etc. 


“Using the Devices page in the administration dashboard, administrators can remotely sign-out users if needed. This also includes deactivation and deletion of devices' capabilities.”

In this environment, we asked Diamond about what happens to “tokens” in the world of passwordless with Okta FastPass. “Anytime a user logs into Okta, including the passwordless experience powered by FastPass, a token is generated and sessions vary depending on administrator preferences,” he said. 


“Regarding 2FA [two-factor authentication], due to the strong user and device binding created in Okta once a device is registered, the Okta Verify app can be considered a second factor in scenarios where administrators deploy Okta Verify to managed devices. They can then create policies that require the device to be managed in order to access Okta,” Diamond added.


Okta FastPass will be available in Early Access in Q4 2020 and can be purchased as part of Single Sign-on in the Okta Workforce Identity product line and One App and Enterprise Editions in the Okta Customer Identity product line.