Hi! I have a fun one for you all. As SIM jacking becomes more and more prevalent, we'd like to switch from SMS being the only required form of MFA to disabling it altogether. The majority of our users already use Okta Verify and strongly prefer it, but SMS is still a somewhat necessary fallback for when people get new phones, since Okta Verify doesn't transfer to a new device. Device Trust isn't an option as we don't use Jamf Pro or Intune. We do have Adaptive MFA and could stack SMS and Security Questions if need be, but I'd rather not have either allowed, to be honest.

Are any of you in the same boat? What do you do when someone gets a new phone?



16 replies

We’re mostly Macs here and we’ve just rolled out Touch ID MFA (leverages FIDO2 WebAuthn) as a secondary factor after Okta Verify.


We also distribute and require YubiKeys for some of the more critical roles.


If it’s just for switching phones (which I hope doesn’t happen too much), I’d write an article on how to self-service and switch Okta Verify from one device to another. It’s simple, and most of the time users don’t wipe their old phones, so as soon as that happens let them bring both devices or go through an article/video explaining how to switch the MFA.


Or have Google Auth be a fallback (the code could even be in their Okta Verify) and use that to log in, perhaps with some stricter requirements.


We are Okta Verify only here with SMS disabled. When I order someone a new phone I shoot them a short FAQ on what to do before they wipe the old phone (backup, open authenticator apps and move 2FA tokens one by one, etc.) so they should be able to self-serve moving Okta Verify. In the event they don’t read the instructions, I just have to unlink their 2FA manually and they have to set it up again the next time they log into Okta.


I suppose I should have also clarified that we don't provide company phones. And @henkjanvries, once upon a time, people not erasing their old phones was reality for us; however, in the last couple of years, phone upgrades have changed to the point where basically no one keeps their old phones. They go into a store over the weekend, trade in their phone for a new one, and then aren't able to log in to Okta when they come back to work on Monday. Google Auth is the same issue, because that information is lost with their old phone and doesn't restore from a backup.


@mlynch are you using TouchID on top of Okta Verify? I'd considered doing FIDO but I still have a couple users on machines without Touch ID so I can't unfortunately require it until I get them upgraded.


In that case Touch ID or even simple FIDO2 YubiKeys will suffice as a backup.


https://www.amazon.com/Yubico-Security-Key-USB-Authentication/dp/B07BYSB7FK/ref=sr_1_5?dchild=1&keywords=yubikey&qid=1597076805&sr=8-5


We simply offer Touch ID as a backup MFA option for users. For FIDO2/WebAuthn, it also supports Windows Hello if you have PC users, but we also have Linux users with no biometric option, so they are out of luck.

Was hoping to enable factor sequencing, but can't do that because of a bug with Chromebooks.


Yeah, that sucks. From what I know, it’s really Google. Okta has tried, but from some notes I read last year, Okta gave up and won’t chase it to fix it unless demand increases.


This is a useful conversation! This week we deployed Okta to about 1,300 non-employee affiliate users. These nonprofit staff don’t work for us, and we certainly don’t provide them company-issued phones. Thus, our influence is limited. Still, we set Okta Verify as required unless they raised a valid objection such as having an old phone in which it would not install. Alternative factors are Google Authenticator and SMS. Eventually, I would like to disable SMS. I’m not sure when, but pleased that we are well-positioned to do so at some point. We’re not done with deployment, about half of our user population hasn’t validated their accounts. But in the first half, we had very few objections to installing and using the Okta Verify app.


Nice! It's good to have that required right off the bat. When I was looking through the usage report, pretty much anyone in our org that had Okta Verify used it almost exclusively. It was a pretty easy conversation. We did end up announcing some changes to the company, in case anyone has been following along and is interested.

We went with a sort of tiered approach. We'll start by requiring Okta Verify and Google Authenticator, then two weeks later, disable SMS as an option. I do wish that Okta called the Google Authenticator factor type "Authenticator App" like other platforms do, because we're actively telling people to use Authy instead, since Authy can be backed up and restored to a new phone. That takes care of the only reason we had SMS, so that users aren't stuck if they need to erase or get a new phone.
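The two-phase rollout above is a change to the Okta MFA enrollment policy. As an added example, not code from the thread or from Okta, here is a small Python audit that builds the two phases as MFA_ENROLL policy bodies and reports which phone-bound factors (SMS, voice call, security question) a user can still enroll under each. The factor keys (`okta_verify`, `google_otp`, `okta_sms`, `okta_call`, `okta_question`, `fido_webauthn`), the `enroll.self` values and the `GET /api/v1/policies?type=MFA_ENROLL` endpoint are assumed from the classic Okta Policy API; the exact factor mix per phase and the sample policies are constructed. It runs entirely offline; to audit a real tenant, feed the JSON array that endpoint returns into `audit()` instead of the constructed policies.

```python
import json

# Factor keys from the classic Okta MFA enrollment policy API (assumed names;
# check them against your own tenant's policy export). These are the factors
# that a SIM swap or a traded-in phone defeats or strands outright.
PHONE_BOUND = {"okta_sms", "okta_call", "okta_question"}


def enrollment_policy(name, required=(), optional=(), not_allowed=()):
    """Build an MFA_ENROLL policy body of the shape POSTed to /api/v1/policies
    (shape assumed). Every factor listed gets an explicit enrollment setting;
    factors left out are treated as NOT_ALLOWED by factor_settings() below."""
    factors = {}
    for keys, setting in ((required, "REQUIRED"),
                          (optional, "OPTIONAL"),
                          (not_allowed, "NOT_ALLOWED")):
        for factor in keys:
            factors[factor] = {"enroll": {"self": setting},
                               "consent": {"type": "NONE"}}
    return {"type": "MFA_ENROLL", "name": name, "status": "ACTIVE",
            "settings": {"factors": factors}}


# Constructed sample: the two phases. Phase 1 requires Okta Verify and keeps
# SMS enrollable while people migrate; phase 2 shuts SMS (and questions) off
# and opens FIDO2/WebAuthn as the non-phone fallback.
PHASE_1 = enrollment_policy(
    "Phase 1: require Okta Verify",
    required=["okta_verify"],
    optional=["google_otp", "okta_sms"],
)
PHASE_2 = enrollment_policy(
    "Phase 2: SMS disabled",
    required=["okta_verify"],
    optional=["google_otp", "fido_webauthn"],
    not_allowed=["okta_sms", "okta_question"],
)


def factor_settings(policy):
    """Map factor key -> self-enrollment setting for one MFA_ENROLL policy.
    A factor missing from the policy cannot be enrolled, so it reads NOT_ALLOWED."""
    factors = policy.get("settings", {}).get("factors", {})
    return {k: v.get("enroll", {}).get("self", "NOT_ALLOWED")
            for k, v in factors.items()}


def audit_policy(policy):
    """Summarise one policy: required factors, optional factors, and which
    phone-bound factors a user can still enroll (the SIM-jacking exposure)."""
    settings = factor_settings(policy)
    return {
        "name": policy.get("name"),
        "required": sorted(k for k, v in settings.items() if v == "REQUIRED"),
        "optional": sorted(k for k, v in settings.items() if v == "OPTIONAL"),
        "phone_bound_enrollable": sorted(
            k for k in PHONE_BOUND
            if settings.get(k, "NOT_ALLOWED") != "NOT_ALLOWED"),
    }


def audit(policies):
    """Audit every ACTIVE MFA_ENROLL policy in an export (e.g. the array from
    GET /api/v1/policies?type=MFA_ENROLL); other policy types are skipped.
    Note that Okta's non-deletable default policy is included by this filter."""
    return [audit_policy(p) for p in policies
            if p.get("type") == "MFA_ENROLL" and p.get("status") == "ACTIVE"]


def sms_free(policies):
    """True only when no active enrollment policy lets anyone enroll a
    phone-bound factor, i.e. the end state the thread is aiming for."""
    return all(not r["phone_bound_enrollable"] for r in audit(policies))


if __name__ == "__main__":
    for report in audit([PHASE_1, PHASE_2]):
        print(json.dumps(report, indent=2))
    print("Phase 2 SMS-free:", sms_free([PHASE_2]))
```

The check is deliberately pessimistic: a factor counts as enrollable unless its setting is explicitly `NOT_ALLOWED`, and a single active policy that still permits SMS is enough to fail `sms_free()`, since policy priority only decides which rule applies to a given group, not whether the weak factor exists in the tenant.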


Actually not a bad idea. Technically you could add the Google Auth to Okta Verify as an extra MFA, because Okta Verify can also have multiple and other services added. I use my Okta Verify for a range of different tools.


That’s helpful info about Authy’s backup options, @mitchell.smith. The main reason some of our power users like having a second authenticator is because our employees all have 1Password. You can use 1Password to generate and auto-fill one-time passcodes right in the browser, so you don’t have to touch your phone at all. A minority of users have Touch ID available to them.


I know this has been discussed before, but I’ll share that I’ve always been super against storing MFA one-time passcodes in 1Password. Just goes against the whole idea of “something you know plus something you have”.
