
Issuing Certificates to Corporate-Owned Devices with Okta

Large organizations face a common problem when it comes to authentication: managing a variety of credentials for an assortment of different web applications. Each application requires a unique set of credentials for each individual who wants access to it. That means a rapidly growing number of credentials to manage with each additional application your organization uses.

This can lead to a variety of security issues caused by people forgetting their passwords or losing their credentials. With 10 million attacks targeting usernames and passwords occurring every day, IT departments can find themselves overwhelmed with password-reset support requests and unable to concentrate on more pressing matters. Public-key cryptography, in the form of X.509 digital certificates, is the best option for authenticating users. SecureW2 offers a turnkey PKI that can automatically enroll corporate-owned devices managed by Jamf, Intune, or any other major MDM; check out what one of our customers has to say.

Okta has also developed a solution in the form of an SSO (Single Sign-On) application that enables the use of one set of credentials to access all integrated web applications. While Okta’s SSO is already a significant improvement, it can be taken to the next level by configuring managed devices with certificates.

How Does Okta Work?

A major flaw with credential-based networks is inextricably linked with human behavior: people reuse passwords, or simply refuse to devote energy to memorizing complex ones. Okta takes cybersecurity a step in the right direction by eliminating the need for end users to remember a number of different credentials. Instead, Okta accomplishes authentication to web apps through the use of PIV (Personal Identity Verification). Each user in an organization is issued a physical smart card configured with their specific information, which is used for authentication. Often, the PIV is paired with a PIN to provide multi-factor authentication (MFA), which is much more secure.

Even though it removes the majority of passwords and replaces them with a PIV and a PIN, at the end of the day Okta still relies on credentials. Credential-based authentication is still susceptible to over-the-air credential theft and is just not as secure as certificate-based authentication.

Okta SSO With Certificates For Managed Devices

Certificates can carry a variety of identifying information: MAC address, email, username, and any other attribute held in your Identity Provider. This gives IT high assurance that the user logging in with the device is who they say they are.

The process of manually enrolling certificates with Okta SSO to corporate-owned devices is complex and mistake-prone, especially if end users are left to complete configuration. Misconfigured devices are a common vector for cyberattacks, so it’s imperative to correctly configure devices the first time.

Luckily, SecureW2 offers a solution for corporate-owned devices on an Okta network. Many organizations with Okta integrate their Mobile Device Management software through our Gateway APIs so they can auto-enroll their managed devices for certificates. You can use our gateways to generate policies and settings that are sent to devices so they are automatically enrolled for 802.1X digital certificates.

SecureW2’s auto-enrollment feature makes things substantially easier for IT administrators who no longer need to stress about configuring managed devices. Click here for our Intune integration guide.

What About Okta FastPass?

Okta FastPass is an upcoming passwordless authentication solution that was announced in 2020 but has been delayed multiple times. What distinguishes FastPass from other SSO solutions is that instead of using passwords for authentication, end users register their device via the Okta Verify app and can then access other web apps through this registration combined with the biometric capabilities of their devices.

Even with this substantial improvement, FastPass still isn’t as secure as plain old certificate-based passwordless authentication of the kind that SecureW2 already provides to Okta customers. Biometrics aren’t foolproof; people have replicated fingerprints using advanced technology and unlocked phones. The public-key cryptography that serves as the foundation for digital certificates is universally acknowledged as the pinnacle of authentication technology.

Plus, it continues to be unclear when FastPass will be available, so it’s unwise to delay securing your network while you wait for it.

Make Okta More Secure With SecureW2

By adding certificate capability to Okta SSO, an organization is able to offer precise security while improving the user experience. Certificate-based authentication protects against over-the-air attacks and prevents a user’s or device’s identity from being stolen.

If you want to authenticate users to an 802.1X network, there is no better method than X.509 digital certificates. A certificate is tied to the identity of a user and device for the life of the certificate. The certificate cannot be transferred to another device, so the users on your network are always correctly identified.
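To make the two claims above concrete (identity attributes carried inside the certificate, and a certificate that is only trusted when it chains to your own issuing CA), here is an added Go example using only the standard library. It is not SecureW2’s or Okta’s code; the CA name, username and email address are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mint generates a P-256 key and signs tmpl under parent with signer; a nil parent means self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { // root CA: the new key signs its own template
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA mints a throwaway issuing CA (constructed for this example, not SecureW2's PKI).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}, nil, nil)
}
// IssueClientCert binds IdP attributes (username as CN, email as an rfc822Name SAN) to a fresh
// key pair whose private half stays on the device, so the certificate is useless anywhere else.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user, email string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: user},
		EmailAddresses: []string{email}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca, caKey)
}
// VerifyClient trusts cert only if it chains to ca and is marked for client auth; returns CN and email SANs.
func VerifyClient(cert, ca *x509.Certificate) (string, []string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.EmailAddresses, nil
}
```

A look-alike CA with the same name but a different key produces certificates that VerifyClient rejects, which is the property that makes the identity in the certificate trustworthy.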

Certificates are simply the best option for secure authentication, and they can be added for a surprisingly affordable cost. If you’re interested in adding SecureW2’s #1 rated service, check out our pricing page.


Key Takeaways:
  • While Okta’s SSO is already a significant improvement, it can be taken to the next level by configuring managed devices with certificates.
  • Credential-based authentication is still susceptible to over-the-air credential theft and is just not as secure as certificate-based authentication.
  • SecureW2’s auto-enrollment feature makes things substantially easier for IT administrators.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
