• vin@lemmynsfw.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    If anyone here is a security expert, can you tell me if the following should have been done by default? Is it not a prevalent design practice?

    1. Binding Okta administrator session tokens based on network location (Complete)

    Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.

    • whoisearth
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Not infosec but work with them closely this makes sense. If my laptop gets stolen or compromised it’s more likely to occur outside of the office or a VPN session. If I have sessions established with admin I 100% want them to forcefully logout if my network changes. This would prevent a common scenario of bad actors from using a pre existing admin session.

        • whoisearth
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          1 year ago

          What negligence? If I read the policy change by Okta they’re ensuring that security of killing an admin session if the network changes.

          Edit - unless you mean not mandating the feature by default? As a SaaS solution Okta is set to provide the tools for any company to use which they’re doing. They provide the ability to enable tighter security but it’s not their problem to solve. They could argue successfully that a company can and should enable their own security provisions that may overlap.

          To use non-IT terms, Okta is providing a box of knives to a teacher. The expectation is the teacher ensures if the kids can use the knives or not. Okta can take out the sharpest knives if you ask them to but you have to ask.