惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Apple Machine Learning Research
Apple Machine Learning Research
AWS News Blog
AWS News Blog
Google DeepMind News
Google DeepMind News
U
Unit 42
博客园 - 叶小钗
博客园 - 聂微东
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
aimingoo的专栏
aimingoo的专栏
D
DataBreaches.Net
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
美团技术团队
The Cloudflare Blog
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
S
Schneier on Security
C
Check Point Blog
Project Zero
Project Zero
The Hacker News
The Hacker News
Scott Helme
Scott Helme
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cisco Talos Blog
Cisco Talos Blog
P
Privacy International News Feed
SecWiki News
SecWiki News
Latest news
Latest news
MongoDB | Blog
MongoDB | Blog
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
TaoSecurity Blog
TaoSecurity Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Last Week in AI
Last Week in AI
P
Privacy & Cybersecurity Law Blog
Forbes - Security
Forbes - Security
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
PCI Perspectives
PCI Perspectives
大猫的无限游戏
大猫的无限游戏
T
Troy Hunt's Blog
H
Hacker News: Front Page
Vercel News
Vercel News

Okta Security RSS Feed

Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Account Recovery, without Password Resets
Brett Winterford · 2025-12-10 · via Okta Security RSS Feed

One of the joys of passwordless authentication is the huge reduction in help desk tickets arising from users who have forgotten or otherwise can’t access their passwords.

Organizations that have embraced Okta FastPass report lower costs of support after the initial hurdle of getting their users enrolled. They also report greater confidence in their security posture, knowing that access to sensitive resources requires a tight coupling of a user and their device.

Those organizations that continue to rely on passwords as a primary authenticator still have good options for securing sign-on events: they can lock down sign-ins using device trust and multifactor authentication, among other options. 

In any case, strong sign-in policies shift the threat actor’s available options to the next weakest point in the user lifecycle: enrollment and account recovery. Threat actors continue to enjoy success when impersonating users in calls to IT helpdesks, requesting the service desk staff perform a password reset (typically followed by follow-up calls to reset other MFA factors).

These attacks are often successful in organizations with outsourced service desks. Outsourced IT service desk professionals are highly incentivized around how responsive they are to client needs. In doing so they are highly vulnerable to a skilled social engineer who impersonates a senior figure in a client organization. While it’s the subject of some debate, it’s the client organization’s duty to set up outsourced service desk professionals with the guardrails they need to withstand social engineering attacks. Those guardrails need to include strong identity verification processes, which present challenges in a remote and extended workforce.  To help solve this problem, Okta has partnered with multiple identity verification providers and specialists in recovery workflows to prove the identity of an inbound caller. 

Once a user’s identity is verified, the next question is how to provide support desk personnel with a safe way to recover access for the user. That’s where Temporary Access Codes (TACs) come in very handy. 

Constraining account recovery

Even if you have sufficiently verified the identity of an inbound caller, there are residual risks associated with service desk professionals being asked to create and share temporary passwords. A temporary password can be shared or intercepted and abused prior to use and rotation by the legitimate account holder.

Ideally, any use of temporary credentials is constrained to an expected context. A TAC, unlike a temporary password, is a time-bound secret that is classed in Okta as an authenticator, which means it can be subject to authentication policies. Administrators can decide, for example, which users are able to be issued a TAC, how long the TAC is valid for use, and from what location and device a TAC can be used. 

TACs bring an important account recovery option to passwordless environments, where a misplaced security key or other possession factor may temporarily prevent a user from accessing their resources. 

But the utility of a TAC doesn’t end there. Any Okta workforce customer now has the option  to disable the issuing of temporary passwords or resetting of passwords and MFA factors from front-line helpdesk roles. 

I’ve previously recommended the use of custom admin roles to create helpdesk roles that constrain the ability of service desk professionals to reset the factors of privileged users like administrators. Now there’s an opportunity to go one step further and create custom admin roles that can’t reset passwords or factors.

The custom helpdesk role would need, at minimum:

  • The ability to read user information (“View Users and their Details”)

  • The ability to add a user to a specific group of users that are eligible for assigning Temporary Access Codes (“Edit user’s group membership,” “View groups and their details,” “Manage group membership”)

  • The ability to issue Temporary Access Codes (“Manage user's Temporary Access Code”)

More crucially, the custom helpdesk role would no longer need to be assigned permissions to:

  • Reset a user’s password (“Reset users' passwords”)

  • Assign a temporary password to a user (“Set users' temporary password”)

  • Reset the MFA factors of a user (“Reset users' authenticators”)

  • Enroll a user in MFA (“Enroll users' authenticators”)

Once an inbound caller has verified their identity, a TAC issued to a user for account recovery could be constrained to be:

  • Only valid for a few minutes

  • Only used in conjunction with another previously enrolled factor (“authenticator method chaining”)

  • Only used from a specific set of locations

  • Only used from a registered or managed device

For guidance on how to use TACs as an account recovery factor, please refer to the following help desk article.

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.