Risky Bulletin Podcast Summary
Episode: Sponsored: Why threat actors hate Okta FastPass
Date: August 25, 2025
Host: Tom Uren (A)
Guest: Brett Winterford, VP of Threat Intelligence at Okta (B)
Episode Overview
This episode of Risky Bulletin explores why attackers fear Okta FastPass, focusing on the mechanisms behind Okta's passwordless authentication, how it raises the bar for phishing resistance, and the impact it is having on threat actors’ tactics. Host Tom Uren interviews Brett Winterford of Okta, shedding light on FastPass’s technical details, real-world incidents, and broader implications for organizational security strategy.
Key Discussion Points & Insights
What is Okta FastPass?
- Okta FastPass is a passwordless authentication method built into the Okta Verify app for mobile or desktop.
- “The Okta Verify application is the client that sits on your mobile device or your desktop that you authenticate with if you're an Okta customer.” (B, 01:05)
- Designed for usability (zero-click or one-gesture sign-in), deployability, and security.
How Does FastPass Work?
- Enrollment creates a cryptographic key pair:
- Private key stays on the user's device, public key goes to Okta.
- Each login is a cryptographic challenge/response, proving possession of the private key.
- “You are able to prove possession of that secret key without having to reveal the key.” (B, 01:56)
- Phishing resistance:
- FastPass can check that the origin (domain) of a sign-in request matches the original enrollment. If it doesn’t:
- The sign-in fails
- The user is warned
- A system log event is generated for security teams
- “If it isn't the same origin ... the sign in fails and Okta will ... create a system log event in the back end for Okta administrators or security teams to act on.” (B, 02:36)
Why Threat Actors Hate FastPass
- Phishing-resistant authentication breaks common attack patterns.
- Attackers explicitly warn users in phishing campaigns not to sign in with FastPass, because:
- Their phishing pages cannot capture or relay the required device-bound cryptographic response.
- Failed attempts trigger alerts and expose attacker infrastructure to Okta’s detection teams.
- “They wanted to make sure ... none of the targeted users used FastPass because ... it would also create a detection event that would not just result in burning their infrastructure ... but every day our team is warning dozens of organizations.” (B, 07:16)
Real-World Scenarios & Attack Adaptations
MFA Downgrade as an Attack Vector
- Attackers try to convince users to switch from phishing-resistant methods to weaker MFA (like SMS or OTP):
- “One of the ways they might try to do it is to convince the user to cancel out and downgrade ... to push or OTP SMS, something like that.” (B, 04:40)
- Example: Adversary asking users to remove their physical security key “for the next seven hours.”
- Attackers adapt phishing campaigns to exploit any available non-resistant authentication methods.
Detection and Defensive Advantages
- When users attempt to authenticate via FastPass on attacker infrastructure, Okta detects this and issues alerts:
- “We can analyze the domain and the structure behind it ... that can be fed into our broader set of products so that ... there can be automated responses to that activity.” (B, 08:46)
- This forces attackers to keep changing their infrastructure (IP addresses, domains), increasing their costs.
Policy and Deployment Considerations
Why Not Always Enforce Phishing Resistance?
- Edge cases exist (e.g., certain onboarding with mobile device management or thick client apps) where phishing-resistant modes may cause friction or not work.
- “Usually there's a thick client application involved, there is some kind of enrollment activity ... you might have some examples where you don't require phishing resistance.” (B, 03:32)
The Importance of MFA Policy
- Okta recommends enforcing phishing resistance in sign-in policies and ensuring users have multiple resistant authenticators.
- “The key lesson ... enforce phishing resistance in policy. And you don't have to worry about it.” (B, 10:08)
- “Ensure ... a sufficient number of strong authenticators ... and enforcing phishing resistance in sign on policies for anything that matters.” (B, 11:19)
- Design help desk processes to verify identities securely (e.g., push authentication challenge as a verification before opening a help desk ticket).
Cost and Usability Tradeoffs
- FastPass is more economical and scalable than physical security keys.
- “It's just a software client to push out. It's far more economical and deployable ... without actually having to invest.” (B, 12:20)
- The main cost is change management and user communications.
Trends and Impact
Detection Rates and FastPass Adoption
- 1,000 notifications sent in the last three months about phishing infrastructure targeting Okta customers—a 200% increase from the same period last year.
- “We’ve sent 1,000 notifications over the last three months ... that is a 200% higher than this time a year ago.” (B, 12:48)
- Broader industry phishing campaign volume has plateaued, but Okta’s detection rate is increasing due to more customers deploying FastPass and more robust detection methods.
- “The more ... our customers are enrolling their users in Okta FastPass and applying phishing resistance in policy, the more signal that gets created, the more detections that then can protect other Okta customers.” (B, 13:45)
Notable Quotes & Memorable Moments
- “So basically it's relying on the power of public key cryptography.” (Brett Winterford, 01:54)
- “If it isn't the same origin as the time of enrollment, then the sign in fails and Okta will … create a system log event ... for Okta administrators or security teams to act on.” (Brett Winterford, 02:36)
- “One of the ways they might try to do it is to convince the user to cancel out and downgrade to an MFA factor that offers less resistance to phishing.” (Brett Winterford, 04:40)
- “For every one of those detections, there might be 15 other user interactions in Okta system log. And we can use that intelligence to feed the broader product and help other customers.” (Brett Winterford, 07:56)
- “Either way, we're imposing costs. And that's, that's the point.” (Brett Winterford, 09:15)
- “Enforce phishing resistance in policy. And you don't have to worry about it.” (Brett Winterford, 10:08)
- “The cost of change is the only cost. It's the change comms. It's convincing users to change from the method they're using today to a more secure method.” (Brett Winterford, 12:34)
- “...it appears that there is phishing infrastructure being configured to target your users. And that is a 200% higher than this time a year ago.” (Brett Winterford, 12:48)
Timestamps for Key Segments
- 00:19 – What is Okta FastPass?
- 01:54 – Technical details: cryptographic foundation & phishing resistance
- 03:27 – Scenarios where phishing resistance isn’t enforced
- 04:26 – Why attackers avoid FastPass; MFA downgrade tactics
- 06:38 – Real-world attack example: targeted phishing using rogue Slack tenants
- 08:28 – Detection events & infrastructure exposure
- 10:08 – Best practices: enforcing robust policy, help desk design
- 12:20 – Rolling out FastPass vs. hardware keys
- 12:48 – Detection trends & FastPass adoption impact
Episode Tone and Style
The conversation is pragmatic, technical, and down-to-earth, with a focus on practical security implications and organizational reality rather than hype. Brett Winterford provides concrete examples and actionable insights, while Tom Uren keeps the discussion accessible and grounded.
Summary Takeaway
Okta FastPass provides strong, scalable phishing resistance in a user-friendly form. Its widespread adoption is not only thwarting attacker tactics—forcing adversaries to invest more to circumvent controls—but also bolstering detection rates for the entire Okta customer community. The key to maximizing this benefit is robust policy enforcement and user enrollment, balanced with thoughtful help desk processes and change management. As organizations further embrace phishing-resistant authentication, attackers are forced to adapt—and the cost of attack continues to rise.
