Hi, We are looking to improve the security of the Office 365 access (and any other critical cloud application) by leveraging certificate authentication as a second factor in addition to user's password. We are looking at two use cases: - two factor authentication with user's password and user's certificate - device validation (using device's certificate) in addition to user password authentication. The second scenario would allow us to not only control the identity of the user, but to control the device from which the connection has been made. For example, many companies have a policy that corporate services (including email with native client) can only be accessed from corporate workstations. IMHO, the best (and probably the only) way to enforce this policy is by validating a certificate on the client's device. This does not seem to be possible with OKTA, but is possible with ADFS (or even just with AAD, if you sync the password hashes). I would like to have your opinions on this. (I am posting on the Office 365 for the lack of better topic, but the actual issue is authentication methods suport and is common for any cloud application)
Thanks for your interest here. Just this past August at Oktane, our user conference, we announced a beta for our Device Trust feature which is just one facet of our Contextual Access Management capability. You can read more about it on this blog post (https://www.okta.com/blog/2016/08/contextual-access-management-innovating-across-sso-adaptive-mfa-and-mobility-management/) or this one (https://support.okta.com/help/blogdetail?id=a67F0000000TWJpIAO). Okta's Device Trust functionality works with certificates, whether distributed to the device with Okta Mobility Management or another third party. You can tell Okta which root(s) to look for and we will consider certificates issued by that to be trusted. Again, this functionality is in beta currently, but we're getting a lot of interest from our customers about it and look forward to fleshing out the feature set to meet the needs we're hearing about before bringing it to you more broadly.
The one tricky thing you'll need to consider is EAS, since there's no real way to do MFA with EAS. O365 recently announced support for certificate authentication to Exchange Online, so we're also going to be investing in certificate based EAS profiles that are pushed via OMM, if you're interested in that scenario. That way, you could more easily guarantee that a device is trusted, rather than the user just knew how to configure their password in an EAS profile.
I would also like to see the ability to block access to OKTA from Windows, MacOS, iOS and Android that do not have a certificate or allowed access to protect from unauthorized or unwanted access from BYO or threats. DUO has this service, but is a part of a very expensive package.
Conditional access can do the above, but Okta has to support device registration (Azure AD Hybrid) I'm working with their support to set this up/see if its possible. (Okta can do pass/fail based on criteria such as device trust, but i want to allow regardless and just limit what they can do baed on device. This requires a conditional access policy within Azure AD.
Good news to share if you didn't catch it at Oktane. Okta has Device Trust in EA for Windows and iOS and other platforms are moving into beta soon. For details, please contact your Okta representative. Here's a good talk from Oktane: https://youtu.be/CsJVxfw5KE0
It looks like OKTA doesn't want to operate functionally without the reliance of Active Directory (which we are trying to move away from). Most IdM providers are becoming full stack supported without AD (SaasPass, OneLogin, Duo, etc.). Duo Beyond offers exactly what Okta should already have in place, but is expensive. We are growing tired of this limitation. Device Trust needs to support all device operating systems without AD.