How can I leverage Okta to completely eliminate passwords in my organization?
Benjamin Campbell

I realize this is a loaded question, but this is directly aimed at a long term goal: dropping memorized / keyboard-driven passwords entirely. Okta obviously helps to significantly reduce the number of passwords a typical enterprise user has to remember. However, I don't yet see a path to eliminating the password entirely. I'd rather use a combination of other factors to verify a user and then leverage Okta's integration / directory synchronization / etc. capabilities for posting / SSO into other services that require authentication (password needed or not).

This is my first time posting on anything Okta, so apologies if this is a repeated topic. However lofty a goal this is, it's certainly a valid one. Time to kill the password.
Best Answer chosen by Benjamin Campbell
Benjamin Mullen
Hi Ben,

We're trying to do the same thing. From an Okta perspective, their IDP discovery features coming out appear to be leading down a path where a user can enter a username and then receive a push notification via Okta Verify, for example.

But that seems a good 6-9 months out at least. So we looked for a 3rd party IDP that we can then set Okta to trust to allow for optional no-password login in the meantime. We've settled on a company that uses QR code scanning via a mobile app to do just this. Happy to share details privately.

We're also piloting Windows Hello as we're predominantly a Windows 10 shop. So far it's being received very well, especially from our travelers. Hoping that Chrome gets on the Web AuthN bandwagon quickly so it's not just available in Edge.

For IT users and the like that need remote server access, we're looking at a purchase for a privileged access broker that would integrate with a credential vault to bridge that gap.

Even still, an Okta user needs his/her password to edit user settings, add MFA options, or log into the Okta Mobile app. Our MDM also relies on passwords for device registration. So we're not 100% there yet.

We've taken the approach of enabling no-password authentication wherever possible, hoping to close gaps as we go. I agree with you - we can't sit idle and wait, we need to start moving away from shared secrets for authentication.

Ben

All Answers

Victor (Okta, Inc.)
Hi Ben!

I truly understand your concern, since traditional web authentication using credentials leaves sensitive data and applications vulnerable to attacks.
Okta has greatly improved the process of removing password usage. For example, we support:

- Delegated Authentication for AD or other directories

- WS FED applications

- SAML applications

- Integrated Web App, which logs the user in automatically based on the check we do with AD

Unfortunately, we cannot completely eliminate passwords. I am referring to the apps we have implemented. We strongly recommend setting up an application using SAML instead of SWA (insert credentials), but not all of our apps support SAML or WS-Fed.
Benjamin Campbell
I am using SAML, JIT, and other functionality where possible. That's all well and good; however, I want the capability in the Okta product set to completely eliminate the password as a factor. I believe passwords to be a weakness -- if the history of IT Security has shown us anything, that has been highlighted many times over.

There exist other authentication suites, not competing but complementary, such as TransmitSecurity, which when used in conjunction with Okta could provide a path to a password-less environment. It boils down to employing a risk engine to calculate the appropriate method(s) of authentication based on the specific auth request/situation. Then, as a user fulfills said auth request(s), a red/green is sent back to the connected service via API.

I'd like to have the option to choose from a list of 6 or 8 auth methods, and password could be one; just in most cases it isn't necessary, effective, or efficient for auth. When a user is coming from a known device in a known network and it fits their behavioral profile, would a single biometric be sufficient? Most likely. Now, does that user want to do something more admin-like? Perhaps it meets a higher risk threshold and there is another factor required in step-up.

I realize what it is that I'm asking for... But I'm looking towards future/advanced functionality and would like to see these features on the horizon.
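The risk-engine idea sketched in the post above (context decides which factors are required, a password is just one option in the list, admin-like actions trigger step-up), written out as an added illustration that is not part of this thread and not Okta's or TransmitSecurity's code. The method names, strength weights, risk signals and thresholds are all invented placeholders.

```python
"""Hypothetical risk-based authenticator selection (added illustration).

A request context (known device, known network, behavioral fit, privilege
of the action) is scored; the score decides how much authenticator
strength the session must prove. A password is allowed but never required.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed catalogue: authenticator -> rough strength weight (invented).
METHOD_STRENGTH = {
    "biometric": 3,       # e.g. a platform authenticator such as Windows Hello
    "hardware_token": 3,  # e.g. a FIDO2 security key
    "push": 2,            # e.g. an Okta Verify push approval
    "qr_scan": 2,         # e.g. QR-code scan via a mobile app
    "otp": 1,
    "password": 1,        # optional in the list, never mandatory
}

@dataclass(frozen=True)
class Context:
    known_device: bool
    known_network: bool
    behavior_matches: bool
    admin_action: bool

def risk_score(ctx: Context) -> int:
    """Additive toy score: each unfamiliar signal adds risk (weights invented)."""
    score = 0
    score += 0 if ctx.known_device else 3
    score += 0 if ctx.known_network else 2
    score += 0 if ctx.behavior_matches else 2
    score += 3 if ctx.admin_action else 0
    return score

def required_strength(score: int) -> int:
    """Map risk to the total authenticator strength the session must prove."""
    if score <= 2:
        return 3   # one strong factor (a single biometric) is enough
    if score <= 5:
        return 5   # step-up: a strong factor plus a second one
    return 6       # two strong factors

def decide(ctx: Context, presented: list[str]) -> tuple[bool, int]:
    """Return (green, shortfall): green when presented strength covers the need.
    Duplicate methods count once; unknown method names count as zero."""
    needed = required_strength(risk_score(ctx))
    have = sum(METHOD_STRENGTH.get(m, 0) for m in set(presented))
    return have >= needed, max(0, needed - have)
```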
Matt Fleming
We're in the same boat. We're a Windows 10 and Chrome shop. Using Edge as a primary browser is out of the question due to a number of business constraints. Windows Hello is working great to get users onto machines, but tying into Okta via is the next obstacle. Anything that can be done to get more steam behind this thread to put it on Okta's radar would be awesome.
Benjamin Mullen
Aside, it looks like Google is finally building in Web AuthN support: https://lists.w3.org/Archives/Public/public-webauthn/2018Jan/0273.html

This may not enable Windows Hello automatically in Chrome, but it's a necessary first step. Fingers crossed that later this year with new Okta and Chrome functionality, Windows Hello may be a viable login possibility.