Password Storage Encryption in Okta
Multi-Factor Authentication
Overview
This article explains the encryption level used to store passwords in Okta and details the encryption methods and techniques used to secure customer data.
Applies To
  • Password Encryption
  • Security
Solution

Okta stores passwords as bcrypt hashes computed with a high work factor (iteration count). Customer data, including usernames and passwords, is segmented per org. At the time of org creation, a programmatic org-level key store is generated, consisting of a 2048-bit RSA public/private key pair and a 256-bit symmetric key.

The 2048-bit RSA key pair is used to sign and encrypt the SAML assertions that the Okta service issues to downstream SaaS applications on behalf of the customers of the associated org. The same key pair is used to generate the X.509 certificate for that org.

The symmetric key is used with an AES cipher to encrypt customer data at rest within the Okta service databases. The cipher strength follows the length of the org symmetric key: the strongest AES variant available for that key length is used, so a 256-bit symmetric key results in AES-256 encryption.

Access to the Okta web application (https://<subdomain>.okta.com) is encrypted in transit using TLS 1.2 or later. The org keys and X.509 certificate are themselves protected by internally generated secret keys (referred to as master keys), which are stored in Okta's key management database.
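The key hierarchy described above (a per-org RSA-2048 key pair plus a 256-bit symmetric key, cipher strength selected by key length, org keys protected by a master key) can be modelled in a few dozen lines. The following Go program is an added illustration written for this article; it is not Okta's code and makes no claim about Okta's internal implementation. The type and function names (`OrgKeyStore`, `CipherName`, `WrapDataKey`, `SignAssertion`) are assumptions, AES-GCM is chosen here as the authenticated AES mode, the org ID is bound as associated data so a record sealed for one org cannot be opened as another org's, and RSA-PSS over SHA-256 stands in for the XML signature a real SAML assertion would carry.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// OrgKeyStore is a hypothetical model of the per-org key store: an RSA-2048
// key pair and a 256-bit symmetric key, both generated at org creation.
type OrgKeyStore struct {
	OrgID      string
	SigningKey *rsa.PrivateKey // signs SAML assertions, backs the org X.509 cert
	DataKey    []byte          // 256-bit key for data at rest (selects AES-256)
}

// NewOrgKeyStore generates the org-level keys at org creation time.
func NewOrgKeyStore(orgID string) (*OrgKeyStore, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	dataKey := make([]byte, 32) // 32 bytes = 256 bits
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	return &OrgKeyStore{OrgID: orgID, SigningKey: priv, DataKey: dataKey}, nil
}

// CipherName reports the AES variant selected by the key length, mirroring
// the rule that the strongest cipher available for the key size is used.
func CipherName(key []byte) (string, error) {
	switch len(key) {
	case 16:
		return "AES-128", nil
	case 24:
		return "AES-192", nil
	case 32:
		return "AES-256", nil
	}
	return "", errors.New("invalid AES key length")
}

// gcmSeal encrypts plaintext with AES-GCM under key; aad is authenticated but
// not encrypted, so it binds the ciphertext to a context such as the org ID.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

// gcmOpen reverses gcmSeal and fails on any tampering or wrong aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptAtRest / DecryptAtRest protect a customer record with the org data key.
func (ks *OrgKeyStore) EncryptAtRest(record []byte) ([]byte, error) {
	return gcmSeal(ks.DataKey, record, []byte(ks.OrgID))
}

func (ks *OrgKeyStore) DecryptAtRest(sealed []byte) ([]byte, error) {
	return gcmOpen(ks.DataKey, sealed, []byte(ks.OrgID))
}

// WrapDataKey protects the org data key with a master key so that only the
// wrapped form is ever persisted; UnwrapDataKey recovers it for the same org.
func WrapDataKey(masterKey []byte, ks *OrgKeyStore) ([]byte, error) {
	return gcmSeal(masterKey, ks.DataKey, []byte("org-key:"+ks.OrgID))
}

func UnwrapDataKey(masterKey, wrapped []byte, orgID string) ([]byte, error) {
	return gcmOpen(masterKey, wrapped, []byte("org-key:"+orgID))
}

// SignAssertion / VerifyAssertion stand in for signing a SAML assertion with
// the org RSA key (RSA-PSS over SHA-256 here; real SAML uses XML-DSig).
func (ks *OrgKeyStore) SignAssertion(assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPSS(rand.Reader, ks.SigningKey, crypto.SHA256, digest[:], nil)
}

func VerifyAssertion(pub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	ks, _ := NewOrgKeyStore("example-org")           // constructed org ID
	name, _ := CipherName(ks.DataKey)
	sealed, _ := ks.EncryptAtRest([]byte("constructed record"))
	fmt.Printf("org data key selects %s; sealed record is %d bytes\n", name, len(sealed))
}
```

The two things worth noticing are that the master key never touches customer records directly (it only wraps the org key), and that associated data ties every ciphertext to its org, so a record or wrapped key copied between orgs fails authentication rather than decrypting to garbage.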


Related References

More information is available at Okta's Security Trust Center.
