Bypassing Okta’s Passwordless MFA: Technical Analysis and Detection


Authentication security has always been a key area in the battle between defenders and attackers. Security vendors continuously implement new controls to safeguard authentication processes, but attackers soon discover methods to circumvent these measures, perpetuating a constant cycle of innovation and exploitation.

Multi-factor authentication (MFA) emerged as a robust defense against credential theft and credential-stuffing attacks. It requires not only “something you know” (a password) but also “something you have” (such as a user-bound device). Despite its promise, threat actors have developed techniques such as MFA fatigue (push bombing), Adversary-in-the-Middle phishing, and SIM swapping to get past these protections.

Recognizing these weaknesses, the industry introduced passwordless authentication. It removes the password entirely, and with it much of the risk of credential theft: instead of “something you know,” the user authenticates with a device-bound cryptographic key (“something you have”), optionally unlocked by a biometric (“something you are”) such as a fingerprint or face. Like every security measure, however, passwordless authentication is not immune to attack.

In this article, we explore a technique for bypassing Okta’s passwordless MFA from a compromised endpoint. We provide a technical analysis of the method and a demonstration, and offer strategies for mitigation and detection.

What Is Okta FastPass? 

Okta FastPass is a cryptographic multi-factor authenticator that facilitates passwordless authentication for any SAML, OIDC, or WS-Fed applications within Okta. It functions as a device-bound authenticator and is compatible with various operating systems through the Okta Verify application.

Upon completion of the device enrollment, the user associated with the device gains a “Proof Of Possession” factor, commonly referred to as “something you have.”

Okta Verify also supports biometric verification (Face ID, fingerprint recognition, or Windows Hello on Windows). If the user enables it, an additional key pair is generated in the device’s hardware-backed key store (the TPM on Windows); the private key stays in hardware and can only be used after a successful biometric check, while the public key is sent to Okta’s servers. Okta calls this the “User Verification” factor, or “something you are.”

When a user signs in to Okta using FastPass, the following authentication flow is initiated:

Diagram: FastPass authentication flow (source: Okta’s FastPass technical whitepaper)

Okta FastPass is designed to be a phishing-resistant factor: it refuses to complete authentication when an Adversary-in-the-Middle flow (such as an Evilginx proxy) is detected. The diagram below illustrates that check:

Diagram: FastPass phishing-resistance check (source: Okta’s FastPass technical whitepaper)

When Okta FastPass detects a phishing attempt, the authentication fails and a specific event is logged to Okta’s audit log.

Is Passwordless Bulletproof? 

In our example, we will demonstrate how Okta Verify on a compromised Windows machine can be bypassed, even if the user has configured optional biometric confirmation.

In The Wild Example – OktaTerrify

OktaTerrify is a security tool written to demonstrate weaknesses in passwordless authentication solutions, specifically Okta Verify and its FastPass feature. It was developed by CCob (Ceri Coburn) for a presentation at BSides Cymru 2024 and shows how such systems can be abused once an authenticator endpoint is compromised.

The tool has two components:

  • OktaTerrify: Designed to run on the attacker’s machine.
  • OktaInk: Designed to run on the victim’s machine.

OktaTerrify runs on the attacker’s machine and emulates Okta Verify in the FastPass token exchange with Okta’s backend: it handles the sign-in challenge that Okta would normally hand to the Okta Verify client, and it generates the OktaInk command lines that must be run on the victim’s machine to answer that challenge.

OktaInk runs on the victim’s machine, where it uses the device-bound and user-verification keys held by Okta Verify to sign the challenge, producing a FastPass token that Okta’s backend accepts.

Once the user-verification key has been exported (the optional backdoor step described below), OktaTerrify can mint FastPass authentication tokens that Okta accepts without any further interaction with the compromised machine; to Okta, the tokens look as if Okta Verify on the victim’s device had produced them. CCob provides a demonstration video of the tools in action.

Compromising an Okta Identity via a Compromised Endpoint

In the example, we leverage a compromised Windows endpoint with Okta FastPass configured and protected by Windows Hello (Windows’ passwordless solution). 

The compromised user in this example is protected both by an Okta password and Okta FastPass. 

This is a step-by-step execution of OktaTerrify:

  1. Victim side: Extract the Okta Verify database from the victim’s machine. It is a file named DataStore.db or OVStore.db (depending on the installed Okta Verify version) under %LocalAppData%\Okta\OktaVerify.
    You also need the compromised user’s SID.
  2. Victim side: Run OktaInk with the ‘DumpDBKey’ parameter to recover the key that encrypts the database extracted in step 1.
  3. Attacker side: Run OktaTerrify with the ‘backdoor’ flag to start the Okta authentication flow. A browser window opens at the Okta sign-in page and waits for FastPass authentication.

    After the attacker clicks Sign in with Okta FastPass, OktaTerrify prints an OktaInk command line to run on the victim’s machine.
  4. Victim side: Run the command line that OktaTerrify provided. Its output is a JWT that must be pasted back into OktaTerrify.
  5. Attacker side: Paste the JWT from the previous step. The authentication succeeds.

Optional steps to establish a backdoor on the attacker’s machine:

  1. Attacker side: After the successful authentication, OktaTerrify provides another OktaInk command line to extract the User Verification factor key.
  2. Victim side: Run that command line and copy its output.
  3. Attacker side: Paste the value from the victim’s machine. OktaTerrify now holds the user’s key material and keeps authenticating as the user for as long as it runs in the background, with no further access to the victim’s machine.

There Is a Limit to Conditional Access Configurations

As the simulation shows, OktaTerrify authenticated the attacker even though the user was protected by a phishing-resistant, biometric, hardware-bound MFA factor. The attacker fooled Okta by presenting a device-bound assertion from a machine that is not the one bound to the user: the keys came from the victim’s device, but the login did not.

There are security controls that narrow this down, such as restricting authentication to allow-listed networks and managed devices (Okta network zones and device assurance policies), but they are hard to maintain.

The sad truth is that in the battle between defenders and attackers, the attackers will find a way to bypass the defenses. Every security control has its limits. Organizations must be aware of these limitations and have the ability to quickly detect the moment these limitations are exploited. 

This is where a solution like Rezonate’s Identity Threat Detection and Response (ITDR) can be leveraged. ITDR is a security approach that uses a scenario-based methodology to actively hunt for identity-related TTPs. As a second layer of real-time protection, an effective ITDR monitors the areas where traditional security controls fail.

Identity Threat Detection Strategies

Rezonate provides unprecedented levels of visibility into identity privileges, activity, and risk across the identity infrastructure. The platform can detect hundreds of attack scenarios, taking into consideration both known techniques as well as behavioral anomalies. For Rezonate customers, this threat model is automatically monitored and no action is required.

A potential Okta Verify Bypass Attack that is being detected by Rezonate will raise an alert with the title “Okta Passwordless MFA Bypass.”  

Screenshot: Rezonate ITDR

Analyzing the Okta Audit Log

If you are new to the Okta audit log, see our Okta threat-hunting guide. To identify this behavior, we can use two approaches:

  1. Device-based: When a new device is enrolled in Okta Verify, it is registered in Okta’s backend. In addition, when a client authenticates using FastPass, some of the device metadata is appended to the request’s user agent. This method is not bullet-proof, since the client controls the user agent and can forge it, but when hunting in logs it is a useful data point in the anomaly-detection process. Search for:
    1. Event type: user.authentication.auth_via_mfa
    2. Factor: SIGNED_NONCE (Okta’s internal name for Okta FastPass authentication)
    3. Events where the audited user agent does not match any of the user’s devices registered in Okta. In the following picture, the user agent indicates that the authentication came from a virtual Windows machine, which is not registered as a device owned by the authenticating user:
  2. Behavioral analysis: Hunt for FastPass authentications from a device and location that are anomalous for that user. This is hard to do well and tends to generate many false positives, so you must first build an activity baseline per user (where they normally operate from and which devices they use) before an event can be judged anomalous.

Look for audit logs with the following characteristics:

  1. Event type: user.authentication.auth_via_mfa
  2. Factor: SIGNED_NONCE (Okta’s internal name for Okta FastPass authentication)
  3. Device type: Computer
  4. Result: SUCCESS

The following picture shows a matching event from a location that is anomalous for the authenticating user (Chile):
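Both hunts above (the device-based user-agent comparison and the behavioral location check) can be run over exported System Log events. The script below is an added example written for this article; it is not code from Rezonate or from OktaTerrify. Its sample events are constructed to mirror the Okta System Log JSON shape, the field paths it reads (eventType, outcome.result, debugContext.debugData.factor, client.device, client.userAgent.rawUserAgent, client.geographicalContext.country, actor.alternateId) are assumed from that schema, and the device-model text inside the user agents is invented for illustration rather than Okta’s exact format. The registered-device and location-baseline tables are likewise constructed stand-ins for what you would pull from the Okta Devices API and from log history.

```python
"""Hunt Okta System Log events for FastPass (SIGNED_NONCE) logins that do not
fit the user's registered devices or usual locations.

Added example, not code from the original article, Rezonate, or OktaTerrify.
Sample events are constructed; field paths are assumed from the Okta System
Log schema; the device-model text in the user agents is invented.
"""
from collections import Counter

# Constructed: devices each user has enrolled in Okta Verify. In practice this
# would come from the Okta Devices API or an MDM/CMDB export.
REGISTERED_DEVICES = {
    "alice@example.com": [{"platform": "WINDOWS", "model": "Dell Latitude 7420"}],
}

# Constructed: per-user count of countries seen in earlier successful logins,
# i.e. the activity baseline that must exist before the behavioral hunt is useful.
LOCATION_BASELINE = {
    "alice@example.com": Counter({"Israel": 180, "United States": 12}),
}

# Substrings that betray a virtual machine in a user agent (assumption: the
# hunt treats these as suspicious for users whose enrolled devices are physical).
VIRTUAL_MARKERS = ("virtual", "vmware", "virtualbox", "hyper-v", "qemu", "parallels")


def _event(uuid, factor, country, ua):
    """Build a constructed System Log event with only the fields the hunt reads."""
    return {
        "uuid": uuid,
        "eventType": "user.authentication.auth_via_mfa",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
        "debugContext": {"debugData": {"factor": factor}},
        "client": {
            "device": "Computer",
            "userAgent": {"rawUserAgent": ua},
            "geographicalContext": {"country": country},
        },
    }


# Constructed sample events: a benign FastPass login from the enrolled laptop, a
# FastPass login from an unregistered VM in a never-seen country, and a push login.
EVENTS = [
    _event("evt-001", "SIGNED_NONCE", "Israel",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) OktaVerify/4.8.0 Dell Latitude 7420"),
    _event("evt-002", "SIGNED_NONCE", "Chile",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) OktaVerify/4.8.0 VMware Virtual Platform"),
    _event("evt-003", "OKTA_VERIFY_PUSH", "Chile",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
]


def is_fastpass_success(ev):
    """True for a successful user.authentication.auth_via_mfa with factor SIGNED_NONCE."""
    return (
        ev.get("eventType") == "user.authentication.auth_via_mfa"
        and ev.get("outcome", {}).get("result") == "SUCCESS"
        and ev.get("debugContext", {}).get("debugData", {}).get("factor") == "SIGNED_NONCE"
    )


def device_findings(ev, registered):
    """Device-based check: compare the audited user agent with the user's enrolled devices."""
    ua = ev["client"]["userAgent"]["rawUserAgent"].lower()
    user = ev["actor"]["alternateId"]
    findings = []
    if any(marker in ua for marker in VIRTUAL_MARKERS):
        findings.append("user agent reports a virtual machine")
    if not any(dev["model"].lower() in ua for dev in registered.get(user, [])):
        findings.append("user agent matches none of the user's registered devices")
    return findings


def location_findings(ev, baseline, min_seen=1):
    """Behavioral check: flag a country seen fewer than min_seen times for this user."""
    user = ev["actor"]["alternateId"]
    country = ev["client"].get("geographicalContext", {}).get("country", "unknown")
    if baseline.get(user, Counter())[country] < min_seen:
        return [f"FastPass login from {country}, not in the user's location baseline"]
    return []


def hunt(events, registered, baseline):
    """Return one alert per suspicious FastPass login from a Computer, with its reasons."""
    alerts = []
    for ev in events:
        if not is_fastpass_success(ev) or ev["client"].get("device") != "Computer":
            continue
        reasons = device_findings(ev, registered) + location_findings(ev, baseline)
        if reasons:
            alerts.append({"uuid": ev["uuid"], "user": ev["actor"]["alternateId"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS, REGISTERED_DEVICES, LOCATION_BASELINE):
        print(alert["uuid"], alert["user"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed events, only evt-002 is raised, with three reasons: the user agent reports a virtual machine, it matches none of Alice’s enrolled devices, and Chile is absent from her location baseline. The push-factor event is filtered out before any check runs, which keeps the hunt scoped to SIGNED_NONCE as the article recommends. Because the user agent is attacker-controlled, treat the device findings as corroboration for the location anomaly rather than as proof on their own.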

An Added Layer of Identity Protection with Rezonate

Rezonate continuously monitors for suspicious activity and active attempts to compromise identities or abuse their privileges, to help you stay ahead of threats like this one. It works in real time to detect and block attempts by internal and external actors to take over user and machine identities, and to stop data exfiltration, crypto-locking, ransomware, and resource abuse before they escalate or achieve lateral movement.

With its identity threat detection and response capabilities, Rezonate monitors identity activity and adversarial changes to security controls, detects known threat models and anomalous behavior, and analyzes the blast radius of each identity across the identity fabric to show the potential impact. Once a threat is detected, Rezonate moves into response mode, using automated incident-remediation workflows and predefined mitigation strategies to respond before attackers can make their next move.

To see how Rezonate can help detect and respond to MFA bypass across your Okta infrastructure, request a free demo.
