All right, so first I'll just quickly introduce myself. I am a Senior Principal Technical Program Manager at Okta. I've been with Okta for over five years. I lead a diverse portfolio and help our internal team, Okta on Okta, with launching innovative products like Okta Identity Engine and Okta FastPass, and I also help with endpoint security, enhancing our security posture, and getting our products to federal standards. I'm based in San Francisco, California. Just a little bit about myself: I'm very active and outdoorsy. I like to play tennis and pickleball, so you'll find me on the courts a lot.
So for today I would like to kick off with our journey to passwordless and phishing resistance. Over the last couple of years, our product, engineering, and IAM teams spent time on moving Okta to a fully passwordless and phishing-resistant posture for accessing all Okta resources, and eventually for the entire identity lifecycle.
But before we get into that, I'd just like to talk a little bit more and explore why we wanted to get rid of passwords. The first one here is that passwords are weak and reusable. The average person will reuse their password on multiple websites, and that creates a great risk, because once one password is compromised, you can expect your other accounts to be compromised too. A password manager might help with this, but it's been proven that it's not something that people are following in the security industry.
These two go hand in hand. Passwords are also phishable and breakable, whether through social engineering or just a brute-force attack; at the end of the day, you can break passwords and unlock accounts. So that's not a great story. The next one here: passwords are very expensive to maintain. Consumers might spend time managing their passwords, and compromises make this effort more expensive. Calling the service desk to reset your password is not free.
On average, the Beyond ID survey conducted last year shows that it costs roughly $480 per employee per year. So it is quite an expense for every corporation. And lastly, passwords are just tiring. Password fatigue is real, and it feeds into each of the other points: you get tired of passwords, so you keep reusing them on every website. It's just not a great story.
Ever since we announced OIE, Okta Identity Engine, at Oktane in 2021, we've been working towards bringing this capability internally at Okta for our own tenant and organization.
Okta FastPass is sort of the killer app for our Okta Identity Engine rollout, and justifiably so: Okta FastPass will log you into resources from any device where FastPass is configured without prompting for any passwords. To deliver this, we looked at some of the common problems with adopting passwordless. You can see some of the callouts here, but the most common form being implemented or considered by businesses is something that employees are, such as biometrics: your voice, facial recognition, or fingerprint.
That's roughly 50% of businesses, and then 30% are using or considering something that employees have, such as FIDO authenticators, phones, security keys, et cetera. And roughly 40% of respondents actually said that FIDO2 was an important aspect of their passwordless adoption.
On the next slide, before I start sharing the learnings from our internal experience, I just wanted to pause and show this success story at Okta. This is our pre-rollout state, and this is pulled from the System Log, so I can talk through the metrics a little bit.
Password as a factor was at 33%, and you can see Okta Verify Push was at 46%, then FIDO. This is in 2021. Right after the rollout, you can see that FastPass sign-ons are at 56%, and now password as a factor is down to 16%. So it was a huge success for us at that time, and I just wanted to show that. On the next slide, just talking in numbers, some of the metrics: we are handling roughly 20,000 authentications per day, and every user enrolled two factors or two devices. You can see the number of devices enrolled and users enrolled.
And just a little bit of background on how we got there. We launched Okta Identity Engine and FastPass; our go-live was in August. Then in October we launched another enablement communication and reminded all our internal employees that they need to enroll. What we saw is that a significant percentage of employees were still not enrolled in FastPass. So we decided to look into why, and launched focus groups, surveys, and interviews with our employees.
We selected a subset of employees that we wanted to interview to understand why they didn't enroll, since it's such a cool feature. These are the questions we asked our interviewees: Have you heard of this? Do you know what the benefits are? Did you know that Okta Verify is already installed on your laptop? Why didn't you enroll? We interviewed a subset of people, and these are some of the learnings from those interviews. This is sort of an educational campaign that we launched; a lot of the feedback was about enrollment.
It's not just FastPass: when you introduce a new factor, end users have to go through some learning process. "It's not clear how to enroll." "I wasn't sure about the instructions." "I thought it was going to take me a long time, so I just didn't want to do it."
The next learning here, which really surprised me, is social proof. That's sort of the key. A lot of people lean on their colleagues: "Well, if my manager tells me that I have to enroll, I'll do it." "It would help if someone from my team enrolls and tells me about their experience; then I would do it too." Essentially, social proof is the key.
The next one here is feedback we heard from almost every interviewee: when it comes to communication, the more the better. Communicate often and reach out through every channel possible: your all-hands, your manager meetings, surveys, email communication, Slack updates. Your employees need to hear this, because they're getting a lot of information and it might not trickle down to everyone.
Those are some of the key learnings. Some of the other callouts we heard: "How do I know that I'm using FastPass?" Well, it'll be obvious; it will be on your dashboard. And some of the gotchas and aha moments from people who eventually enrolled: we re-interviewed them, and the feedback was, "I'm loving it. It saves me a lot of time. This is a great experience." On the next slide, since I'm the program manager, I wanted to share the comprehensive roadmap and how we started with this.
You can see we started this journey in 2020 when we did the first pilot for passwordless. That was essentially implementing FIDO2 and then Okta Verify OTP or push, for just a subset of users and low-risk apps. We implemented this pilot, then we did the gap analysis. We looked at Okta Identity Engine, which enables you to launch Okta FastPass. We looked at the features that are not supported, such as factor sequencing, SAML 1.0, and OMM, Okta Mobility Management.
Then we obtained our stakeholder approval to discontinue those features and go full speed with the Okta Identity platform. We also engaged early and often with our product team to enter betas of interest. The device authenticator was one of the betas we engaged in; we helped provide feedback to the product team on how they designed it and helped them get to early access and general availability in December 2020. The next one here is just numerous iterations of testing.
We procured our own pre-prod tenant for the Okta org so that we could connect all the critical applications and do thorough testing in that pre-prod environment. It's a one-to-one, production-like tenant. You can see that we've done lots of testing, and we had a rollback/roll-forward plan. We created a number of knowledge base articles for our support team so they can help recover users. We upgraded our pre-prod tenant and made sure that everything was working and critical apps were accessible. Then we launched the final rollout in August. So that's a very comprehensive plan for getting there.
In the next section, I just want to say that delivering this great end-user experience is not just about saving time and money; it's also a huge component of our passwordless journey. We calculated the business value for our business. To share a little bit more about these business values, we looked at three key value drivers: cost reduction; increased productivity, because you spend less time entering your password and more time doing your work; and the biggest one, in my opinion, enhanced security, the reduction of credential-related attacks. Those are the key value drivers, and here is a little bit more description of how we derived and calculated them.
This is how we translated those key value drivers into savings. If you think about the cost savings and get down to the seconds, traditional authentication will take you on average nine seconds, and passwordless roughly three seconds.
Then think about the cost per employee per year, count all the authentication events, and aggregate that. Those are the savings, and I think it's quite a good savings. We also thought about how we can get more actionable metrics for our customers and for ourselves, because we are a very data-driven company, so we needed metrics that could actually show us the percentage of resources that are behind phishing-resistant policies and total authentication events. So the product team came up with the solution our customers would need in order to replicate our own experience. This is our phishing-resistance score for our internal org, Okta on Okta. This has been pulled recently.
To segue into the next section: the OIE platform allowed us to layer additional security features on top. We have done some additional projects to harden our Okta on Okta tenant. The next one here shows all the capabilities that we could layer on top of each other to provide a zero trust architecture that emphasizes defense in depth.
Device trust, CrowdStrike, the trust score, and behavior detection, which I'll talk about a little bit more. We'll start with behavior detection. This one takes various data points from the user's authentication context, things like IP addresses and impossible travel, and essentially looks for out-of-order events for the user. How does it work? For users whose behavior signals fall within their historical baseline, nothing will happen. It will just be standard, seamless authentication.
And logically, for users who do not fall within the standard, you'll see that authentication requires a higher assurance level for users who are outside their typical behavior profile. You will not be denied access, but you will be prompted for a higher-assurance factor. That's how the behavior detection policies work in Okta. The next one here is also to show that; yeah, essentially that's the same slide. So next: of course, authentication of the user is only one part of the puzzle for zero trust.
We also looked at device trust, and device trust gives us flexibility to gate resources depending on the device status: unmanaged, registered with Okta Verify, or managed using a certificate. And we could also layer on top signals from EDR software like CrowdStrike.
Again, how does it work? How did we implement this? Using device trust with a managed device, we authenticate the device for end users to access Okta resources. So that works. If the device is unmanaged or there's no certificate on the device, authentication will be denied. In the same way, if the device is not registered with Okta Verify or FastPass, access will also be denied. We also implemented the CrowdStrike ZTA score, which gives you the ability to see real-time signals and make real-time access decisions.
I'm just going to check the time; I think we're almost at time. Again, if the score is lower than 60, access will be denied. If the endpoint is healthy and patched to the latest OS, the score will be higher and you will be able to access your resources.
Just to close it out, the phishing-resistant app policies were also applied as the last step here. We challenged ourselves to remove passwords, and we successfully did that by the end of 2023. You can see that the percentage of passwords was stuck at 2%, and eventually, by the end of 2023, we identified the gap on unmanaged iOS and removed that gap. The last one here is for new employee onboarding and the recovery flow.
We introduced hardware tokens to get to fully end-to-end phishing resistance. That's the end of the presentation. Sorry for taking an extra minute. I don't know if we'll have time for Q&A, but thanks for your attention.

First of all, thank you very much.
Yeah, we are a bit over time. There are a few questions; I will hand them over to you, and if you have questions for Lena, Lana, please just reach out to her after this session. Thank you.
But the learnings that you presented, the insights, and the honest and real experience that you have shared are really interesting and just good to know for those who are still on that journey. Thank you very much, Lena.

Thank you.
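Editor's added example, not part of the talk and not Okta's or CrowdStrike's code: a toy model of the layered access decision the speaker describes in the behavior-detection and device-trust sections (unmanaged or unregistered device denied, ZTA score below 60 denied, sign-ons outside the user's baseline stepped up to a higher-assurance factor rather than denied, phishing-resistant factor required for every app). Only the ordering of the layers and the 60 threshold come from the talk; the factor names, the numeric assurance levels, the "new source IP" baseline check, and the fail-closed handling of a missing EDR score are assumptions made for illustration, and the sign-on contexts are constructed, not real log data.

```python
"""Toy model of the layered zero-trust access decision described in the talk.

Added example, not Okta's or CrowdStrike's code. Only the layer ordering and
the ZTA threshold of 60 come from the talk; factor names, assurance levels,
the baseline check and the fail-closed handling of a missing score are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple

ZTA_MIN_SCORE = 60  # "if the score is lower than 60, access will be denied"


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # not denied, but a higher-assurance factor is required
    DENY = "deny"


# Assumed assurance ranking: 1 = phishable factors (password, OTP, push),
# 2 = phishing-resistant (FastPass, FIDO2 key), 3 = phishing-resistant plus
# user verification (biometric) on the same managed device.
FACTOR_ASSURANCE = {
    "password": 1, "okta_verify_push": 1, "okta_verify_otp": 1,
    "fido2_security_key": 2, "fastpass": 2, "fastpass_biometric": 3,
}


@dataclass
class AuthContext:
    user: str
    ip: str
    device_managed: bool           # management certificate present on the device
    okta_verify_registered: bool   # device registered with Okta Verify
    zta_score: Optional[int]       # CrowdStrike ZTA score; None = no signal received
    factors: Set[str]              # factors satisfied in this sign-on
    baseline_ips: Set[str] = field(default_factory=set)  # historical baseline


def behavior_anomalous(ctx: AuthContext) -> bool:
    """Assumed baseline check: a user with history signing on from a new IP."""
    return bool(ctx.baseline_ips) and ctx.ip not in ctx.baseline_ips


def presented_assurance(ctx: AuthContext) -> int:
    """Highest assurance level among the factors the user satisfied."""
    return max((FACTOR_ASSURANCE.get(f, 0) for f in ctx.factors), default=0)


def evaluate(ctx: AuthContext) -> Tuple[Decision, str]:
    """Apply the layers in the order the talk lays them out; device checks fail closed."""
    if not ctx.device_managed:
        return Decision.DENY, "unmanaged device (no management certificate)"
    if not ctx.okta_verify_registered:
        return Decision.DENY, "device not registered with Okta Verify"
    # EDR layer: a missing score is treated like a failing one (assumption: fail closed).
    if ctx.zta_score is None or ctx.zta_score < ZTA_MIN_SCORE:
        return Decision.DENY, f"ZTA score {ctx.zta_score} below {ZTA_MIN_SCORE}"
    # Phishing-resistant app policy requires level 2 everywhere; behavior detection
    # raises the requirement to level 3 instead of denying the sign-on.
    required = 3 if behavior_anomalous(ctx) else 2
    have = presented_assurance(ctx)
    if have < required:
        return Decision.STEP_UP, f"assurance {have} below required {required}"
    return Decision.ALLOW, "trusted device, healthy endpoint, sufficient assurance"


def run_samples() -> List[Tuple[str, Decision]]:
    """Constructed sign-on contexts (not real log data) that exercise each branch."""
    samples = [
        AuthContext("alice", "10.1.1.5", True, True, 85, {"fastpass"}, {"10.1.1.5"}),
        AuthContext("bob", "10.1.1.6", False, True, 90, {"fastpass"}),
        AuthContext("carol", "10.1.1.7", True, False, 90, {"fastpass"}),
        AuthContext("dave", "10.1.1.8", True, True, 42, {"fastpass"}, {"10.1.1.8"}),
        AuthContext("erin", "10.1.1.9", True, True, None, {"fastpass"}),
        AuthContext("frank", "203.0.113.9", True, True, 88, {"fastpass"}, {"10.1.1.10"}),
        AuthContext("frank", "203.0.113.9", True, True, 88, {"fastpass_biometric"}, {"10.1.1.10"}),
        AuthContext("grace", "10.1.1.11", True, True, 95, {"password"}, {"10.1.1.11"}),
    ]
    return [(c.user, evaluate(c)[0]) for c in samples]


if __name__ == "__main__":
    for user, decision in run_samples():
        print(f"{user:6s} -> {decision.value}")
```

The two "frank" rows show the point of the behavior layer as the speaker describes it: the same off-baseline sign-on is stepped up when only FastPass was presented and allowed once the higher-assurance (biometric) variant is satisfied, while every device or EDR failure in the rows above is a hard deny. Treating a missing ZTA score as a deny is a design choice worth making deliberately; an EDR outage will then block sign-ons rather than silently weaken the policy.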