Okta Alert: Super Admin Privileges Under Threat

Okta Reveals IT Help Desks Exploited for Super Admin Access

In light of the recent revelations from Okta highlighting social engineering tactics aimed at super administrators in IT help desks, we decided to address the security measures recommended by Okta and explain how Secfense caters to each of these concerns. But before we do, here’s a quick recap of the story.

Okta Reveals IT Help Desks Exploited for Super Admin Access

Okta warned of social engineering attacks on U.S. IT service desks aiming to reset MFA for high-privileged users, especially super administrator accounts. Attackers, active between July 29 and August 19, compromised admin accounts to impersonate users within the targeted organization. They manipulated the Active Directory, used new IPs and devices, and set up a secondary Identity Provider to access applications via Single-Sign-On (SSO). Okta prepared a series of recommendations on how to avoid these types of attacks. Below, we list all of Okta’s recommendations and explain how you can introduce each of them in your organization with the use of Secfense User Access Security Broker.

Okta Alert Super Admin Privileges Under Threat

How to Prevent Helpdesk-Facilitated MFA Breaches

1. Enforce phishing-resistant authentication with FIDO2

FIDO2 is a modern, phishing-resistant authentication standard that uses cryptographic security to enable passwordless and multi-factor authentication. Secfense enables the deployment of FIDO2 WebAuthn across all applications. This means that all applications, including modern apps and legacy apps, customer-facing apps, and workforce apps, can be equipped with FIDO2 authentication in the same easy way that doesn’t require any coding and is highly scalable. For large organizations, this means finally grasping the entire organization’s security and coming up with unified user access policies shaped by the organization. That ensures application integrity and doesn’t require extensive IT resources or application downtime.

2. Require re-authentication for privileged access

Requiring re-authentication for privileged app access, including the Admin Console, adds an additional layer of security, ensuring that even if a session is hijacked or credentials are compromised, unauthorized users cannot access or make changes to critical systems without verifying their identity again, thereby significantly reducing the risk of breaches and unauthorized actions. Microauthorizations by Secfense ensure reauthentication for specific actions or resources. Microauthorizations aim to enhance security by requiring users to re-authenticate at various stages of their interaction with an application, ensuring that access to specific resources or actions is granted only after verifying the user’s identity. They offer protection against threats like active session attacks, real-time phishing, malware, automatic data exports, and uncontrolled data leakage. Furthermore, the ease of use is ensured by leveraging standards like FIDO2, allowing users to authenticate effortlessly using cryptographic keys or local authenticators.

3. Use strong authenticators for self-service recovery

In the case described by Okta, attackers aimed to exploit vulnerabilities to hijack privileged accounts. By using strong authenticators like FIDO2-based authentication, organizations can ensure that even if attackers attempt to exploit the recovery process, they will face a formidable barrier. Limiting this process to trusted networks further reduces the attack surface, ensuring that potential attackers can’t exploit the recovery process from untrusted or potentially malicious networks.

Secfense’s Full Site Protection, a User Access Security Broker component, distinguishes between trusted and untrusted networks, offering VPN-like benefits without the associated costs. When activated, users outside trusted networks must first activate a second authentication factor within a trusted location, like an office. This not only enhances login security but shields the entire application.

Okta Recommendations in Response to Super Admin Attacks

4. Streamline Remote Management and Monitoring (RMM)

Remote Management and Monitoring (RMM) tools are software solutions that allow IT professionals to manage and monitor IT systems remotely. These tools can be used to perform updates, detect issues, and generally ensure that systems are running smoothly, even if they’re not physically present at the location. The Okta case highlighted the vulnerabilities that can arise when attackers exploit IT service desks, aiming to trick them into resetting multi-factor authentication (MFA) for high-privileged users. If attackers can access RMM tools, they could have a direct line to manipulate, monitor, or even control IT systems remotely. This could give them the ability to further their attack, bypass security measures, or gather information to aid in their social engineering attempts.

While Secfense’s primary focus is on enhancing authentication security, its features can be applied to the context of RMM tools by adding FIDO2 authentication and microauthorizations on top of these tools, ensuring that remote management and monitoring are conducted securely and only by authorized personnel.

5. Enhance help desk verification

In the incident described by Okta, attackers specifically targeted IT help desks, attempting to deceive them into resetting multi-factor authentication (MFA) for high-privileged users. Given the tactics used by the attackers, enhancing help desk verification processes becomes a critical defense mechanism. By adding multiple layers of verification, organizations can significantly reduce the risk of social engineering attacks succeeding, ensuring that attackers can’t exploit help desks as easily to gain unauthorized access.

Secfense’s microauthorizations, as part of their User Access Security Broker, directly address the recommendations of implementing MFA challenges and manager approvals to enhance help desk verification.

  1. MFA Challenges – Addressed by Microauthorizations in the Owner Scenario:
    • In the Owner scenario, microauthorizations act as an additional layer of security for users who are already logged in. By adhering to the principle of least privilege, this scenario ensures that even if a user is authenticated, they must re-authenticate or confirm their identity when accessing specific resources or performing certain actions. This is especially crucial for defending against threats like real-time phishing or malware attacks that might target an active session.
  2. Manager Approvals – Addressed by the Microauthorizations in the Owner Supervisor Scenario:
    • The Supervisor scenario of microauthorizations introduces a human verification element into the process. When a user attempts to access a compassionate resource or perform a high-risk action, a request is sent to selected and trusted individuals (like managers or supervisors). These trusted individuals then decide whether to grant or deny the request. This approach ensures that even if an attacker manages to deceive one layer of security, they will face another hurdle in the form of human verification.

In essence, Secfense’s microauthorizations, which can be seamlessly integrated at any stage of the user journey due to the invisible security layer of the User Access Security Broker, offer a robust solution to the challenges highlighted in the Okta case. By requiring both automated (MFA) and human (supervisor microauthorization) verification processes, they significantly enhance security against various threats, including unauthorized data exports and data leaks.

6. Activate and test alerts for new devices and suspicious activity.

This recommendation is crucial because by implementing it, organizations can quickly detect and respond to such unauthorized access attempts by activating alerts for new devices and suspicious activities. Immediate alerts mean that even if an attacker bypasses one security layer, their unfamiliar activity or device can trigger a warning, allowing for rapid response and mitigation.

Secfense’s User Access Security Broker operates at the HTTP protocol level, a pivotal point in web traffic. Being positioned here allows it to monitor all incoming and outgoing traffic meticulously. This strategic placement means that Secfense can swiftly detect anomalies in traffic patterns, such as unfamiliar devices trying to access the system or unusual request patterns that might indicate malicious activity. The system can instantly trigger an alarm when such anomalies are detected, notifying the security admin. This real-time monitoring and alerting capability ensures that potential threats are identified and addressed promptly, further enhancing the organization’s security posture.

7. Limit Super Administrator roles and implement PAM

Attackers who gain control of super admin accounts can inflict significant damage, access sensitive data, or manipulate system configurations. By limiting the number of super administrator roles, implementing privileged access management (PAM), and delegating high-risk tasks, organizations reduce the potential attack surface and ensure that the damage can be contained even if one account is compromised.

While PAM solutions focus on a select group of privileged users, they often leave out the vast majority of regular users in an organization, creating a potential vulnerability. Secfense’s User Access Security Broker addresses this gap. Instead of focusing solely on the privileged few, Secfense offers protection to all users, ensuring that every account, regardless of its privilege level, is secured. This comprehensive approach ensures that while PAM solutions guard the “crown jewels” of an organization, Secfense acts as a protective shield for the broader user base. In essence, while PAM solutions are like specialized security for the vault in a bank, Secfense ensures that the entire bank, from the front door to the teller counters, is also secure. Combining both gives an organization a holistic security approach, covering its most privileged and regular users.

8. Mandate admins to sign in from trusted devices with phishing-resistant MFA

By ensuring that admins sign in only from managed devices, organizations can ensure that the devices used have the necessary security configurations and are free from malware or other threats. Implementing phishing-resistant MFA adds another layer of security, ensuring that even if credentials are stolen, they alone are not enough for access. Limiting access to trusted zones further ensures that even if attackers have the right credentials and device, they can’t access the system from just any location, adding another hurdle for potential attackers.

Secfense directly addresses the recommendation of mandating admin sign-ins from managed devices with enhanced security measures. Through its microauthorizations, Secfense enforces additional verification steps during sign-ins or specific actions, acting as a fortified multi-factor authentication. The Full Site Protection feature ensures that users, especially admins, can only authenticate from trusted networks, aligning with the principle of restricting access to trusted zones.

Secfense’s Answer to Help Desk MFA Bypass

Recent revelations from Okta have spotlighted a sophisticated social engineering tactic targeting IT help desks and super administrators. Attackers have been manipulating these desks to reset Multi-factor Authentication (MFA) for high-privileged users, particularly super administrator accounts. This breach has allowed them to impersonate users within organizations, compromising security. Okta has since provided a series of recommendations to counteract these threats. At Secfense, we’ve taken a keen interest in these recommendations and wish to demonstrate how our User Access Security Broker (UASB) can be a pivotal tool in implementing these security measures. By testing Secfense UASB, organizations can benefit from comprehensive MFA protection for their apps, introduce microauthorizations for an added layer of security, and enjoy full site protection that offers VPN functionalities without the associated costs. We also provide a checklist for a seamless transition to a passwordless environment. Dive in to understand how Secfense can fortify your organization’s defenses.

Antoni takes care of all the marketing content that comes from Secfense. Read More


We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk



We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director


Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera


Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT