• tl;dr sec
  • Posts
  • How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication

How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication

An excellent Twitter thread by Dev Akhawe on the value of making this switch, and challenges and lessons learned along the way.

I keep coming back to this excellent tweet thread by Devdatta Akhawe, so I’ve copied it here for easy future reference.

1/ Recently, we switched Figma’s Okta to only allow phish-proof webauthn/FIDO MFA. I wanted to share a few things that helped us and might come in handy for any other security team.

2/ Moving to FIDO/Webauthn only is one of the most important risk reduction steps for any enterprise but transition is not easy. I am lucky that Figma leadership & IT team deeply cares about security & was immediately onboard with this change; otherwise, get them onboard first!

3/ There’s enough data now on the impact & prevalence of phishing; & webauthn is the only real way to stop it. With wide support on ID providers, hardware, & software, it has never been easier to make the case for webauthn. IT, in particular, is a critical partner here!

4/ Sign-up for Yubidelivery, Yubico’s service that will ship Yubikeys to your employees anywhere in the world while giving you and your finance team a single invoice. We provided the 5ci, since it has both a lightening and usb-c connector

5/ With TouchId / Win Hello, your employees likely already have laptops that natively support a biometric webauthn provider. Evangelize it with clear guidelines on how to set these up! Touchid is easily the most popular FIDO provider for us

6/ The nice thing about Okta is all the options around configuration it provides. We started with requiring FIDO while accessing critical-risk applications (e.g., AWS). You could log-in to other apps (including to register a new FIDO device) without a FIDO device.

7/ This is obviously not secure but was a good way to get FIDO adopted and in use. Warning: Okta’s power means policies can combine in surprising ways; during rollout, we used our SIEM (Panther) to write alerts for our invariants (e.g., all AWS access actually had a webauthn MFA)

8/ Next, we configured Okta so that employees in critical risk functions could only use FIDO. We rolled this out in stages, starting with Security then IT then Infra and so on. Security HAS to volunteer first—if your own team isn’t ready, why should anyone else be?

9/ In parallel, we evangelized in internal channels that everyone needs at least one FIDO device registered; we pinged people on Slack and monitored the logs till everyone had at least one device registered.

10/ (early on, our partners in IT had already started requiring new hires register at least one FIDO device )

11/ Okta lets you configure your setup so that everyone is required to register one FIDO device. Once we knew everyone had a device registered, we flipped the switch to enforce this policy: now, Okta will require a FIDO device configured (not required to use it yet)

12/ Next, we updated Okta config so that login-via-Okta for particular apps required webauthn. Good apps are ones that are important, but not urgent (i.e., any issues requiring support aren’t end of the world). e.g., L&D, expense reporting apps

13/ Mobile device auth is a big issue but browsers on both iOS and Android support FaceID as a webauthn authenticator. Evangelize it! You really only need Yubikey once: register on your computer and use it on your phone, to then register FaceID

14/ One big issue: if you delegate GSuite auth to Okta, Android does not support FIDO in the native login flows. You will need to implement a special Okta group that allows use of push auth (Okta lets you set membership in this group to auto-expire in 2hrs).

15/ This special okta group that auto-expires membership in 2hrs is something you will need for lockouts etc once webauthn enforcement is enabled. And yes, I know, ironic that GSuite is the one product where webauthn is an issue, when Google launched this whole movement.

16/ Finally, before enforcing webauthn as the only way to authenticate to Okta, we spent a week where during working hours for IT and Security, only webauthn was supported. We turned off the policy before going home and turned it back on in the morning

17/ After a week of this, we flipped the switch to require webauthn as the only mode to MFA to Okta. Even then, I waited a week to feel comfortable saying this is done :) And feel grateful to work at a company where leadership supported this transition.