Cybersecurity became real for me the day my colleague’s laptop vanished from his desk. We were working at a defense contractor, and he had downloaded a government report on cyberthreats. Unbeknownst to him, it was laced with a backdoor. When he returned from a trip, his machine — along with the only copy of his master’s thesis — was gone, confiscated by our security team. That was the moment the threat landscape moved from an abstract concept to a tangible reality. This pivotal lesson made the abstract tangible: The frontline of cyberespionage ran directly through the desk right next to mine.
That Was Then; This Is Now
That experience has shaped my perspective ever since. Today, the frontline has expanded from a single desk to every home office, coffee shop and airport lounge in the world. The traditional, brick-and-mortar perimeter has dissolved, rendered obsolete by a fluid borderless ecosystem of cloud applications, third-party vendors and a distributed workforce.
This new reality creates a profound challenge for leaders. When the walls are gone, where does security begin? The answer is identity. Without a clear perimeter, a user’s identity is the one constant: the single control plane through which every access request must pass. It has become the heart of any modern enterprise security strategy.
Identity Is the Primary Target
This shift has not gone unnoticed by our adversaries. When employees began working remotely, attackers adjusted their tactics accordingly. They saw their new opportunity with great clarity: Users were at home, often on less secure networks, and their identity was the weakest link. As a result, identity became the most attacked vector. Credential theft and sophisticated phishing have evolved from fringe threats into the central tactics of the modern adversary.
Security teams can no longer simply block access from unapproved locations when legitimate work is happening everywhere. If a cybercriminal steals legitimate credentials, they gain unfettered access to critical resources with little friction. This is one scenario that keeps CIOs and CISOs up at night. As somebody once told me, phishing is the ultimate threat because, if an attacker gets the keys to the kingdom, all other security controls — network, endpoint and cloud — become irrelevant. They can simply walk in the front door.
Security That Serves the User
Confronting this reality requires us to evolve our defenses at the speed of the adversary. A few years ago, the conventional wisdom was that deploying any form of multifactor authentication (MFA) would solve the problem. A 2019 Microsoft post famously claimed that MFA could block 99.9% of attacks on accounts.¹ Any second factor does stop automated password spraying and credential stuffing, but as advice for defending against phishing it is now dangerously outdated. Today, we know that traditional push- and SMS-based MFA are insufficient on their own, because adversaries have practical techniques to bypass them: adversary-in-the-middle phishing proxies that sit between the user and the real login page, relay the one-time code and capture the resulting session token; push-notification fatigue, where the victim is prompted until they tap approve; and SIM swapping to intercept SMS codes.
While MFA remains an essential layer of security, we must now focus on the quality and assurance level of our authentication methods. At Okta, we’ve centered our strategy on a modern approach that is both more intelligent and, crucially, more seamless. For the first time in my career, I can confidently say that we can significantly raise the security bar and improve the end-user experience simultaneously. The key is to move away from cumbersome, friction-filled authentication methods and embrace phishing-resistant authentication built on the biometric technologies people already use every day. The phishing resistance does not come from the biometric itself but from the credential it unlocks: a FIDO2/WebAuthn credential (a passkey) is a private key bound to the device and to the site it was registered with, so an assertion produced on a look-alike domain is useless at the real one and there is no code for a proxy to relay.
What many don’t realize is that a simple Face ID or Touch ID sign-in is, in fact, already multifactor. It combines something you are (the biometric, which is verified locally and never leaves the device) with something you have (the registered device holding the private key), providing a high level of trust in a single, frictionless action. The server sees only a signature from that device-bound key over a fresh challenge and the origin of the page that requested it, so there is no shared secret for an attacker to phish or replay. The goal is to create an experience where the speed bump of security feels more like a carriage return — you just do it, and you’re in.
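The mechanism behind those two paragraphs, as an added example rather than code from the article or from Okta: a relying party verifies a WebAuthn-style assertion and rejects one produced while the user sits on an adversary-in-the-middle proxy, while a relayed one-time code passes. The hostnames are made up, and the authenticator's signature is stood in for by an HMAC over a per-credential device secret so the script needs only the standard library; a real authenticator signs with a device-bound private key and the server verifies with the registered public key.

```python
"""Why an origin-bound assertion (FIDO2/WebAuthn style) defeats a
phishing proxy while a relayed one-time code does not.

Added illustration, not Okta's or the FIDO Alliance's code. The
signature is an HMAC over a device secret (stand-in for a private
key); hostnames are assumed for the demo.
"""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                           # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"  # assumed AitM proxy


def sha256(b):
    return hashlib.sha256(b).digest()


class Authenticator:
    """Platform authenticator on the user's device (Face ID / Touch ID)."""

    def __init__(self):
        self.creds = {}                       # rp_id -> device-bound secret

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]              # what the RP stores at enrollment

    def get_assertion(self, rp_id, origin, challenge):
        # Only produced after local user verification (the biometric).
        secret = self.creds[rp_id]            # KeyError if no credential for rp_id
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        # authenticatorData: rpIdHash || flags (UP = 0x01, UV = 0x04)
        auth_data = sha256(rp_id.encode()) + bytes([0x05])
        sig = hmac.new(secret, auth_data + sha256(client_data), "sha256").digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def browser_get(authn, page_origin, rp_id, challenge):
    """The browser, not the page, fixes the origin and enforces rpId scoping."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not valid for {page_origin}")
    return authn.get_assertion(rp_id, page_origin, challenge)


def rp_verify(pub, challenge, a):
    """Relying-party checks on an assertion; returns (ok, reason)."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a["auth_data"][:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    if not a["auth_data"][32] & 0x04:
        return False, "user verification flag not set"
    expect = hmac.new(pub, a["auth_data"] + sha256(a["client_data"]), "sha256").digest()
    if not hmac.compare_digest(expect, a["sig"]):
        return False, "bad signature"
    return True, "ok"


def otp_code(secret, counter):
    """HOTP-style 6-digit code: nothing in it names the site it is for."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    off = digest[-1] & 0x0F
    return f"{(int.from_bytes(digest[off:off + 4], 'big') & 0x7FFFFFFF) % 10**6:06d}"


def run_scenarios():
    authn = Authenticator()
    pub = authn.register(RP_ID)
    challenge = os.urandom(16).hex()          # fresh per login, chosen by the server
    out = {}
    # 1. Legitimate login from the real origin.
    out["legit"] = rp_verify(pub, challenge, browser_get(authn, RP_ORIGIN, RP_ID, challenge))
    # 2. AitM proxy relays the real challenge, but the user is on the phishing origin.
    try:
        browser_get(authn, PHISH_ORIGIN, RP_ID, challenge)
        out["phish_browser"] = "assertion produced"
    except PermissionError as e:
        out["phish_browser"] = f"browser refused: {e}"
    # 3. Even without the browser check, the origin is inside the signed data.
    out["phish_no_browser_check"] = rp_verify(
        pub, challenge, authn.get_assertion(RP_ID, PHISH_ORIGIN, challenge))
    # 4. Same proxy against a one-time code: the relayed code is simply valid.
    otp_secret = os.urandom(20)
    relayed = otp_code(otp_secret, 7)          # what the user typed into the proxy
    out["otp_relay"] = otp_code(otp_secret, 7) == relayed
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 2 is the normal case: the browser refuses to use a credential scoped to `login.example.com` from any other host. Scenario 3 shows the second line of defense, which is why a server-side origin check is mandatory even though the browser already enforces scoping. Scenario 4 is the whole reason push and OTP factors fail against a proxy: the code carries no information about where it was entered.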
Extending User Security to the Enterprise
For the enterprise, we can take this even further. Beyond just phishing-resistant authentication, we can gather rich, contextual signals from the device itself, asking questions like: Is it a managed device? Does it have the right security posture? Is it integrated with our XDR solution? From there, we can build a complete picture of risk and make smarter access decisions behind the scenes. This is the philosophy behind our work at Okta: to provide secure, passwordless authentication that delivers a profound cultural win, transforming security from a blocker into an enabler.
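One shape such a decision can take, as an added example that is not Okta's policy engine: the strongest factor completed in the session is ranked by assurance, device signals are checked first for sensitive tiers, and any step-up asks only for a phishing-resistant factor. The factor names, assurance scale, application tiers and posture fields are assumptions chosen for the demo; a real deployment would take them from the identity provider, MDM and EDR integrations.

```python
"""Contextual access decision combining authenticator assurance with
device signals. Added illustration, not Okta's code; factor names,
assurance levels, app tiers and posture fields are assumed.
"""
from dataclasses import dataclass

# Assurance of the strongest factor completed in the session (assumed scale).
# Push and OTP rank above a password but are relayable through a phishing
# proxy; only the origin-bound FIDO2 factor with user verification counts
# as phishing-resistant here.
ASSURANCE = {"password": 0, "sms_otp": 1, "push": 1, "totp": 1, "fido2_uv": 3}
PHISHING_RESISTANT = {"fido2_uv"}
REQUIRED = {"internal": 1, "sensitive": 3, "admin": 3}   # assumed tiers
POSTURE_TIERS = {"sensitive", "admin"}                    # tiers that check device health


@dataclass(frozen=True)
class Context:
    app_tier: str
    factor: str                 # strongest factor completed so far
    managed: bool               # enrolled in MDM / device trust
    disk_encrypted: bool = True
    edr_healthy: bool = True    # XDR/EDR agent installed and reporting
    os_patched: bool = True
    session_age_min: int = 0


def decide(ctx, max_session_min=480):
    """Return (decision, reasons); decision is allow, step_up or deny.

    Hard denies on device state are evaluated before any step-up:
    prompting for a stronger factor on an unmanaged or unhealthy device
    would only add friction for the legitimate user without reducing risk.
    """
    if ctx.app_tier not in REQUIRED or ctx.factor not in ASSURANCE:
        return "deny", ["unknown app tier or factor"]
    if ctx.app_tier in POSTURE_TIERS:
        if not ctx.managed:
            return "deny", ["unmanaged device for " + ctx.app_tier]
        failed = [name for name, ok in (("disk_encrypted", ctx.disk_encrypted),
                                        ("edr_healthy", ctx.edr_healthy),
                                        ("os_patched", ctx.os_patched)) if not ok]
        if failed:
            return "deny", ["posture: " + ", ".join(failed)]
    have, need = ASSURANCE[ctx.factor], REQUIRED[ctx.app_tier]
    if have < need:
        # Step-up only ever asks for a phishing-resistant factor; asking for
        # a second relayable one adds friction, not security.
        return "step_up", [f"{ctx.factor} is below assurance {need}; require "
                           + " or ".join(sorted(PHISHING_RESISTANT))]
    if ctx.session_age_min > max_session_min:
        return "step_up", [f"session older than {max_session_min} min"]
    return "allow", ["assurance ok" if ctx.factor in PHISHING_RESISTANT
                     else "assurance ok (factor not phishing-resistant)"]


if __name__ == "__main__":
    for c in (Context("admin", "fido2_uv", managed=True),
              Context("admin", "push", managed=True),
              Context("sensitive", "fido2_uv", managed=False),
              Context("sensitive", "fido2_uv", managed=True, edr_healthy=False),
              Context("internal", "push", managed=False)):
        print(c.app_tier, c.factor, "->", decide(c))
```

The ordering is the point: a phishing-resistant login from an unmanaged or unhealthy device is still denied for sensitive tiers, and a relayable factor on a healthy managed device is stepped up rather than refused, so the user is guided toward the stronger method instead of being locked out.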
Want to hear more on this topic? Listen to the full, unedited conversation with Jamie on the Threat Vector Podcast.
1. “One simple action you can take to prevent 99.9 percent of attacks on your accounts,” Microsoft Security, August 20, 2019.