How MFA is Bypassed: 0ktapus Explained

Learn more about the phishing attacks targeting Okta users and how Beyond Identity can prevent them.


Hi, I'm Joshua from Beyond Identity. When it comes to cyberattacks, things are getting more sophisticated. In 2022, we learned about the massive phishing attack targeting Okta users, codenamed 0ktapus. This attack bypassed the one-time-code MFA of these Okta users and specifically targeted Okta accounts, because the attackers knew they could get around those defenses.

According to Group-IB, the attackers targeted employees of the affected companies. These employees received text messages containing links to phishing sites that mimicked the Okta authentication page for their organization.

The usual flow of the attack went like this:

1. The threat actor sends an SMS to employees.
2. The victim accesses a phishing site that mimics the organization's Okta login page.
3. The victim enters corporate credentials on the phishing site.
4. The victim then provides the 2FA code.
5. The phishing site sends the compromised credentials and 2FA code to the attacker.
6. The threat actor completes the login and steals data. They often also make changes to the accounts to maintain persistence and escalate access.
7. Sensitive and private data is exfiltrated.

The researchers detected 169 unique domains or companies involved in the attack.

This type of attack is impossible with Beyond Identity. First, there is no password or other phishable factor. Beyond Identity replaces passwords with a public/private passkey pair, with the private key stored on the user's device in the TPM or secure enclave. Since this key can never leave the TPM or secure enclave, it cannot be phished or leaked. The user's identity is cryptographically bound to each of their devices with a unique public/private key pair. So an adversary can neither phish the credentials and one-time code nor log in from a device that does not hold a valid private key.
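To show concretely why the relay in the 0ktapus flow fails against a device-bound key but succeeds against a one-time code, here is an added illustration in Go; it is not Beyond Identity's code and does not describe their protocol. It assumes passkey-style origin binding (the device signs the server's challenge together with the origin the browser is actually on), keeps the private key in memory where a real deployment would use the TPM, and uses constructed origins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device is the enrolled device; the page's private key lives in a TPM, here in memory (assumption).
type Device struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewDevice() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Pub: pub, priv: priv}
}

// message binds the server's challenge to the origin the browser is actually on.
func message(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign is the device-side step: for a victim on a look-alike page, origin is the phishing origin.
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, message(origin, challenge))
}

// Verify is the identity provider's check; it always uses its own origin.
func Verify(pub ed25519.PublicKey, realOrigin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, message(realOrigin, challenge), sig)
}

// LoginAccepted runs one login: the IdP issues a fresh challenge, the device signs it on the
// origin that served the page, and the IdP verifies against realOrigin. With a phishing
// pageOrigin this is exactly the 0ktapus relay, and the assertion is rejected.
func LoginAccepted(d *Device, pageOrigin, realOrigin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	return Verify(d.Pub, realOrigin, challenge, d.Sign(pageOrigin, challenge))
}

// OTPAccepted is the contrast: a one-time code carries no origin, so a relayed code is accepted.
func OTPAccepted(typed, expected string) bool { return typed == expected }

func main() {
	d := NewDevice()
	println(LoginAccepted(d, "https://idp-login.example", "https://idp.example")) // false: relay fails
}
```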

Beyond Identity's crowning achievement is our robust device security posture and continuous authentication capabilities. Beyond Identity enables you to define robust security policies that a device must meet for the authentication to be approved. The policy engine can evaluate things such as whether the firewall is enabled, whether the operating system is up to date, and when and where a user is logging in from. If a device does not meet these policies, the authentication will be unsuccessful, and you can even automatically quarantine that device.

After the initial authentication, Beyond Identity automatically checks that the device remains within policy, as frequently as every ten minutes, re-validating the device's security in the background without any added friction for the user. It is a truly invisible, continuous authentication experience. With Beyond Identity, you are always verifying and never trusting. Let us take on your burden of authentication and help you lay down the foundation for your zero trust architecture.