Okta looked very bad during the entire saga where they kept denying they were hacked until the proof was insurmountable. Pretty sure there was a large discussion on HN at the time too.
Agree they have shortcomings too, I guess; what I was trying to say is it's best not to put all your eggs in one basket and to spread them across different products/companies.
To toot my own company's horn[0], we designed our authentication protocol OpenPubkey[1] to have two signers on tokens:
1. The IDP signer (like Microsoft or Google)
2. The Cosigner (like bastionzero.com)
...so that even if Microsoft's signing key is stolen, the attacker also needs to compromise the cosigner's signing key. It's like multisig for authentication tokens.
I don't know if OpenPubkey would have helped in this particular case as the details are still coming out[2], but I think the future of authentication schemes must require that authentication tokens be signed by multiple signers at different organizations; authentication systems with single-point-of-compromise signing keys are too fragile. Or, put another way, authentication via multiple independent roots of trust is just too powerful a security tool not to use.
[2]: It appears the key stolen was an MSA key, not an Azure AD signing key. The MSA architecture might not fit into the OpenPubkey model (or it might; I don't know enough about how MSA signing keys work to say). Had it been an Azure AD signing key, then OpenPubkey would mitigate the theft of an Azure AD signing key. https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
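The two-signer idea in the comment above, as an added illustration that is not part of the thread and not OpenPubkey's own code or token format: a token carries an IDP signature and an independent cosignature, the verifier pins both public keys, and a party holding only the stolen IDP key cannot produce a token that verifies. Ed25519 stands in for whatever signature scheme the real parties use; the claim payload, the `Signer`/`DualSignedToken` types and the binding of the cosignature to `payload || idpSig` are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DualSignedToken is a constructed model of a token that must carry
// signatures from two organizations. It is NOT OpenPubkey's PK token format.
type DualSignedToken struct {
	Payload   []byte // the claims being attested (constructed JSON below)
	IDPSig    []byte // signature from the identity provider's key
	CosignSig []byte // signature from the independent cosigner's key
}

// Signer holds one organization's signing key pair.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for one signing party.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over msg with this party's private key.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// cosignInput binds the cosignature to a specific IDP signature, so a
// cosignature cannot be transplanted onto a different IDP-signed payload.
func cosignInput(payload, idpSig []byte) []byte {
	return append(append([]byte{}, payload...), idpSig...)
}

// Issue has the IDP sign the payload, then the cosigner sign payload||idpSig.
func Issue(payload []byte, idp, cosigner *Signer) DualSignedToken {
	idpSig := idp.Sign(payload)
	return DualSignedToken{
		Payload:   payload,
		IDPSig:    idpSig,
		CosignSig: cosigner.Sign(cosignInput(payload, idpSig)),
	}
}

// Verify accepts a token only if BOTH signatures check against keys the
// relying party pinned independently (never both fetched from the IDP).
func Verify(tok DualSignedToken, idpPub, coPub ed25519.PublicKey) bool {
	if !ed25519.Verify(idpPub, tok.Payload, tok.IDPSig) {
		return false
	}
	return ed25519.Verify(coPub, cosignInput(tok.Payload, tok.IDPSig), tok.CosignSig)
}

// ForgeWithStolenIDPKey models the compromise scenario from the comment: the
// attacker holds the IDP key but not the cosigner's, so they can only
// substitute a key of their own for the cosignature.
func ForgeWithStolenIDPKey(payload []byte, stolenIDP *Signer) (DualSignedToken, error) {
	attackerKey, err := NewSigner() // attacker's own key, not the real cosigner's
	if err != nil {
		return DualSignedToken{}, err
	}
	return Issue(payload, stolenIDP, attackerKey), nil
}

// Demo runs the legitimate and compromised flows and reports both outcomes.
func Demo() (legitOK, forgedOK bool, err error) {
	idp, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	cosigner, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	payload := []byte(`{"sub":"alice@example.com","aud":"example-app"}`) // constructed claims
	legitOK = Verify(Issue(payload, idp, cosigner), idp.Pub, cosigner.Pub)
	forged, err := ForgeWithStolenIDPKey(payload, idp)
	if err != nil {
		return false, false, err
	}
	forgedOK = Verify(forged, idp.Pub, cosigner.Pub)
	return legitOK, forgedOK, nil
}

func main() {
	legit, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate token verifies: %v\n", legit)
	fmt.Printf("token forged with stolen IDP key verifies: %v\n", forged)
}
```

The property only holds if the relying party obtains the cosigner's public key through a channel the IDP does not control; a verifier that pulls both keys from the IDP's key endpoint collapses back to a single root of trust.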
https://techcrunch.com/2022/12/22/okta-breach-source-code-gi...