About Secret Double Octopus
Who is Secret Double Octopus?
Secret Double Octopus is the global leader in next-generation workforce authentication solutions. We help mid-market to Fortune 100 enterprises move to higher security, frictionless, and unified authentication platforms for MFA and passwordless authentication. We've been recognized as a Gartner "Cool Vendor" and named "Best-in-Class" passwordless solution by AITE Group in 2021.
What makes Secret Double Octopus different from other authentication providers?
We're one of the few vendors offering deep desktop integration for both Windows and Mac, with true passwordless capabilities that work across heterogeneous environments. Unlike solutions that only work in single-vendor ecosystems, we support multiple identity providers, cloud environments, and legacy systems.
What pain points does Secret Double Octopus solve?
We address critical business challenges including:
- Security risks from compromised passwords (61% of data breaches involve compromised credentials)
- High helpdesk costs from password resets (25-45% of helpdesk calls)
- Phishing and ransomware prevention
- Compliance requirements for MFA, especially on desktops
Passwordless vs Traditional MFA
Is passwordless more secure than traditional MFA?
Yes! Passwordless is the next evolution of authentication. While traditional MFA adds a second factor to passwords, passwordless eliminates the password entirely - removing the primary target of most cyberattacks. It uses "something you have" (phone/FIDO key) and "something you are" (biometrics), making it much harder to compromise.
How does passwordless prevent phishing and ransomware?
By removing passwords entirely, there's nothing for attackers to steal through phishing. For ransomware, we eliminate RDP brute force attacks (responsible for 47% of ransomware incidents) since there are no passwords to crack.
Does this stop Man-in-the-Middle attacks?
Absolutely! Our solution uses advanced cryptography including Shamir Secret Sharing, which splits encryption keys across multiple channels. Even if one channel is compromised, attackers can't reconstruct the key, making Man-in-the-Middle attacks virtually impossible.
Getting Started & Deployment
How fast can we deploy Secret Double Octopus?
Deployment is surprisingly quick! Our solution is designed for rapid implementation with minimal disruption to your existing infrastructure. Most organizations can be up and running within days, not months.
How do users get enrolled?
Enrollment is simple and fast! Users receive an email with:
- A download link for the Octopus app
- A QR code to scan
Users install the app, scan the code, and start using passwordless authentication immediately. Alternatively, users can enroll with a manual code if QR scanning isn't possible.
Do we need to change our existing infrastructure?
Not at all! Our solution works with your existing Active Directory, LDAP, and identity providers. We integrate seamlessly without requiring major infrastructure changes.
Does Secret Double Octopus require domain-joined machines?
No, domain joining is optional and not required. Our solution works flexibly with both domain-joined and non-domain-joined machines.
Platform Support & Compatibility
What operating systems are supported?
We support:
- Windows 10 and many other Windows versions (including Windows 7)
- macOS 10.X and newer
- Windows Server environments via RDP
- Linux servers through LDAP and RADIUS integration
Does it work with FileVault encrypted Macs?
Yes! Our solution is fully compatible with FileVault encrypted Mac systems.
Can multiple users register on one device?
Absolutely! Our solution supports multiple user accounts on a single device, including domain users, administrators, and other account types.
Does it work in air-gapped environments?
Yes! We can deploy completely on-premises with FIDO-based authentication for air-gapped environments with no cloud component required. If phones are permitted, we also support offline authentication via Bluetooth between the mobile app and PC.
Integration Capabilities
Does Secret Double Octopus support OIDC (OpenID Connect)?
Yes! Our platform supports modern authentication protocols including OIDC, enabling seamless integration with cloud applications and identity providers.
What about WS-Federation and WS-Trust support?
Absolutely! We support these enterprise federation protocols, making integration with existing enterprise applications and legacy systems straightforward.
Why should we use federation?
Federation provides single sign-on capabilities, centralized identity management, and simplified user experience across multiple applications. It reduces password fatigue and improves security by centralizing authentication policies.
Can we use Office 365 without federation?
Yes! Our solution can work with Office 365 in multiple ways - either through direct integration or by extending your existing identity provider's capabilities to provide passwordless authentication to Office 365.
Does it integrate with Okta and Azure AD?
Yes! We integrate with both Okta and Azure AD, as well as other major identity providers. We can extend their MFA capabilities to desktops and provide passwordless authentication across your entire environment.
What about SAML integration?
Absolutely! Our solution supports SAML protocol integration and can act as a SAML Identity Provider, enabling SSO across your SAML-enabled applications.
Does it support RADIUS for VPN access?
Yes! We support RADIUS authentication, making it compatible with VPN solutions from Cisco, Checkpoint, SonicWall, Palo Alto Networks, and others.
Can it integrate with Active Directory and LDAP?
Yes! We support both LDAP (port 389) and Secure LDAP (port 636). For passwordless authentication, we require LDAPS to ensure credentials are properly encrypted during our password management process.
User Experience
How does desktop login work?
It's incredibly simple! Users press Ctrl-Alt-Del and select their username with "Octopus App" in the dropdown. After clicking the arrow they see "Check Your Phone for Authentication," approve the request on their phone with biometrics (Face ID/Touch ID), and they're logged in!
What's the mobile experience like?
On mobile, we provide an exceptional experience including support for iPhone's "long press" feature. Users can hold their finger on the password prompt for 2-3 seconds, get a popup asking to log in, and use Face ID for biometric authentication - no password typing required!
What if users forget their phone?
No problem! Administrators can issue a 12-hour FIDO key as a backup. Users can also enroll a new phone remotely using our self-service portal.
What if a phone is lost or broken?
Our platform supports mobile account recovery for both iOS and Android. Users can request a new enrollment email or use our self-service portal to re-enroll their new device.
Do users need to install an app on their phone?
While our mobile app provides the best experience, we also support FIDO2 security keys for users who prefer not to use their phone. We offer multiple authentication options to fit different preferences.
Security Features
How is data encrypted?
We use state-of-the-art encryption with multiple layers:
- Standard TLS encryption for all communications
- Advanced Shamir Secret Sharing to create symmetric keys
- AES-256 encryption for additional protection
- Quantum-safe encryption on all channels
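The answers on Man-in-the-Middle attacks and on encryption both refer to Shamir Secret Sharing. The following is an added illustration of the general Shamir threshold scheme, written for this page; it is not Secret Double Octopus code and makes no claim about how their product applies the scheme. It splits a secret into n shares with threshold k, recovers it from any k shares by Lagrange interpolation, and, over a small field that can be enumerated exhaustively, shows why holding fewer than k shares leaves every possible secret equally likely. The field modulus, the share indices and the sample secret are constructed for the demonstration.

```python
"""Shamir secret sharing over a prime field: split, recover, and show why a
sub-threshold set of shares reveals nothing about the secret.

Added illustration of the textbook scheme, not vendor code.
"""
import itertools
import secrets

# Constructed field modulus: the 2^127 - 1 Mersenne prime is large enough to
# hold a 128-bit symmetric key as the secret. Any prime above the secret works.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial (coefficients lowest degree first) at x mod p."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule
        result = (result * x + c) % p
    return result


def split_secret(secret, k, n, p=PRIME):
    """Split `secret` into n shares such that any k of them recover it.

    The secret is the constant term of a random degree-(k-1) polynomial f;
    share i is the point (i, f(i)). Shares are distributed over separate
    channels so that no single channel carries enough to rebuild the secret.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a non-negative integer below the modulus")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Recover f(0) by Lagrange interpolation over any k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p      # numerator of L_i(0)
                den = (den * (xi - xj)) % p  # denominator of L_i(0)
        # pow(den, -1, p) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def secret_distribution_given_shares(known_shares, k, p):
    """Exhaustive check for a small field: for each candidate secret, count
    the degree-(k-1) polynomials that agree with `known_shares`.

    With k-1 known shares every secret gets the same count, so an attacker
    who captured one channel short of the threshold learns nothing. With k
    known shares exactly one secret remains.
    """
    counts = {s: 0 for s in range(p)}
    for coeffs in itertools.product(range(p), repeat=k):
        if all(_eval_poly(coeffs, x, p) == y for x, y in known_shares):
            counts[coeffs[0]] += 1
    return counts


def demo_small_field(secret=7, k=3, n=5, p=13):
    """Run the whole scheme over GF(13) and return (recovered, below_k, at_k)."""
    shares = split_secret(secret, k, n, p)
    recovered = recover_secret(shares[:k], p)          # any k shares suffice
    below_k = secret_distribution_given_shares(shares[:k - 1], k, p)
    at_k = secret_distribution_given_shares(shares[:k], k, p)
    return recovered, below_k, at_k


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)                     # constructed sample key
    parts = split_secret(key, 3, 5)
    assert recover_secret(parts[1:4]) == key
    rec, below, at = demo_small_field()
    print("recovered:", rec)
    print("candidates with k-1 shares:", sorted(s for s, c in below.items() if c))
    print("candidates with k shares:  ", sorted(s for s, c in at.items() if c))
```

The exhaustive count is only feasible for a toy modulus; for the real-sized field the same argument holds algebraically, since k points with distinct x-coordinates determine exactly one polynomial of degree at most k-1, so each candidate secret is consistent with exactly one polynomial through any k-1 captured shares.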
Are biometrics stored centrally?
No! All biometrics are stored locally on the user's device in its secure enclave. We never store biometric data centrally, making a centralized breach of biometric information impossible.
How does offline authentication work?
For offline scenarios, our mobile app stores encrypted passwords locally in the device's secure element. Authentication happens via Bluetooth between the phone and computer, ensuring users can log in even without internet connectivity.
Is the solution FIPS 140-2 compliant?
Yes! Secret Double Octopus is FIPS 140-2 certified, meeting federal security requirements for cryptographic modules.
Enterprise Features
Does it support privileged access management?
Yes! We provide MFA for privileged access to Windows servers via RDP, Linux servers through PAM modules, and can protect both shared admin accounts and local accounts with proper auditing capabilities.
Can administrators remotely disable accounts?
Absolutely! Administrators can revoke credentials at any time for online access. The system integrates with Active Directory status changes and supports automated policies for account lifecycle management.
What about compliance with regulations like CMMC?
We support all CMMC levels (1-5) with comprehensive policies, annual risk assessments, ISO 27001 certification, and documented process optimization across the organization.
Does it provide audit trails?
Yes! Our solution maintains comprehensive audit trails of all user and admin activities, supporting forensic investigations and compliance requirements.
Management & Support
Is there a self-service portal?
Yes! Users can access our self-service portal to request new enrollments, manage their authenticators, and access SSO-enabled applications. The portal supports both end-user and administrative functions.
What support roles are available?
We provide four configurable roles: Admin, Helpdesk, Auditor, and User. Each role has different access levels that can be customized based on your organization's needs.
How does helpdesk support work?
Our helpdesk functionality allows support staff to issue emergency tokens, provide temporary access, enroll new authenticators, and manage user accounts - all with proper authorization and time-based controls.
What languages are supported?
The default language is English, but messages on PC agents can be configured for any language based on your global requirements.
Is support available globally?
Yes! We have no known country limitations and can support organizations conducting business anywhere in the world.
Deployment Options
Is this a cloud-hosted solution?
Secret Double Octopus is designed as an on-premises solution. We have an optional cloud component only for push notifications, which doesn't store any personally identifiable information (PII) or sensitive data.
Can it be deployed in private cloud?
Yes! Upon request, our on-premises server can be deployed in private clouds including AWS, Microsoft Azure, and Google Cloud Platform.
Is FedRAMP certification required?
No! Since our optional cloud component only acts as a pass-through for push notifications without storing PII or sensitive data, FedRAMP certification is not required.
What if we don't want push notifications?
If you prefer not to use push notifications, you can leverage OTP or FIDO tokens instead, eliminating the need for any cloud component entirely.
Business Value
What's the economic justification?
A recent Ponemon Institute study found that passwordless authentication provides average cost savings of $1.8M over two years through attack prevention, reduced helpdesk needs, fewer MFA solutions to manage, and lower employee downtime.
How much does it cost?
We use per-user-per-month subscription pricing. List pricing tops out at $6/user/month but typically costs less due to volume discounts and other available discounts.
How does pricing work for multiple devices?
Unlike other providers, we charge per user, not per device. A user with multiple phones, tablets, or FIDO keys still only counts as one license, providing excellent value for users with multiple devices.
Technical Integration
Does it have API support?
Yes! We provide comprehensive REST APIs that allow complete system control, including scripting, bulk updates, and integration with identity management solutions like SailPoint.
Can it work with Windows Hello for Business?
While Windows Hello for Business works well in Microsoft environments, our platform provides a unified solution for heterogeneous environments including Mac endpoints and multiple identity providers that Windows Hello cannot address.
Does it replace our existing MFA solution?
It can! Our solution can extend existing MFA solutions like Okta and ForgeRock to desktops with Octopus Lite, run in hybrid mode alongside existing solutions, or completely replace traditional MFA solutions when moving to passwordless.
What FIDO2 authenticators are supported?
We support any FIDO2-certified authenticator including Yubico YubiKeys, Feitian keys, and other certified hardware tokens. Our platform is FIDO2 certified, ensuring broad compatibility.
How does it handle account lifecycle management?
The system fully integrates with Active Directory and supports automated enrollment groups. We provide REST APIs for integration with IDM solutions and support configurable policies for account lifecycle management including automatic blocking after inactivity periods.
Why Choose Secret Double Octopus?
What's our key differentiator?
We're one of the few vendors providing true desktop passwordless authentication through deep Windows and Mac integration, while supporting heterogeneous environments that include multiple cloud providers and identity systems.
How do we compare to Microsoft's passwordless offerings?
While Microsoft provides good passwordless capabilities for Microsoft environments, we provide comprehensive solutions for mixed environments including Mac endpoints, multiple identity providers (Okta, Google, etc.), and legacy systems that Microsoft cannot address.
What if our users are concerned about app installation?
We offer multiple options! Besides our mobile app, we support FIDO2 security keys (including ones with built-in fingerprint readers), soft OTP tokens, integrated biometric sensors, and even phone call services for landlines to accommodate any user preference or policy requirement.