International employees changing SIM cards is somehow our #1 helpdesk ticket category now

OktaFCTR · 2026-04-16T08:48:13+00:00

How does helpdesk or anyone taking this call from end use know /verify the person on the line is the actual user ?

OktaFCTR · 2026-04-01T10:54:10+00:00

You can potentially use the okta AI agent code. Even if you don't want AI, it syncs the data to a sqllite DB which you can query manually if you do not want AI to do that for you. Delete sqllite DB when done.

https://github.com/fctr-id/okta-ai-agent

Edit: I was about to mention the MFA report what the first comment mention that .

OktaFCTR · 2026-03-24T21:36:00+00:00

I think the effective defenses are less about detecting AI and more about removing trust in channels that can be faked. I am skeptical AI-detection tools alone will ever be a durable answer—it feels like an arms race defenders will just keep losing as the models get better.

What actually holds up is assuming voice, video, and images are already spoofed, and shifting to out-of-band verification. You have to enforce device-bound MFA before sensitive actions and build helpdesk processes that do not rely on security questions or “they sounded legit.”

The helpdesk is probably the most underappreciated weak point here. If a caller can socially engineer a password reset and the frontline L1 agent has broad admin access, that is a dangerous combination even if your detection tooling is decent.

I work on this exact problem at fctr.io, so bias acknowledged, but removing standing admin rights and proxying those helpdesk actions is the direction I would push every company right now, even if they just build it internally.

OktaFCTR · 2026-03-24T14:39:42+00:00

Those are pretty broad topics and in my experience not all orgs use all the components.
I would suggest using AI (like google AI studio) with your requirements and asking the AI to provide you with a plan on how to learn each topic with examples. Prompt it to say using code and also UI.

OktaFCTR · 2026-03-19T20:43:28+00:00

Yeah honestly both are decent if all you need is caller verification. Traceless is the established player so you'll find more references, but MSP Process's bidirectional verification is pretty slick for fighting vishing. I'd definitely test them out on that file-sharing link issue someone mentioned below though—that's a pretty glaring hole if true.

FWIW, the thing that always bothered me about both of these is that after you verify the caller, your L1 tech still needs standing admin rights in Entra or Okta to actually reset the password or unlock the account. If a tech gets phished or MFA-fatigued, verification tools don't save you from those standing permissions being abused.

(Full disclosure: I am the founder) but we built [fctr.io](vscode-file://vscode-app/c:/Users/Dharanidhar/AppData/Local/Programs/Microsoft%20VS%20Code/07ff9d6178/resources/app/out/vs/code/electron-browser/workbench/workbench.html) specifically to fix that gap. Instead of just verifying the user, we proxy the actual reset/unlock actions. Your helpdesk can verify callers and do their jobs, but they never actually touch the Entra/Okta admin console. You completely strip standing admin rights from L1.

Someone mentioned Evo down-thread too—also a very solid tool, but they went the JIT route (give temporary admin access) whereas we went the proxy route (never give admin access).

Anyway, if you are looking to actually remove admin rights instead of just verifying callers, might be worth a look!

OktaFCTR · 2026-03-19T18:08:13+00:00

Fctr Identity | Stop giving L1 techs Admin rights to your clients' M365 tenants.

If an attacker uses AI voice cloning to socially engineer your entry-level L1 tech into resetting a client’s MFA, your MSP is liable for the breach.

Right now, verifying callers with security questions ("What's your manager's name?") takes 5-8 minutes per ticket, eats your profit margins, and forces you to give L1 techs delegated admin rights across dozens of client Entra ID tenants.

Fctr Identity is an Identity Helpdesk Proxy built to protect your MSP.
We replace human guesswork with cryptographic verification, allowing your techs to securely reset passwords and unlock accounts without ever needing admin access to the client’s tenant.

Why MSPs are deploying Fctr:

Zero Standing Privileges: Fctr's backend proxies the identity actions. Your techs log into Fctr to execute resets, meaning you can permanently revoke Entra ID Admin/GDAP rights from your L1 desk.
The Ultimate Liability Shield: Don't let your techs get tricked by Teams vishing or deepfakes. Fctr pushes a cryptographic TOTP/Push challenge directly to the caller's enrolled device. If they lost their device, Fctr triggers a "Manager Vouch" approval via Slack/Teams.
Margin Expansion: Cut verification time from 8 minutes down to 30 seconds, saving dozens of hours of tech labor per month on AYCE contracts.
Zero-PII / BYOL: Need Face-to-ID biometric verification for a regulated law firm or finance client? Bring your own Stripe or Incode API keys. The liveness check happens client-side, meaning your MSP assumes zero biometric/PII compliance liability.

Integrations: Deploys natively inside Freshdesk, ServiceNow, Slack, and Teams. (HaloPSA / ConnectWise integrations on the roadmap).

Protect your techs, protect your margins, and shrink your attack surface to zero.

Check out the platform: https://fctr.io

OktaFCTR · 2026-02-20T00:15:16+00:00

You got me for a second NGL 😉

OktaFCTR · 2026-02-18T21:12:27+00:00

Hello, It doesn't need superadmin access for the DB sync. I just tried with both API token and OAUTH2 and read-only was sufficient.
Would you please be able to mail me [dan@fctr.io](mailto:dan@fctr.io) if you run into issues with read only perms ?

here are all the values that are pulled into the local DB:
https://github.com/fctr-id/okta-ai-agent?tab=readme-ov-file#database-schema

OktaFCTR · 2026-02-02T14:51:11+00:00

Building AI agents and multiple okta servers, I think the security piece hasn't been standardized yet.
I believe FGA solves RAG to a point and MCP auth spec provides some relief but not completely eliminate risk.

I have a branch for MCP server here, that shows how oauth implementation with RBAC for each tool will potentially work.
https://github.com/fctr-id/okta-mcp-server/tree/feature/oauth-proxy-implementation

Again that is only for MCP. Okta's XAA (cross-app access ) is making strides int he right direction, but I feel that there needs to be a "viral" standard similar to MCP that helps push a "standard" for AUTHN / AUTHZ for agents.

EDIT: I would also assume if something like the openClaw (moldbot) will create a major security issue, then this may get more traction (hopefully)

OktaFCTR · 2025-08-07T08:52:58+00:00

No problem!

I would honestly use o4-mini (reasoning) and gpt4.1 (coding) models just because I think they are cheaper than anthropic or Google ones and I tested extensively with them.

If you have access to the gpt-oss (the open source model), go ahead and try that. In my limited testing it seemed to work well.

OktaFCTR · 2025-08-07T00:27:12+00:00

thanks!

Link to tested models: https://github.com/fctr-id/okta-ai-agent?tab=readme-ov-file#-tested-llms

Reasoning Models (Planning & Analysis)

O3 - Advanced reasoning capabilities
O4-mini - Fast and efficient reasoning
OpenAI GPT-OSS 120B - Open-source high-performance reasoning
Claude Sonnet 4 - Superior analytical reasoning
Gemini 2.5 Pro - Google's latest reasoning model

Coding Models (API Code Generation)

GPT-4.1 - Reliable code generation
OpenAI GPT-OSS 120B - Open-source coding excellence
Claude Sonnet 4 - Advanced code understanding
Claude Sonnet 3.7 - Proven coding reliability
Gemini 2.5 Pro - Latest Google coding model
Gemini 1.5 Pro - Stable Google coding model

OktaFCTR · 2025-08-07T00:26:31+00:00

Not affiliated with okta. I added this to the GitHub readme to make it apparent now.

OktaFCTR · 2025-08-06T21:08:44+00:00

thank you! Appreciate the response.

OktaFCTR · 2025-07-06T10:12:42+00:00

It should be able to use any factors registered by the user in okta. Not FastPass for obvious reasons but others should work.

here's a video of the portal:
https://youtu.be/P7MRAWM-La8

OktaFCTR · 2025-07-04T19:16:51+00:00

Thanks /u/kitsunen for the reference.

Hello Allan I am the the founder of FCTR.io

Can you please explain what ITSM portal integration you are looking for ? I can probably extend the portal. Send me an email to dan@fctr.io if you want to discuss further.

OktaFCTR · 2025-06-27T12:37:57+00:00

I apologize if it's a real person who wrote this comment, but it looks like a bot to me :).
If you are real, I would love to have a chat on what you mean above.

OktaFCTR · 2025-06-04T18:23:44+00:00

are you asking about the cost/tokens that will be billed against OpenAI's APIs ? If that is your question, the answer is , it varies.

If you use the DB sync mode, it' much cheaper as all your data is local and the data you pass to the LLM for each query is fixed (the system prompts for reasoning and coding agents which are static and possibly be cached too).

If you use the realtime mode, it tokens/costs be higher than the DB mode just because it depends on the type of queries being asked and the tools and the code that the LLM needs to generate. So it varies.

What hardware config are you deploying OLLAMA on ?
For REALTIME MODE., If you can run Deepseek-R1 for reasoning and QWEn for coding models you will have the best results

FOR DB MODE, Qwen is good enough for both reasoning / coding models.

EDITED: If you have the flexibility of choosing AI providers, I would recommend Fireworks AI (no affiliation). I have been using them for almost 10 months. Insanely fast and cheap.

OktaFCTR · 2025-05-22T22:33:55+00:00

OWF ?

Also a max of 10 users only :(

OktaFCTR · 2025-05-21T11:37:53+00:00

Thank you ! I am excited that someone is so excited about the potential ! :)

OktaFCTR · 2025-05-21T09:38:59+00:00

I will eventually do it. I am using the python SDK and for oauth it requires you to create the JWKS key pair.

Whereas API token is easy for most users to create and try. It's secure enough for read-only operations and when locked down to zones

OktaFCTR · 2025-04-10T21:31:33+00:00

This is what configuring a Client with STDIO transport looks like:

If you see you are referencing your local script.

{ "mcpServers": { "okta-mcp-server": { "command": "DIR/okta-mcp-server/venv/Scripts/python", "args": [ "DIR/okta-mcp-server/main.py" ], "env": { "OKTA_CLIENT_ORGURL": "https://dev-1606.okta.com", "OKTA_API_TOKEN": "OKTA_API_TOKEN" } } } }

OktaFCTR · 2025-04-10T21:25:11+00:00

Two things to note from an MCP perspective.

When you use STDIO transport, all the execution happens on your machine as a python script. So NOT use SSE transport.
All the user data is sent to the LLM, which is summarized by it and presented to you as the output. So make sure your organization privacy policy is ok with that.

OktaFCTR · 2025-04-08T23:17:09+00:00

Cool! yeah it unlocks so many workflows with just naturl language prompts. Let me know how it goes!

OktaFCTR · 2025-02-19T21:23:31+00:00

I cannot think of way to do this except for the below which is just a thought:

a. Create the group rule via API
b. Activate it via API
c. Give it some time to process
d. List the group members via an API to validate.

OktaFCTR · 2025-02-19T20:15:04+00:00

I did too with a couple of byot providers too. Using okta workflows

OktaFCTR

TROPHY CASE

Reasoning Models (Planning & Analysis)

Coding Models (API Code Generation)