Device Trust is better with proof
Okta Device Trust gives you no real proof that your corporate-owned devices are accessing your most sensitive resources. With its device-attested credentials, Smallstep brings high-assurance device identity to your Okta SSO flows.
Okta's device trust solution
Okta is an industry leader in Identity and Access Management (IAM) because of their best-in-class user identity model, massive integration ecosystem, and enterprise reliability. With Okta Device Trust, customers can:
- Authenticate users with SSO and Adaptive MFA.
- Ingest device and posture signals from MDM / EDR solutions (like Intune, Jamf, Workspace ONE).
- Apply conditional access policies based on risk.
Okta Device Trust isn't device identity
Okta Device Trust gives you strong user authentication and rich device signals. Those signals describe posture and management state. They do not, by themselves, create a cryptographic proof that the request is coming from the same physical device you enrolled.
- Signals rely on software state that can be cloned or replayed.
- Session artifacts can be stolen and reused from a different endpoint.
- It is hard to prove that a login is bound to a specific hardware device.
Extend Okta to include true device identity
Smallstep unites Okta’s user identity, your MDM platform, and Device Attestation (ACME DA) to provide the strongest possible guarantee that only trusted, company-owned devices can access critical applications and resources. Smallstep serves as an external Identity Provider (IdP) factor for Okta, using industry-standard OpenID Connect (OIDC) flows and SCIM sync for efficient cross-domain identity management. This seamless integration strengthens your Okta environment by adding high-assurance device identity.
- Issue hardware-bound keys from TPM or Secure Enclave
- Attest the device and present proof inside the Okta SSO flow
- Require device proof only for your most sensitive apps
| | Smallstep Device Identity | Okta Device Trust |
|---|---|---|
| Device identity proof | Hardware-backed device attestation (TPM/Secure Enclave/TEE) via ACME | Software-derived; limited or platform-specific hardware attestation |
| Binding / export resistance | Keys are hardware-bound; credentials are non-exportable | May be exportable or clonable depending on platform & controls |
| Okta integration model | Operates as an external Identity Provider inside Okta SSO | Native feature within Okta |
| End-user experience | A seamless experience with no end-user interaction required | Varies by OS and management tooling |
| Platform coverage | Hardware-backed keys across Windows, macOS, Linux, ChromeOS, iOS | Limited support for hardware-bound keys (Windows only) |
| Policy control | Choose which SSO-protected apps require device proof | Limited granularity relative to app-by-app device proof |
| Security posture | Complements user auth with strong device auth | Susceptible to software credential reuse |
Raise the bar on Device Trust
Use Smallstep to strengthen device trust for the Okta-federated systems that carry the most business risk. Okta stays in charge of users, groups, and app policies. You choose which Okta apps enforce Smallstep's device checks, so you can apply hardware-backed identity exactly where you need it.