Okta Chief Security Officer David Bradbury warns of a growing shift of cybersecurity threats from pre- to post-authentication attacks.

Historically, attackers have primarily focused on pre-authentication tactics – tricking victims into revealing their credentials or gaining unauthorized access before login. However, recent trends reveal a new cybersecurity battleground: post-authentication attacks.

Pre-authentication refers to the security measures and processes that occur before a user is granted access to a system or application, such as username and password, multifactor authentication (MFA), and biometric authentication. Post-authentication covers the security measures and processes that apply after a user has been successfully authenticated and granted access to the system or application, including session management, token binding, and continuous authentication.

“The battleground has really shifted over the past 12 months,” Bradbury told SDxCentral in an interview. “It's no longer about pre-authentication/before login attacks, it's about post-authentication attacks. [Threat actors] have figured out that it's easier to steal session tokens either by malware, phishing, [or] direct access.”

Session tokens are unique identifiers generated after a user logs in, which allow the user to remain authenticated across multiple interactions without needing to re-enter credentials. These tokens can be stored as cookies in the user's browser.

“It's easier to go after these tokens, these strings of numbers and letters, that if you have them and you insert them into your own browser you can access all the applications that they can access,” Bradbury said. “That is far easier to perform than trying to hack into someone's MFA trying to go through the front door.”

“Why go through the front door when the window is open,” Bradbury added.

How Okta addresses post-authentication threats

Okta has observed a significant increase in attacks targeting tokens and token security, Bradbury noted.

“As we start to think about how to address this, it's not simple,” Bradbury said. “If we had the mechanism, which was provided by WebAuth some years ago when their specification was drafted, we would’ve been able to bind these tokens to the browser that you're currently using. But, sadly, that wasn't implemented or adopted by Google or Microsoft in their browsers.”

Google did discuss the idea of device-bound credentials during the Google Cloud Next '24 event.

“We are a key partner building this with Google to adopt this for all Okta’s customers and to bind these tokens so that no one can steal them, that they will actually cryptographically secure these using the TPMs [trusted platform modules] in your laptops to ensure that when you log in to a corporate application, the token that sits in your browser as a cookie cannot be taken by a threat actor,” Bradbury said.

This means that even if a user falls victim to malware or phishing, the tokens in their browser cookies cannot be stolen by attackers.
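As an added illustration of the device-bound session idea described above (example code, not Okta's or Google's implementation): the server records a device public key at login and, on later requests, requires a signature over a fresh challenge alongside the cookie, so a copied cookie alone is useless. The TPM is simulated with an in-memory ECDSA key, and the challenge format and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Session is the server-side record: the cookie plus the public half of the
// device key registered at login. Hypothetical design, not Okta's.
type Session struct {
	Cookie    string
	DeviceKey *ecdsa.PublicKey
}

// NewDeviceKey stands in for a TPM-held key (in-memory here; real hardware never exports it).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func challengeHash(challenge, cookie string) []byte {
	h := sha256.Sum256([]byte(challenge + "|" + cookie))
	return h[:]
}

// Sign is the client side: prove possession of the device key for this challenge.
func Sign(dev *ecdsa.PrivateKey, challenge, cookie string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, challengeHash(challenge, cookie))
}

// Login issues a random cookie and records the device's public key beside it.
func Login(dev *ecdsa.PrivateKey) (*Session, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &Session{Cookie: hex.EncodeToString(raw), DeviceKey: &dev.PublicKey}, nil
}

// Authorize accepts a request only if the cookie matches and the server's fresh
// challenge is signed by the bound key; a thief holds the string, not the key.
func Authorize(s *Session, cookie, challenge string, sig []byte) bool {
	if cookie != s.Cookie {
		return false
	}
	return ecdsa.VerifyASN1(s.DeviceKey, challengeHash(challenge, cookie), sig)
}
```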

“Obviously there are privacy concerns around cookies still and so we need to make sure that we do this appropriately, but there's a whole body of work at the moment within Okta that is very much focused on this post-authentication attack vector,” Bradbury said. “We've done some really good work in making it much harder for [attackers] to steal people's credentials. [MFA] is now prevalent, biometrics is present in every phone [and] on every laptop. But the outcome of that is that threat actors have moved to where the easier path is and the easier path is here. And now we need to close that down as quickly as we can.”