COMMENTARY. Authentication tokens aren't actual physical tokens, of course.
An authentication token is the artifact an identity provider hands back after a successful login, and every application downstream accepts it as proof that the login already happened.
Which means that anyone holding a valid token has a golden key to corporate systems, with no multifactor authentication challenge standing in the way.
The Risks of Employee Convenience
A token's lifetime is often used to trade security for employee convenience, letting users authenticate once and keep access to applications for a specified period.
Threat actors are increasingly obtaining these tokens through adversary-in-the-middle attacks, in which the attacker sits between the user and the legitimate application and captures credentials or tokens as they pass, and through pass-the-cookie attacks, which reuse session cookies lifted from the browser's cookie store.
Tokens held on poorly secured personal devices are easier still to compromise, because a threat actor who controls the device can capture them directly.
Once a threat actor has a token, they also have whatever rights and authorizations were granted to the user.
The longer the token is active, the more they can access, steal, and damage.
While expiring session tokens more frequently will not stop these attacks, it greatly reduces the exposure by shortening the window in which a stolen token still works.
We often see that tokens are not being expired at regular intervals, and some breach reporting also suggests that default token lifetimes are being deliberately extended.
Token Attacks in the Spotlight
Last year, several breach cases involving captured authentication tokens appeared in the news.
Once in the service account, threat actors were able to capture other customer session tokens from HAR files stored in ServiceNow.
Notably, on Nov. 23, 2023, Cloudflare detected a threat actor targeting its systems using session tokens from the Okta breach.
In a separate incident, a stolen consumer signing key was used to compromise Exchange and Active Directory accounts by exploiting a previously unknown bug that allowed enterprise systems to accept tokens signed with that consumer key.
It is possible this breach would not have been as impactful if tokens had been more aggressively expired.
Organizations should expire authentication tokens at least every seven days in geographies where the enterprise has staff.
In regions with no office staff, tokens should expire much more often.
The organization does not control the security posture of the devices in those regions, and long-lived tokens on them sit outside corporate reach.
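The lifetime cap and expiry check described above, as an added example that is not part of the article: a minimal HMAC-signed session token issuer and validator. The validator, not the issuer, enforces a maximum lifetime per region (seven days for staffed regions, 24 hours elsewhere are assumed values, as are the key and claim names), so a token whose expiry was deliberately extended is rejected outright, and a stolen token stops working once its window closes.

```python
"""Added example, not code from the article or any vendor.
Enforces a server-side cap on session-token lifetime so that an
extended or stolen token is useless once the policy window closes.
Key material, claim names and the per-region caps are assumptions."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secrets store.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Assumed policy caps in seconds: 7 days where the enterprise has staff,
# 24 hours where it does not.
MAX_LIFETIME = {"staffed": 7 * 86400, "unstaffed": 24 * 3600}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, region: str, lifetime: int, now: int) -> str:
    """Sign {sub, region, iat, exp}. The issuer honours whatever lifetime
    it is asked for; the policy cap is enforced at validation time."""
    claims = {"sub": subject, "region": region, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def validate_token(token: str, now: int) -> tuple:
    """Return (accepted, reason). Rejects malformed tokens, bad signatures,
    tokens whose issued lifetime exceeds the cap for their region, and
    tokens past their expiry, in that order."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    cap = MAX_LIFETIME.get(claims.get("region"))
    if cap is None:
        return False, "unknown region"
    if claims["exp"] - claims["iat"] > cap:
        return False, "lifetime exceeds policy cap"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def attacker_window(token: str, stolen_at: int) -> int:
    """Seconds a stolen token keeps working after theft (the window of
    opportunity). Zero if the token is already unusable when stolen."""
    accepted, _ = validate_token(token, stolen_at)
    if not accepted:
        return 0
    claims = json.loads(_unb64(token.split(".")[0]))
    return claims["exp"] - stolen_at


if __name__ == "__main__":
    t0 = 1_000_000
    weekly = issue_token("alice", "staffed", 7 * 86400, t0)
    quarterly = issue_token("alice", "staffed", 90 * 86400, t0)
    print("stolen on day 3, 7-day token:", attacker_window(weekly, t0 + 3 * 86400), "s")
    print("90-day token at validation:", validate_token(quarterly, t0 + 1))
```

Putting the cap in the validator matters: if only the issuer decides, anyone who can change the issuer's default (the extended expirations the article mentions) silently widens every attacker's window, whereas a validator-side cap makes such a change fail loudly at the first request.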
Longer token expiries provide user convenience - but at a high security price.
Tokens are actively being targeted by threat actors, so asking users to reauthenticate weekly is a small inconvenience when considering the very high total cost of a breach.
Originally published on www.darkreading.com, Mon, 13 May 2024 14:10:14 +0000.