Exploiting Token-Based Authentication: Attacking—and Defending—Identities

For more than 20 years, token-based authentication has enabled identity verification to service providers (SPs) without sending usernames and passwords over the network. Token-based authentication is based on trust in an identity provider (IdP), which creates tokens to be consumed by SPs. But techniques for exploiting token-based authentication put this trust at risk.

There are at least two types of exploitation techniques: stealing tokens (aka token replay) and forging tokens. MITRE has categorised these attacks as T11134/001 and T1606, respectively. Regardless of the technical implementation of token-based authentication (e.g., Kerberos, SAML, OAuth), the latter technique requires gaining access to the cryptographic secrets in use.

This demo-packed session will cover both attack techniques. You will learn how adversaries conduct token-replay attacks and how to protect against them. You will also learn how adversaries forge tokens to impersonate users and how to detect and prevent such exploitation.

Although the attack techniques are provider-agnostic, the live demonstrations in this session will use Microsoft on-premises and cloud identity platforms.

Speaker: Nestori Syynimaa, Principal Identity Security Researcher | Microsoft