Q&A
Mastering Token-Based Authentication Defense and Management
Token-based authentication is secure, but not immune to attack. Learn how you can better guard your organization.
As organizations increasingly rely on token-based authentication to secure their systems, the need for understanding the vulnerabilities in these technologies has never been more critical. Dr. Nestori Syynimaa, Senior Principal Security Researcher at Secureworks and developer of the AADInternals toolkit, is at the forefront of exploring these risks.
As a teaser of his Live! 360 session (being held in Orlando, Fla. Nov. 17-22), titled "Exploiting Token Based Authentication: Attacking and Defending Identities in the 2020s," Syynimaa answers some of our most pressing questions that delve into the mechanics of token-based authentication, highlighting both its advantages and the serious threats organizations face when it's compromised.
And for more from Syynimaa, you won't want to miss his upcoming Live! 360 session, where he promises to equip IT pros with the practical skills needed to detect and defend against token-based authentication exploits. Register by Sept. 27 and save $400!
Redmond: Can you briefly explain the fundamental principles of token-based authentication and its advantages over traditional username and password methods?
Syynimaa: With token-based authentication, the roles of Identity Provider (IdP) and Service Provider (SP) are separated. The proof of identity (like username and password) is only sent to the IdP (like Entra ID). When consuming services, only a token is sent to the SP (like Salesforce) over the internet instead of the user's credentials.
One of the main benefits of the separated roles of IdP and SP is that it allows users to sign in to the IdP once and then access multiple SPs (single sign-on).
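To make the IdP/SP split concrete, here is an added Python example (not code from the interview or from the AADInternals toolkit) in which the IdP alone holds the user store and the token-signing secret, and the SP only ever receives a signed token. The user store, the signing secret, the `IdentityProvider`/`ServiceProvider` class names and the claim layout are all constructed for the illustration; for simplicity the token is HMAC-signed with a key shared between IdP and SP, whereas a real IdP typically signs with a private key and publishes only the public key to SPs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user(password: str, salt: bytes = b"constructed-salt") -> tuple:
    """Build a (salt, PBKDF2 hash) record for the IdP's constructed user store."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Holds the user store and the token-signing secret; credentials stop here."""

    def __init__(self, signing_secret: bytes, users: dict):
        self._secret = signing_secret
        self._users = users

    def sign_in(self, username: str, password: str, audience: str,
                now: Optional[int] = None, lifetime: int = 3600) -> Optional[str]:
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None  # wrong password: no token is issued
        now = int(time.time()) if now is None else now
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + lifetime}
        payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self._secret, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(sig)}"  # the only thing that travels to the SP


class ServiceProvider:
    """Never sees a password; it only checks the token's signature and claims."""

    def __init__(self, name: str, verification_key: bytes):
        self.name = name
        self._key = verification_key

    def accept(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        try:
            payload, sig = token.split(".")
            expected = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None  # signature does not match: tampered or forged token
            claims = json.loads(_unb64(payload))
        except ValueError:  # malformed base64 or JSON
            return None
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.name:
            return None  # token was issued for a different SP
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # outside the validity window
        return claims


def demo() -> dict:
    """Run one sign-in and the checks an SP performs on the resulting token."""
    secret = b"constructed-signing-secret"
    idp = IdentityProvider(secret, {"alice": make_user("correct horse")})
    crm = ServiceProvider("crm.example", secret)
    t0 = 1_700_000_000
    token = idp.sign_in("alice", "correct horse", "crm.example", now=t0)
    return {
        "valid": crm.accept(token, now=t0 + 60),
        "wrong_password": idp.sign_in("alice", "wrong", "crm.example", now=t0),
        "tampered": crm.accept("f" + token[1:], now=t0 + 60),
        "wrong_audience": ServiceProvider("other.example", secret).accept(token, now=t0 + 60),
        "expired": crm.accept(token, now=t0 + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what the SP checks and what it does not: it never validates a password, so a correct signature, the intended audience and an unexpired validity window are all it has to go on. That is exactly why a stolen token works until it expires, and why a stolen signing secret lets an attacker mint tokens that pass every one of these checks.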
What are the most common techniques adversaries use to exploit token-based authentication?
There are two common techniques: stealing the tokens and stealing the token signing secrets. The former is easier but gives access to a single user for a limited time, whereas the latter is harder but gives permanent access to the whole organization.
What are some effective methods to detect token-replay and token forging attacks in real-time?
First, the prerequisite for all detections is adequate logging in both IdP and SP ends. Second, as detection is based on finding discrepancies between IdP and SP logs, access to both logs is required.
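The discrepancy-based detection described above, as an added Python example that is not part of the interview: an IdP issuance log and an SP access log (both constructed JSON-lines samples with a shared token id `jti`) are correlated, and any SP access whose token the IdP never issued, whose subject or source address differs from issuance, or which falls outside the issued validity window is reported. The field names and event types are assumptions about how such logs might look, not the schema of any particular product.

```python
import json
from typing import List, Dict

# Constructed IdP log: one line per token issued, with the client that requested it.
IDP_LOG = """
{"event":"token_issued","jti":"t-1001","user":"alice","ip":"203.0.113.10","ts":1700000000,"exp":1700003600}
{"event":"token_issued","jti":"t-1002","user":"bob","ip":"203.0.113.20","ts":1700000100,"exp":1700003700}
"""

# Constructed SP log: one line per accepted token presentation.
SP_LOG = """
{"event":"access","jti":"t-1001","user":"alice","ip":"203.0.113.10","ts":1700000050}
{"event":"access","jti":"t-1001","user":"alice","ip":"198.51.100.7","ts":1700000900}
{"event":"access","jti":"t-1002","user":"bob","ip":"203.0.113.20","ts":1700000200}
{"event":"access","jti":"t-9999","user":"admin","ip":"198.51.100.9","ts":1700001000}
"""


def parse_jsonl(text: str) -> List[Dict]:
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate(idp_events: List[Dict], sp_events: List[Dict]) -> List[Dict]:
    """Compare every SP access against the IdP's record of the token it presents."""
    issued = {e["jti"]: e for e in idp_events if e.get("event") == "token_issued"}
    findings = []
    for access in sp_events:
        if access.get("event") != "access":
            continue
        origin = issued.get(access["jti"])
        base = {"jti": access["jti"], "user": access["user"], "ip": access["ip"], "ts": access["ts"]}
        if origin is None:
            # SP accepted a token the IdP has no record of issuing: consistent with
            # a forged token, i.e. a compromised signing secret.
            findings.append({"type": "unissued_token", **base})
            continue
        if access["user"] != origin["user"]:
            findings.append({"type": "subject_mismatch", "issued_to": origin["user"], **base})
        if access["ip"] != origin["ip"]:
            # Token used from a different client than the one it was issued to:
            # consistent with a stolen token being replayed.
            findings.append({"type": "source_ip_mismatch", "issued_from": origin["ip"], **base})
        if not (origin["ts"] <= access["ts"] <= origin["exp"]):
            findings.append({"type": "outside_validity", **base})
    return findings


def run() -> List[Dict]:
    return correlate(parse_jsonl(IDP_LOG), parse_jsonl(SP_LOG))


if __name__ == "__main__":
    for f in run():
        print(f)
```

On the sample data this flags two events: `t-9999`, which the SP accepted although the IdP never issued it, and the second use of `t-1001` from an address other than the one it was issued to. The first pattern is only visible because both logs are available, which is the point made above about needing access to both ends.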
What are one or two best practices for securing cryptographic secrets used in token-based authentication?
There is no silver bullet to protect cryptographic secrets -- you just need to follow the hardening instructions of each involved system. Generally, a Hardware Security Module (HSM) will protect cryptographic keys from being stolen, if your IdP supports that.
How do different implementations of token-based authentication, such as Kerberos, SAML and OAuth, vary in terms of security vulnerabilities?
The fundamentals of all implementations are the same: trust is based on tokens that are cryptographically signed (or encrypted) by a trusted party.
What should participants expect from the demo-packed session, and what practical skills will they gain?
First, I will show demos of both token-based authentication attacks. That allows participants to learn how the attacks work in practice. Second, I will share best practices on how to protect environments from attacks.
What resources can you point attendees to so they can learn more about token-based authentication and prepare for your session?
There are no prerequisites to attend the session (besides general IT knowledge, which our participants typically have). Understanding the technical details of their own environment helps participants recognize what is relevant to them.