Why Tokens Are Like Gold for Opportunistic Threat Actors

When setting authentication token expiry policies, always lean in to security over employee convenience.

John A. Smith, Founder & Chief Security Officer, Conversant Group

May 13, 2024

4 Min Read
Gold-colored blobs, falling downward
Source: Leigh Prather via Alamy Stock Photo


Authentication tokens aren't actual physical tokens, of course. But when these digital identifiers aren't expired regularly or pinned for use by a specific device only, they may as well be made of gold in the hands of threat actors.

Authentication tokens (or "session tokens" as they are commonly called) are an important part of cybersecurity. They encapsulate login authorization data to enable app validations and secure, authenticated logins to networks, software-as-a-service (SaaS) applications, cloud computing, and identity provider (IdP) systems or single sign-on (SSO) for ubiquitous corporate system access. Which means that anyone with a token has a gold key to corporate systems — without requiring a multifactor authentication (MFA) challenge.

The Risks of Employee Convenience

A token's lifetime is often leveraged to provide a tradeoff between security and employee convenience, enabling users to authenticate once to maintain enduring access to applications for a specified time. However, threat actors are increasingly obtaining these tokens through adversary-in-the-middle (AitM) attacks, where the attacker is positioned either in the middle between the user and legitimate applications to steal credentials or tokens, and pass-the-cookie attacks, which nab session cookies stored on browsers. 

Personal devices also have browser caches but do not have to pass the security rigor of corporate systems. They are more easily compromised by threat actors who can capture tokens directly from poorly secured personal devices. Yet personal devices are often allowed access to corporate SaaS applications, posing threats to corporate systems.

Once a threat actor has a token, they also have whatever rights and authorizations are imbued to the user. If they have captured an IdP token, they can access all corporate applications' SSO capabilities integrated with the IdP — without an MFA challenge. If it is an admin-level credential with associated privileges, they can potentially wage a world of devastation against systems, data, and backups. The longer the token is active, the more they can access, steal, and damage. Further, they can then create new accounts that no longer require the use of the token for ongoing network access.

While expiring session tokens more frequently will not stop these sorts of attacks, it will greatly minimize the risk footprint by shortening the window of opportunity for a token to function. Unfortunately, we often see that tokens are not being expired at regular intervals, and some breach reporting also suggests that default token expirations are being deliberately extended.

Token Attacks in the Spotlight

Last year, several breach cases involving captured authentication tokens appeared in the news. Two cases involved compromised IdP tokens. According to Okta, threat actors were in their systems from Sept. 28 to Oct. 17 due to a compromise of a personal Gmail account. A saved password in the Gmail account was synchronized in the Chrome browser, enabling access to a service account, likely without MFA enforcement. Once in the service account, threat actors were able to capture other customer session tokens from HAR files stored in ServiceNow. The breach ultimately affected all Okta customer support users.

Notably, on Nov. 23, 2023, Cloudflare detected a threat actor targeting its systems using session tokens from the Okta breach. This indicates that these session tokens were not expired a full 30 to 60 days following the Okta breach — not as a routine course of business, and not in reaction to the breach itself.

In September 2023, Microsoft also made news by disclosing that threat actors had obtained a consumer signing key from a Windows crash dump. They then used it to compromise Exchange and Active Directory accounts by exploiting an unknown bug that allowed enterprise systems to accept session tokens signed with the consumer signing key. This led to the theft of 60,000 US State Department emails. It is possible this breach would not have been as impactful if tokens had been more aggressively expired (or pinned).

What Should Companies Be Doing?

The key lesson for organizations is that tokens present risk — but there are ways to minimize these risks and execute a more aggressive token management program:

  • Organizations should expire authentication tokens at least every seven days (at a minimum) in geographies where the enterprise has staff.

  • In regions without office staff, tokens should be expired much more frequently (every 24 hours, or block the location entirely).

  • Do not enable logins to SaaS applications from personal devices. You do not control the security controls of these devices, and it leaves too many tokens out of corporate reach.

  • Block personal email access from corporate devices.

  • Block the saving of credentials within browsers.

  • Block synchronization of saved credentials to Gmail, Google Drive, and OneDrive.

Longer token expiries provide user convenience — but at a high security price. Tokens are actively being targeted by threat actors, so asking users to reauthenticate weekly is a small inconvenience when considering the very high total cost of a breach.

About the Author(s)

John A. Smith

Founder & Chief Security Officer, Conversant Group

John A. Smith is Founder and Chief Security Officer of Conversant Group and its family of IT infrastructure and cybersecurity services businesses. He is the founder of three technology companies and, over a 30-year career, has overseen the secure infrastructure design, build, and/or management for over 400 organizations. He is currently serving as vCIO and trusted advisor to multiple firms.

A passionate expert and advocate for cybersecurity nationally and globally who began his IT career at age 14, John is a sought-after thought leader, with dozens of publications and speaking engagements. In 2022, he led the design and implementation of the International Legal Technology Association’s (ILTA’s) first annual cybersecurity benchmarking survey.

John studied Computer Science at the University of Tennessee at Chattanooga and holds a degree in Organizational Management from Covenant College, Lookout Mountain, Georgia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights