惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Help Net Security
Help Net Security
P
Privacy International News Feed
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
AWS News Blog
AWS News Blog
K
Kaspersky official blog
A
Arctic Wolf
Latest news
Latest news
T
Threat Research - Cisco Blogs
L
LINUX DO - 最新话题
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Google DeepMind News
Google DeepMind News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
N
News and Events Feed by Topic
Jina AI
Jina AI
博客园 - 司徒正美
WordPress大学
WordPress大学
罗磊的独立博客
雷峰网
雷峰网
AI
AI
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Security @ Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Heimdal Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cisco Blogs
博客园 - 【当耐特】
The Hacker News
The Hacker News
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Schneier on Security
Schneier on Security
博客园 - Franky
S
SegmentFault 最新的问题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cloudbric
Cloudbric
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Secure Thoughts
Last Week in AI
Last Week in AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Detect and Prevent Cross Device Authentication
Zach Newton · 2025-04-17 · via Okta Security RSS Feed

So, you recently implemented phishing-resistant authentication policies.

Firstly, congrats! You’ve significantly raised the bar for potential threat actors and have a far better chance of detecting a compromise going forward. This will force threat actors to shift their focus to compromising your end-user devices. So what does this actually look like and what else can you do?

Even with phishing resistant authentication in place, there are several techniques a threat actor could employ that leverage a compromised endpoint to successfully authenticate to Okta-protected resources. The threat model for FIDO authentication, for example, notes that there are limits to how much protection an authenticator offers if the hardware it operates on is compromised.

One such example of this is what we call a ‘Cross Device Authentication (CDA) attack’ - this is when an attacker connects to a protected resource from their machine and forwards the required authentication flow through a machine they have previously compromised to gain unauthorized access.

I won't go into all the details here, as this technique has previously been proposed and documented by other researchers (XPNSec, GitLab).

Combatting CDA Attacks

Prevention

Steve Lind recently published a great blog, ‘Stay secure with FastPass and Trusted App Filters’, which details what Trusted App Filters are and how they can be used to protect against Cross Device Authentication (CDA) attacks, so be sure to check it out.

Detection

In this blog post, I would like to provide some potential detection ideas off the back of Trusted App Filters. When you authenticate with FastPass using the LOOPBACK or APPLE_SSO_EXTENSION binding methods (i.e. the phishing-resistant methods), you will find in the associated user.authentication.auth_via_mfa event, under the ‘AuthenticatorContext’ object, a variety of information about the process that initiated the authentication is logged.

These values are particularly useful from a detection perspective, as they give you visibility into what process the authentication request was initiated from, and can be used to detect unexpected or anomalous processes initiating authentication in your environment. Our Identity Defence Operations team have put together an example query that you can use to identify authentication requests that are not initiated by a browser using System Log.  

Leveraging Adam Chester’s lightweight proxy on our attacker machine and an SSH reverse proxy on the compromised machine, when we authenticate to an Okta protected resource from the attackers machine, the authentication request is forwarded over the reverse proxy to FastPass on the compromised machine. Looking in the ‘AuthenticatorContext’ object we can see that the initiating process is SSH.

Another potential avenue for detecting Cross Device Authentication (CDA) attacks is via anomalies in the session establishment. During the authentication flow a user.session.start event and a user.authentication.auth_via_mfa event are generated. Leveraging the root_session_id, we can tie these events together. Next we can extract the client IPs from each event, looking for when they don't match. In an attack scenario, the IP in the user.session.start event will be the attacker and the IP in the user.authentication.auth_via_mfa event will be the compromised device. We can then layer techniques like impossible travel, conflicting ASNs or changes in User Agents to identify suspicious events. At times, (depending on your environment) these methods can be prone to false positives, so combining this with an anomalous calling process can help filter out the noise and turn this into a robust detection opportunity. 

To find out more, I highly recommend checking out Steve Lind’s recent blog, which covers Trusted Application Filters more in-depth. If you can’t get enough after that, check out our Oktane on Demand 2024 session, where Steve and I include a demo on how Trusted App Filters can thwart Cross Device Authentication (CDA) attacks.

Zach Newton is the Senior Manager of the Global Adversarial Engineering and Operations team at Okta, who are focused on adversary simulation and offensive-driven detection research. Prior to joining Okta, Zach worked in a variety of offensive and defensive roles across financial services, telecommunications and retail.