DEV Community

oliverbeenthere
oliverbeenthere

Posted on • Originally published at Medium

The Afterlife of Authentication - Following What Lives On

For years, authentication felt like the finish line.

A user entered a password, approved MFA, received access and the story was supposed to be over.

Identity had been verified.

Trust had been established.

Everyone moved on.

But modern identity attacks tell a different story.

And authentication is no longer at the end of it.

It’s simply where a different one begins.

Once trust is established, attackers stop caring about the password.

_They care about what survives after authentication succeeds.
_

Nothing Truly Dies

Authentication answers one simple question:

“Who are you?”

Once that question is answered, the system tries not to ask it again.

After all, constantly asking users to prove their identity would make modern cloud services almost unusable.

That’s where OAuth and OpenID Connect (OIDC) come in.

Instead of authenticating every request, they allow applications to reuse trust that has already been established.

So Microsoft Entra ID verifies the user once, then issues the artifacts that allow trust to continue long after authentication ends.

Access Tokens.

Refresh Tokens.

Session Cookies.

Trust relationships.

The password was only the entrance ticket.

The real value is everything that keeps working after the login window closes.

Authentication lasts only a moment.

Trust is expected to outlive it.

_And that’s where the afterlife begins.
_

The Death of the Password

If trust became the valuable asset, it was only a matter of time before attackers started targeting it instead.

For a long time, stealing passwords was enough.

Then organizations introduced Multi-Factor Authentication (MFA).

Conditional Access became common.

Passwordless authentication followed shortly after.

Breaking into the front door became increasingly difficult.

So attackers stopped trying.

Instead of stealing credentials, they began stealing what credentials create.

This is the shift from credential theft to trust theft.

Rather than defeating MFA, they simply let the legitimate user complete it for them.

The password is no longer the prize.

The authenticated session is.

Life After Login

Modern cloud environments don’t run on passwords.

They run on trust.

Every request now carries something far more valuable than a password.

A token.

Microsoft Graph accepts it.

Cloud applications accept it.

APIs accept it.

As long as the token remains valid, the system continues acting as if the user is present.

Authentication slowly becomes history.

Trust keeps doing the work.

_As Murphy’s Law reminds us: Anything that can go wrong, will go wrong.
_

The longer trust remains alive, the more opportunities attackers have to abuse it.

The Ghost Between The Two Worlds

Adversary-in-the-Middle (AiTM) attacks exploit exactly that trust.

Instead of presenting a fake login page, the attacker places a reverse proxy between the victim and Microsoft Entra ID.

The victim signs in successfully.

Microsoft verifies the sign-in successfully.

MFA succeeds exactly as expected.

Nothing appears compromised.

But while authentication is taking place, the attacker quietly captures the session artifacts it leaves behind.

Authentication succeeds exactly as designed.

_The only question is who gets to keep what survives.
_

Living Someone Else’s Afterlife

Device Code phishing pushes the same idea even further.

There is no fake Microsoft website.

No fake login page.

The victim authenticates directly against Microsoft’s legitimate device login portal.

Everything looks correct.

Because it is.

The attacker generated the Device Code first.

The victim simply completes the authentication process on the attacker’s behalf.

Authentication succeeds exactly as designed.

But someone else walks away with everything authentication left behind.

_Its afterlife included.
_

The Identities That Were Never Alive

Then comes the realization that changes the way we think about identity entirely.

Not every identity has a password.

Not every identity performs MFA.

Some identities never authenticate the way people do.

Service Principals.

Managed Identities.

Workload Identities.

They exist to allow applications and services to communicate with each other without human interaction.

Many of them hold powerful Microsoft Graph permissions and access to critical cloud resources.

Compromising one of them can be far more valuable than compromising a user.

Some identities never enter the afterlife.

_They are born into it.
_

When Trust Outlives Authentication

Many organizations respond to an identity compromise by resetting the user’s password.

Sometimes that’s enough.

Sometimes it isn’t.

Refresh Tokens may continue issuing new Access Tokens.

Existing sessions may continue working.

Applications may continue trusting an identity long after the original password has changed.

The attacker isn’t resurrecting the password.

They’re reusing the trust authentication already created.

This is exactly why modern identity security is shifting its focus.

Not toward protecting passwords.

But toward deciding when trust should finally expire.

Protecting What Lives On

Modern identity defences no longer focus only on making authentication stronger.

They focus on controlling everything that happens after authentication succeeds.

Some technologies, like Passkeys and FIDO2, strengthen the authentication process itself.

Others, such as Conditional Access, Token Protection, Continuous Access Evaluation (CAE) and Identity Threat Detection, continuously evaluate whether that trust should still exist.

The goal is no longer simply protecting the login.

It’s protecting the entire chain of trust that follows it.

Because in modern identity systems, authentication is only the beginning.

Trust Is the New Attack Surface

We often say that identity is the new perimeter.

After spending time studying modern Entra ID attacks, I’d take that one step further.

Trust has become the new attack surface.

Attackers rarely spend their time defeating authentication anymore.

They simply abuse what authentication leaves behind.

Perhaps we were looking at the wrong finish line all along.

Authentication was simply the moment a second life began.

And in today’s cloud-first world, the most important security question is no longer:

“Did the user authenticate successfully?”

It’s:

“What is still trusted after they did?”

Because authentication eventually dies.

But trust lives on.

And attackers are always looking for what still has a pulse.

Top comments (0)