Rethinking Identity Security: Why Third-Party Suppliers Must Lead with Resilience

Pat Opet, CISO of JP Morgan, recently wrote an open letter urging suppliers to step up their security and resiliency efforts. As enterprises like JP Morgan increasingly rely on Cloud and SaaS providers for critical operations, the traditional moat-and-castle security model is no longer sufficient. Securing the modern hybrid enterprise requires both SaaS and Cloud providers to enhance their security posture while enterprises rethink how they protect their most valuable assets. The starting point? Identity security.

In this blog, we’ll examine two key points from Pat’s letter and how they relate to the challenges facing modern enterprises.

SaaS Token Replay and Reuse Attacks

Pat highlights the risk of “inadequately secured authentication tokens susceptible to theft and reuse.” As enterprises adopt stronger authentication methods like Passwordless, FIDO2 WebAuthN, and phishing-resistant MFA, attackers are shifting their focus to session tokens. These tokens, used to maintain app sessions beyond initial authentication, often remain vulnerable.

Session tokens, stored as bearer tokens in browser cookies or disk storage, are easily accessible to user-mode processes.  This makes them prime targets for info-stealers, which exfiltrate session tokens for resale on dark web marketplaces like Genesis, where they can go for as little as $17. This problem is not limited to interactive access. Even non-interactive machine access using API keys, secrets and OAuth tokens is also vulnerable to theft and reuse.

To mitigate these risks, app providers must secure tokens and detect anomalies. However, this is easier said than done. Short of invalidating sessions every few minutes — which disrupts user experience — most apps lack the visibility to detect session-level changes. Complicating matters, the proliferation of personal VPNs has made it difficult to use IP addresses, ASN, or geolocation as reliable signals for risk detection.

Standards Addressing Token Theft

New standards like the Continuous Access Evaluation Profile (CAEP) in the Shared Signals Framework (SSF) aim to close these gaps by facilitating signal sharing between identity providers and apps. Unfortunately, adoption has been slow, and most signal sharing remains one-way — meaning apps may remain unaware of risk changes detected by the identity provider. [Note: While there are adoption challenges to CAEP/SSF, WideField Security is doing its part by actively participating in the CAEP ecosystem by being a SSF transmitter. Our integration with Okta is available for our mutual customers.]

Device Bound Session Credentials (DBSC), used by Google Workspace, offer another promising approach by binding session tokens to specific devices. However, implementing DBSC requires significant changes to apps and infrastructure. Similarly, Demonstrating Proof of Possession (DPoP) for OAuth tokens uses cryptographic challenges to verify token ownership but has yet to see widespread adoption.

While all these standards offer a vision of token security, broad implementation remains a distant reality.

What Can Enterprises Do in the Meantime?

Session token theft isn’t just an emerging problem — it’s an urgent one. Until these standards are widely adopted, what can enterprises do to protect themselves?

Most enterprises attempt to address session token theft through one or more of the following measures:

• Hardening SaaS and cloud access: Restricting access to managed devices only or even hair-pinning traffic through on-premises security infrastructure. While effective in theory, these measures can severely impact user productivity.
• Tight governance over app access: Enforcing strict application approval processes to limit the scope of permissions granted to third-party apps. However, governance programs often break down due to exceptions and scope creep.
• Log aggregation and analysis: Sending all SaaS and cloud logs to a SIEM and running detection rules. This approach requires heavy investment in data aggregation, correlation and enrichment which most enterprises cannot afford.

Ultimately, these approaches are often band-aids that can be easily ripped off by exceptions, configuration drift, or operational missteps. To truly mitigate session token theft, enterprises need visibility into how tokens are being used post-authentication and the ability to detect deviations in session behavior in real time.

OAuth Permissions Model

Pat also discusses a common enterprise scenario: AI-powered calendar optimization app requesting excessive permissions, such as full mailbox access. In practice, we’ve seen consumer apps like Mail Merge ask for full Google Drive or OneDrive access when they only need a single file or folder.

Why do users approve these requests? Because the OAuth dialog is perceived differently than intended. Instead of evaluating permissions, most users see the "Allow" button as a "Get work done" button and the "Cancel" button as a "Can’t get work done" button.

A New Perspective on Identity Security

At WideField Security, we believe it’s time to rethink identity security. Instead of focusing solely on Gartner categories, we approach identity security like data security — by monitoring Identity at Rest, In Motion, and In Use.

• Identity at Rest: Ensuring account lifecycles, entitlements, and credential policies are configured securely.
• Identity in Motion: Verifying that authentication and MFA policies are enforced correctly, without inadvertent policy escapes.
• Identity in Use: Monitoring post-authentication sessions for anomalies, privilege escalation, and potential threats.

‍

Without this holistic view, identity security becomes a game of whack-a-mole, with each new threat prompting a piecemeal response that does not solve the problem as threat actors bypass measures by finding other holes. In upcoming blogs, we will cover how our approach solves some of identity security’s most pressing problems. 

If you want to see how WideField Security addresses these challenges, request a demo. Or follow our updates by connecting with us on LinkedIn. 

‍