When Identity Theft is the Target: Practical Defenses for SSO, Passkeys and Session Theft in 2025

Shemul
September 2, 2025

Identity is the easiest path in. Over the past months, researchers and incident responders have shown how attackers bypass or piggyback modern authentication, and it’s not just passwords, but device-bound credentials and single sign-on sessions as well. Here are some real-world examples:

  • Passkey/WebAuthn abuse: Researchers demonstrated a browser-side manipulation that let an attacker impersonate a user and bypass passkey protections by abusing the WebAuthn flow itself. This was presented around DEF CON 33 and covered by industry press.1
  • SSO session theft on macOS (Entra ID): New research details Primary Refresh Token (PRT) cookie theft and device forgery paths that enable persistent access in Entra ID on macOS, expanding prior Windows-focused concerns.2
  • OAuth device-code phishing: Campaigns have abused the device code flow to log in “legitimately,” register attacker-controlled devices, and obtain refresh tokens. No password theft was required. Microsoft and researchers flagged this early in 2025, with concrete mitigations.3

Below are practical, implement-now defenses mapped to these failure models.

      1. Harden passkeys and WebAuthn in the real world

      Problem: Browser and extension layers can be manipulated to subvert otherwise strong WebAuthn flows. 

      What to do:

      • Treat the browser as part of your trust boundary. Enforce managed browsers and managed extension policies; disable unapproved extensions and remote debugging in enterprise contexts (Intune/MDM or equivalent).
      • Use phishing-resistant factors everywhere possible. Passkeys remain valuable but bind them to device posture and conditional access (managed/compliant device, compliant OS build, healthy security stack). 
      • Require step-up for sensitive actions. For admin functions, payments, key-vault access, or role elevation, require a fresh WebAuthn assertion and re-verify device posture.
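As an added example (not code from the original post), here is the relying-party side of the origin and challenge checks that expose a manipulated browser flow: before the signature is verified, the server validates clientDataJSON and authenticatorData against its own expectations. The origin allowlist, RP ID, flag requirements and the test-data helpers are assumptions.

```python
import base64, hashlib, json

# Assumed relying-party settings (not from the original post).
ALLOWED_ORIGINS = {"https://login.example.com"}
RP_ID = "example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, require_uv: bool = True) -> dict:
    """Pre-signature checks on a WebAuthn 'get' assertion; the signature itself is
    verified afterwards with the stored public key (out of scope here)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return {"ok": False, "reason": "challenge mismatch (replayed or forged client data)"}
    # An origin outside the allowlist is the trace a manipulated browser layer leaves behind.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return {"ok": False, "reason": f"unexpected origin {cd.get('origin')!r}"}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash does not match the relying party"}
    flags = auth_data[32]
    if not flags & 0x01:                      # UP: user presence
        return {"ok": False, "reason": "user presence not asserted"}
    if require_uv and not flags & 0x04:       # UV: user verification
        return {"ok": False, "reason": "user verification required but not performed"}
    sign_count = int.from_bytes(auth_data[33:37], "big")
    # A counter that fails to increase points at a cloned credential or a replay.
    if sign_count != 0 and sign_count <= stored_sign_count:
        return {"ok": False, "reason": "signature counter did not increase"}
    return {"ok": True, "reason": "pre-signature checks passed", "sign_count": sign_count}

def make_client_data(origin: str, challenge: bytes) -> str:
    """Build constructed clientDataJSON for testing (base64url, unpadded)."""
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    body = {"type": "webauthn.get", "challenge": ch, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```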

      2. Close Single Sign-on (SSO) persistence gaps

      Problem: PRT (primary refresh token) cookie theft and device forgery can provide long-lived access to Entra ID, even without password theft. 

      What to do:

      • Shorten refresh token and SSO lifetimes for high-risk roles.
      • Constrain device trust: Require device compliance for SSO access, monitor device registration events and block registrations from untrusted brokers/locations. 
      • Detect the telltales: Alert on unusual PRT refresh patterns, sudden device re-registrations, or token use from unfamiliar device IDs.

      3. Neutralize device-code flow abuse

      Problem: Attackers exploited the OAuth device code flow to obtain refresh tokens and register rogue devices. 

      What to do:

      • Block or gate device code flow unless strictly required. If business-critical, enforce conditional access for compliant/managed devices only; most device-code phishing fails under this policy. 
      • Harden user experience: Educate users that device-code prompts should come only from known apps and managed devices; unexpected codes are a red flag.

      • Log and alert: Monitor for spikes in device-code authorizations, unusual client IDs, and rapid sequences of device registration after consent.
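The telltales from sections 2 and 3 as detection logic, added here as an example and not taken from the original post: it runs over a few constructed sign-in and registration events and flags device-code sign-ins from unapproved clients, a device registered shortly after a device-code sign-in, and PRT-based token use from a device ID the user has never signed in from. The per-user device baseline, the client allowlist and the simplified field names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed tenant baseline (not from the original post): devices each user normally
# signs in from, and the only client allowed to use the device code flow.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}
APPROVED_DEVICE_CODE_CLIENTS = {"app-kiosk"}
REG_WINDOW = timedelta(minutes=10)  # registration this soon after device-code sign-in is suspicious

# Constructed sample events with simplified field names; not real sign-in logs.
EVENTS = [
    {"ts": "2025-08-20T09:00:00", "user": "alice", "event": "signin", "flow": "prt",
     "device_id": "dev-a1", "client_id": "app-mail"},
    {"ts": "2025-08-20T09:05:00", "user": "bob", "event": "signin", "flow": "deviceCode",
     "device_id": None, "client_id": "app-unknown"},
    {"ts": "2025-08-20T09:08:00", "user": "bob", "event": "device_registered", "flow": None,
     "device_id": "dev-x9", "client_id": None},
    {"ts": "2025-08-20T09:30:00", "user": "bob", "event": "signin", "flow": "prt",
     "device_id": "dev-x9", "client_id": "app-mail"},
]

def detect(events):
    """Return (user, message) alerts for the three telltales described in sections 2 and 3."""
    alerts = []
    last_device_code = {}  # user -> time of their most recent device-code sign-in
    for e in sorted(events, key=lambda e: e["ts"]):
        t, u = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "signin" and e["flow"] == "deviceCode":
            last_device_code[u] = t
            if e["client_id"] not in APPROVED_DEVICE_CODE_CLIENTS:
                alerts.append((u, f"device-code sign-in via unapproved client {e['client_id']}"))
        elif e["event"] == "device_registered" and u in last_device_code:
            gap = t - last_device_code[u]
            if gap <= REG_WINDOW:
                alerts.append((u, f"device {e['device_id']} registered {int(gap.total_seconds() // 60)} min "
                                  "after a device-code sign-in (rogue device pattern)"))
        elif e["event"] == "signin" and e["flow"] == "prt":
            # Token use from a device ID never seen for this user: PRT theft/forgery telltale.
            if e["device_id"] not in KNOWN_DEVICES.get(u, set()):
                alerts.append((u, f"PRT sign-in from unfamiliar device {e['device_id']}"))
    return alerts
```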

      4. Kill cookie-theft and session replay

      Problem: Stolen cookies bypass MFA, hand attackers a live session, and dodge password policies. 

      What to do:

      • Bind sessions to context: Enforce token/session binding to device and network context where available; revoke sessions when posture or location changes sharply.
      • Set conservative session lifetimes for high-risk applications and rotate keys frequently.
      • Secure the browser environment: Managed profiles, least-privilege extensions, and endpoint detection and response (EDR) that inspects for cookie-grabbing behaviors and untrusted exfiltration.
      • Make re-auth the norm for admin power: Any privilege escalation or role assumption should require a re-auth using a phishing-resistant factor.
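An added example (not from the original post) of binding a session to device and network context and forcing step-up for privileged actions: the token carries a fingerprint of the context it was issued in plus the time of the last phishing-resistant authentication, so a cookie replayed from another device fails validation, an old session expires, and an admin action on a stale session is refused until a fresh assertion is recorded. The signing key, lifetimes and fingerprint inputs are assumptions.

```python
import base64, binascii, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: in practice loaded from a KMS and rotated
MAX_SESSION_AGE = 8 * 3600            # conservative lifetime for a high-risk application (seconds)
STEP_UP_MAX_AGE = 300                 # admin actions need a strong assertion newer than 5 minutes

def context_fingerprint(device_id: str, network: str) -> str:
    # Bind to device identity plus coarse network context (e.g. an ASN), not a raw client IP.
    return hashlib.sha256(f"{device_id}|{network}".encode()).hexdigest()

def _sign(raw: bytes) -> str:
    return hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()

def issue_session(user: str, device_id: str, network: str, now: int, strong_auth_at: int) -> str:
    body = {"sub": user, "iat": now, "ctx": context_fingerprint(device_id, network),
            "last_strong_auth": strong_auth_at}
    raw = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(raw).decode() + "." + _sign(raw)

def validate_session(token: str, device_id: str, network: str, now: int, privileged: bool = False):
    """Return (ok, reason). A cookie replayed from another device or network fails the ctx check."""
    try:
        raw_b64, tag = token.rsplit(".", 1)
        raw = base64.b64decode(raw_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    if not hmac.compare_digest(_sign(raw), tag):
        return False, "bad signature"
    body = json.loads(raw)
    if now - body["iat"] > MAX_SESSION_AGE:
        return False, "expired: re-authenticate"
    if body["ctx"] != context_fingerprint(device_id, network):
        return False, "context changed: session revoked, re-authenticate"
    if privileged and now - body["last_strong_auth"] > STEP_UP_MAX_AGE:
        return False, "step-up required: present a fresh phishing-resistant assertion"
    return True, "ok"

def record_step_up(token: str, device_id: str, network: str, now: int) -> str:
    """Reissue the session after a fresh WebAuthn assertion so privileged calls pass again."""
    ok, reason = validate_session(token, device_id, network, now)
    if not ok:
        raise PermissionError(reason)
    body = json.loads(base64.b64decode(token.rsplit(".", 1)[0]))
    return issue_session(body["sub"], device_id, network, body["iat"], now)
```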

      5. Prioritize by active exploitation and business impact

      Problem: Teams drown in auth-related findings and fatigue sets in.

      What to do:

      • Patch and mitigate what is being exploited now. Track CISA KEV and move those items to the top of the queue; note CISA’s 24-hour CitrixBleed-2 directive as the new urgency standard.4
      • Use EPSS-style likelihood signals and role/asset criticality to rank identity control gaps (e.g., admin SSO sessions > standard user sessions).
      • Measure what matters: Report MTTR for identity fixes, number of risky sign-ins blocked, and repeat offender misconfigurations.

      6. Bake identity into testing and detection

      Problem: Many programs still test apps and infra, but not the identity plumbing.

      What to do:

      • Include identity in penetration tests: Simulate session hijack, passkey-flow manipulation, and device-code abuse. Validate that Conditional Access rules and registration governance hold up under pressure.
      • Turn findings into detections: For every successful test, add a SIEM (security information and event management) rule or identity provider (IdP) alert (e.g., sudden device registrations, abnormal WebAuthn origins, impossible-travel for PRT use).
      • Re-test after every fix and after major auth changes (new IdP configs, passkey rollout, broker updates).

      Final thought

      “Passwordless” and “SSO” are not silver bullets. Identity security in 2025 means treating browsers, tokens, device posture, and auth flows as a single system. They should be tested together, monitored together, and prioritized by real-world exploitation.

      1. https://www.prnewswire.com/news-releases/squarex-researchers-reaffirms-their-browser-security-thought-leadership-with-multiple-vulnerability-disclosures-in-key-black-hat-and-def-con-33-talks-302520615.html?utm_

      2. https://media.defcon.org/DEF%20CON%2033/DEF%20CON%2033%20presentations/Shang-De%20Jiang%20Dong-Yi%20Ye%20Tung-Lin%20Lee%20-%20Original%20Sin%20of%20SSO%20macOS%20PRT%20Cookie%20Theft%20%26%20Entra%20ID%20Persistence%20via%20Device%20Forgery.pdf?utm_

      3. https://learn.microsoft.com/en-us/answers/questions/2169422/validity-of-article-on-microsoft-device-code-authe?utm_

      4. https://www.scworld.com/news/federal-agencies-have-24-hours-to-patch-citrix-bleed-2-bug?utm_