Hackers Steal Session Cookies To Bypass Multi-Factor Authentication. Expert Weighs In

Following the news that: 

Hackers Steal Session Cookies to Bypass Multi-factor Authentication

Michael Tanaka, Chief Commercial Operator
Industry Leader
August 24, 2022 8:13 am

The article covers so much ground that it’s easy to lose sight of the most important facts.

Attacks can bypass a good defence. The old adage of bolting the doors but leaving the windows open springs to mind. For this reason, sessions should be managed very carefully, and access to data or resources re-authenticated despite being in a “secure” session.

Unfortunately, the main reason services do not re-authenticate is for fear of aggravating the user. Often the person in charge of the user experience is at loggerheads with the security person. In the end, the customer experience argument often wins out. I’ve heard of apps that maintain a session for 90 days or even longer!

Clearly any technology that lowers the authentication friction and increases the success rate of authentication will help the Customer Experience Manager live in harmony with the Information Security Officer.

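The session handling the comment argues for, as an added example that is not from the article or the commenter: a session store with an idle timeout, a hard absolute lifetime, and step-up MFA for sensitive actions, so a replayed session cookie is bounded in time and cannot reach sensitive data on its own. The timeout values, method names and the injectable clock are constructed for illustration.

```python
# Added example (not from the article): idle and absolute expiry plus step-up MFA,
# so a stolen session cookie has a short, bounded value. Policy values are constructed.
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (not 90 days)
STEP_UP_MAX_AGE = 5 * 60      # sensitive actions need an MFA pass this recent


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can move time forward
        self._sessions = {}  # sid -> {"user", "created", "last_seen", "last_mfa"}

    def login(self, user):
        # Full login that included MFA: issue an unguessable session id.
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "last_mfa": now}
        return sid

    def validate(self, sid):
        # Return the live session record or None, purging anything expired.
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > ABSOLUTE_LIFETIME or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def authorize(self, sid, sensitive):
        # 'ok', 'login' (no valid session) or 'step_up' (re-authenticate first).
        s = self.validate(sid)
        if s is None:
            return "login"
        if sensitive and self.clock() - s["last_mfa"] > STEP_UP_MAX_AGE:
            return "step_up"  # a replayed cookie alone cannot satisfy this
        return "ok"

    def complete_step_up(self, sid):
        # Record a freshly passed MFA challenge on an existing live session.
        s = self.validate(sid)
        if s is None:
            return False
        s["last_mfa"] = self.clock()
        return True
```

A cookie copied off the user's machine still works for ordinary reads until the idle or absolute limit, but any sensitive action returns `step_up` once the last MFA pass is older than five minutes, which a cookie alone cannot satisfy.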