August 16, 2024 By Paul Wagenseil
We're familiar with attacks that try to compromise your usernames and passwords. Weak passwords can be cracked. Reused passwords are vulnerable to credential-stuffing attacks, and common passwords to password-spraying attacks. Phishing scams try to steal usernames and passwords outright.
All of these are "pre-authentication" attacks. They try to obtain your credentials so that attackers can then log into a service as you.
But there are also ways to get into your account after you've logged in. Most of these involve stealing or abusing the session tokens that are granted to legitimate users upon a successful login. We call these "post-authentication" attacks.
Post-authentication attacks sidestep multi-factor authentication (MFA) rather than break it: the stolen token represents a login that already passed every factor, so the service never asks for a second one, and neither the user nor the service sees anything unusual unless the session is bound to the device or its use is monitored for anomalies. They defeat even the most modern forms of authentication, including hardware keys and passkeys, because those protect the login step rather than the session that follows it.
It doesn't matter how strong a form of authentication is, or how many factors are used, if the session token issued after that authentication can be stolen and replayed.
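The replay problem described above, as an added example that is not from the article or from Okta: a toy in-memory session store in Python. The user, password and TOTP code are constructed placeholders, and the "device-bound" mode is a simplified model of binding a session to a per-device key that never enters the cookie jar, not any vendor's implementation. It shows that a copied cookie is a full login in bearer mode, and is worthless once the session is bound.

```python
import hashlib
import hmac
import secrets

# Constructed demo user; the password and TOTP code are placeholders.
USERS = {"alice": {"password": "correct-horse-battery", "totp": "492817"}}


class SessionStore:
    """Minimal in-memory web session store.

    device_bound=False: a classic bearer cookie. Whoever presents the token
    is treated as the user, so MFA is never re-checked after login.
    device_bound=True: each request must also prove possession of a
    per-device key minted at login and kept out of the cookie jar (a
    simplified model of device-bound session credentials, not any vendor's
    implementation). A copied cookie alone is then worthless.
    """

    def __init__(self, device_bound=False):
        self.device_bound = device_bound
        self._sessions = {}   # token -> {"user": str, "device_key": bytes}
        self._nonces = set()  # server-issued, single-use challenges

    def login(self, username, password, totp_code):
        """Password + MFA check. On success return (token, device_key)."""
        user = USERS.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(user["totp"], totp_code):
            return None
        token = secrets.token_urlsafe(32)
        device_key = secrets.token_bytes(32)  # stays on the client device
        self._sessions[token] = {"user": username, "device_key": device_key}
        return token, device_key

    def challenge(self):
        """Issue a fresh nonce so a captured proof cannot be replayed."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    @staticmethod
    def make_proof(device_key, token, nonce):
        """Client side: bind this request to the device key."""
        msg = f"{token}:{nonce}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def authorize(self, token, nonce=None, proof=None):
        """Return the username if the request is accepted, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if not self.device_bound:
            return session["user"]  # bearer token: presenting it is enough
        if nonce not in self._nonces or proof is None:
            return None
        self._nonces.discard(nonce)  # single use, even if the proof fails
        expected = self.make_proof(session["device_key"], token, nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        return session["user"]


def replay_stolen_cookie(device_bound):
    """Victim completes MFA; attacker has only a copy of the cookie.

    Returns (victim_request, cookie_only_replay, captured_request_replay),
    each the accepted username or None.
    """
    store = SessionStore(device_bound=device_bound)
    token, device_key = store.login("alice", "correct-horse-battery", "492817")

    # 1. Legitimate request from the device that completed MFA.
    nonce = store.challenge()
    proof = SessionStore.make_proof(device_key, token, nonce)
    victim = store.authorize(token, nonce, proof)

    # 2. Attacker stole the cookie (e.g. an infostealer reading the browser
    #    profile) but not the device key, so it can only guess a proof.
    attacker_cookie = store.authorize(token, store.challenge(), "0" * 64)

    # 3. Attacker captured a whole earlier request (token, nonce, proof) in
    #    transit and replays it verbatim.
    attacker_replay = store.authorize(token, nonce, proof)

    return victim, attacker_cookie, attacker_replay
```

In bearer mode `replay_stolen_cookie(False)` accepts all three requests, which is exactly why a stolen cookie needs no password, no MFA and no passkey. In bound mode only the victim's own request is accepted: the cookie-only replay fails because the attacker cannot compute the proof, and the captured-request replay fails because the nonce was consumed. In a real deployment the device key would live in hardware-backed storage and the token would be short-lived; the in-memory nonce set would need the same single-use guarantee across server instances.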
"The battleground has really shifted over the past 12 months," Okta Chief Security Officer David Bradbury said in a recent interview. "It's no longer about pre-authentication/before login attacks. It's about post-authentication attacks."