Wait, 88 Percent?!
3:07 a.m., 12 October 2024. A finance VP swipes away a single Okta (identity platform) security alert and nods off again. On her laptop, commodity infostealer malware has already copied an active session cookie - the tiny data file that proves she’s authenticated - and listed it on a dark-web market for about US $10-15. Within minutes an attacker “replays” the cookie in a headless browser, lands in her Okta dashboard without a password or MFA prompt, and wires US $1.4 million offshore. The only weapon was a stolen credential artifact.
Key terms
Let’s clear some key terminology before we dive in:
- Session cookie: a browser file that vouches for an already-authenticated session; whoever steals it inherits your login - no re-authentication.
- ID or login token: a digitally signed ID card that proves who you are to an application.
- SAML (Security Assertion Markup Language): the language your authentication systems speak to each other.
- SAML assertion: a “seal of approval” confirming your identity.
- FIDO2: the latest technology that lets people log in to online services using secure, physical keys (like a USB stick) or biometrics (like face or fingerprint scans built into your device), instead of traditional passwords.
The Bigger Pattern
- 88% of web-application breaches begin with stolen credentials.
- Breaches that start with valid logins cost an average US $4.81 million to contain.
- The median ransomware payout in early-2025 incidents is US $200 000.
- Organizations still take about 204 days to spot the first unauthorized login.
- Credential-based intrusions surged 71% year-over-year, becoming IBM X-Force’s top entry vector.
The Criminal Supply Chain for Credentials
- Phishing-as-a-Service kits rent for US $60 per month, complete with real-time MFA relay pages.
- Infostealer logs - bundles of passwords and session cookies - trade for US $10-25 each.
- Credential-stuffing bots weaponize recycled passwords; 65% of users still reuse them.
- Initial-access brokers auction corporate VPN keys or cloud tokens, often sourced from those same logs, to ransomware crews.
Why it matters: the underground market sells millions of fresh logs every month, giving adversaries a near-endless supply of ready-made keys.
Why a Stolen Cookie Beats Two-Factor
MFA stops password guessing but not token theft. Modern identity providers (IdPs) issue long-lived cookies or JSON Web Tokens (JWTs - login tokens) after initial login. If malware or a malicious browser extension exports that token:
- No new sign-in challenge occurs; the IdP sees a “continuing” session.
- Geographic anomalies are blurred. Attackers route traffic through residential proxies in the victim’s region.
- Security tools stay silent. Firewall, IDS, and even endpoint agents interpret the traffic as routine SaaS usage.
Unless you bind tokens to a specific device, rotate them aggressively, or inspect browser telemetry, the hijack remains invisible.
And the invoice doesn’t stop at the wire transfer…
Hidden Cost Curve
Beyond the headline ransom:
- Regulatory fines under the SEC’s four-day incident-disclosure rule or Europe’s NIS2 directive.
- Contractual penalties when customer data is exposed.
- Personal liability for directors if “willful blindness” to identity risk is proven.
- Market impact: public companies see an average 2-3% market-cap dip after disclosing credential-based breaches.
Boardroom Reality Check
- How many privileged accounts still allow password-only sign-in?
- Do session tokens expire or re-bind when a role changes?
- Who receives an alert if an attacker enrolls a new MFA device tonight?
- When was your last enterprise-wide purge of stale passwords and session cookies?
Next up: Single Sign-On blind spots - why “we have SSO” rarely equals “we’re secure,” and how to find the gaps attackers love.
Single Sign-On: The 35% Illusion
Single Sign-On (SSO) sounds like a silver bullet: log in once to an Identity Provider (IdP) and glide into every work app. In practice, most companies still juggle dozens of passwords because SSO touches only a fraction of their estate.
Reality check
- A typical organization now runs 112 SaaS apps - up from 80 in 2020.
- Yet just 35% of corporate apps are fully onboarded to SSO, leaving almost two-thirds of doors unguarded.
- Another JumpCloud survey shows only 35% of firms have any app fully covered, 52% have partial coverage and 13% use no SSO at all.
When leaders hear “we rolled out SSO,” they picture one vault door. Attackers see 65 unlocked side entrances.
How attackers route around SSO
1. Shadow & Long-Tail SaaS
Product teams spin up niche tools - AI prompt libraries, regional HR portals, design prototypes - before IT can federate them. These unmanaged apps often hold customer data or API keys.
2. Session-token hijacking
Stolen browser cookies or JSON Web Tokens (JWTs) bypass every login screen, including the IdP. In Slack’s 2022 incident, hijacked employee tokens let intruders clone private code without ever touching a password.
3. IdP token forgery
China-linked group Storm-0558 stole a Microsoft signing key and forged Outlook tokens for US government inboxes - sidestepping both SSO and MFA.
Why coverage stalls
- The “SSO Tax.” Many SaaS vendors gate SSO behind their top-tier plans: HubSpot’s SSO tier costs 7 828% more than basic seats.
- Legacy & custom apps. Older ERPs or home-grown tools lack SAML/OIDC support, forcing parallel password databases.
- Integration debt. Each app insists on its own claims mapping and certificate rotation. Small IT teams drown in one-off configs.
- Complacency metrics. Dashboards show “M365 protected,” masking the vast SaaS sprawl beyond core suites.
Architecture drill-down (why tokens matter)
Key term - Service Provider (SP): the target app that accepts an IdP-issued token (often SAML or OIDC) instead of a local password.
- IdP-initiated flow. User authenticates to the IdP, which issues a time-bound SAML assertion or OIDC ID token.
- SP-initiated flow. The app redirects the user to the IdP and expects a new token on return.
- Blind spot. After first login, a browser stores a session cookie or refresh token. Those cookies or tokens can live for hours - sometimes days. Steal that artifact and you inherit the session without re-authenticating or triggering conditional access.
Unless tokens are device-bound, short-lived, and inspected for anomalies, SSO can be silently bypassed.
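The blind spot above (and the earlier “why a stolen cookie beats two-factor” section) comes down to one thing: after issuance, nothing checks who is presenting the session artifact. The following is an added detection example, not code from the original article or from any IdP; the log format, field names and the 8-hour lifetime policy are assumptions. It binds each session ID to the IP and user agent seen at first use and flags later use from a different client fingerprint or past the lifetime cap.

```python
"""Detect replay of a stolen session cookie from IdP activity logs.

Added illustration; the log format, field names and thresholds are
assumptions, not any vendor's schema. A session is bound to the IP and
user agent seen at issuance; later use of the same session ID from a
different client fingerprint is flagged, as is use past max lifetime."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy: rotate sessions every 8 h

@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str

def parse(line: str) -> Event:
    # constructed format: "ISO-time user session_id ip user_agent"
    ts, user, sid, ip, ua = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), user, sid, ip, ua)

def find_replays(lines):
    """Return (session_id, reason, event) tuples for suspicious session reuse."""
    issued = {}      # session_id -> first event that presented it
    findings = []
    for ev in map(parse, lines):
        first = issued.setdefault(ev.session_id, ev)
        if first is ev:
            continue   # first sighting defines the legitimate fingerprint
        if (ev.ip, ev.user_agent) != (first.ip, first.user_agent):
            findings.append((ev.session_id, "new client fingerprint", ev))
        if ev.ts - first.ts > MAX_SESSION_AGE:
            findings.append((ev.session_id, "session past max lifetime", ev))
    return findings

# constructed sample: sess-A is normal use; sess-B is replayed from a headless browser
SAMPLE_LOG = [
    "2024-10-12T02:50:00 vp.finance sess-A 203.0.113.10 Chrome/129",
    "2024-10-12T02:55:00 vp.finance sess-A 203.0.113.10 Chrome/129",
    "2024-10-11T18:00:00 vp.finance sess-B 203.0.113.10 Chrome/129",
    "2024-10-12T03:07:00 vp.finance sess-B 198.51.100.7 HeadlessChrome/129",
]

if __name__ == "__main__":
    for sid, reason, ev in find_replays(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} {sid}: {reason} from {ev.ip} ({ev.user_agent})")
```

In production the fingerprint would come from the IdP’s own device-binding signal rather than raw IP and user agent, but the logic is the same: a session artifact that changes hands should not remain valid.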
Five-minute self-check:
- Export your IdP’s app inventory.
- Mark anything in “password-vault” mode or missing outright.
- Overlay that list onto your top-20 revenue-critical systems.
- Highlight the unfederated apps in red - those are today’s identity blind spots.
Executive takeaway
SSO remains foundational, but the badge on the front door protects only the rooms you bothered to wire. Until coverage climbs past 90% and tokens are hardened - device-bound, short-lived, and monitored - attackers will keep slipping through the 35 percent illusion.
Next, we’ll examine how MFA fatigue turns your second factor into an attacker’s first opportunity.
Push or Panic: When MFA Turns on You
1 a.m., 17 September 2023. An Uber contractor’s phone begins vibrating every few seconds: “Approve sign-in?” Thirty-seven push notifications later the weary target taps Yes - and hands the Lapsus$ gang the keys to Uber’s Slack, AWS, and finance tools. The attacker never cracked a password; they simply weaponized multi-factor authentication (MFA) push prompts.
MFA fatigue (aka push bombing): an attack in which adversaries trigger a rapid stream of MFA approvals, trusting that a distracted or exhausted user will eventually tap Allow.
The scale of the problem
- 382 000 MFA-fatigue attacks recorded by Microsoft in 2022.
- 40 942 attacks in a single month (August 2022) - the highest spike on record.
- 40% year-over-year growth in 2024 for attacks that exploit MFA weaknesses.
- Only 38% of active Microsoft Entra ID accounts use any form of MFA.
- 91% of organizations suffered at least one identity-based attack in 2024.
Identity defences may be improving, but attackers are moving faster - and they are aiming at the human link in the chain.
Why push prompts are easy to subvert
- Always-on convenience. Push-based MFA trains staff to approve without thinking; the same habit makes them vulnerable to spamming.
- No context, no clue. Vanilla push alerts show only “Sign-in request”. Users lack device, location, or app details to spot fraud.
- After-hours timing. Most prompt-bombing bursts arrive between midnight and 5 a.m., when vigilance is lowest.
- Social engineering follow-up. Attackers often call or message the victim posing as IT, urging them to “clear a stuck login.”
Stronger factors and their trade-offs
- Push + number matching: requires the user to type a code displayed on their screen into the authenticator. Microsoft enforced this tenant-wide in 2023 to blunt MFA fatigue. Friction: adds a few seconds to each login.
- Time-based one-time passwords (TOTP): codes change every 30 seconds; resistant to spam but phishable if entered into a fake site.
- FIDO2 / Passkeys: hardware key or device-bound credential signed locally - immune to push bombing and phishing. Consumer awareness reached 74% in 2025, with 69% enabling passkeys on at least one account. Friction: device availability, rollout planning.
Board-level questions
- What percentage of our MFA prompts today are simple “Approve/Decline” pushes?
- Have we set a rate limit on push attempts (e.g., lock after five failures in 5 minutes)?
- Do we log and alert on out-of-band MFA enrolments?
- Which critical roles still rely on SMS codes or basic pushes instead of passkeys or hardware tokens?
Quick hardening plan
- Turn on number matching for every push-notification MFA method.
- Enable system-preferred MFA so users are guided to the strongest factor they’ve registered.
- Set a push-rate limit (e.g., five prompts per hour) and auto-block the account on excess attempts.
- Require phishing-resistant factors (FIDO2 keys or passkeys) for finance, IT, and executive roles.
- Send a 60-second micro-training video to all staff explaining how to spot and report prompt bombing.
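The push-rate limit in the plan above is easy to reason about in code. Here is an added example, not a vendor feature or code from the original article; the five-prompts-per-hour limit and the midnight-to-5 a.m. after-hours window are taken from this section, everything else (class and field names, the sample events) is assumed or constructed.

```python
"""Rate-limit MFA push prompts to blunt push bombing.

Added example, not any vendor's feature. Policy numbers come from the
hardening plan above: more than five prompts for one user within an hour
triggers an auto-block; prompts between 00:00 and 05:00 are tagged
after-hours because that is when bursts typically land."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_LIMIT = 5                  # prompts allowed per user per window
WINDOW = timedelta(hours=1)
AFTER_HOURS = range(0, 5)       # 00:00-04:59 local time

class PushGuard:
    def __init__(self, limit=PUSH_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # user -> timestamps of recent pushes
        self.blocked = set()

    def observe(self, user: str, ts: datetime) -> str:
        """Record one push prompt; return 'deliver', 'after-hours' or 'blocked'."""
        if user in self.blocked:
            return "blocked"
        q = self.recent[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop prompts outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(user)              # auto-block: stop delivering pushes
            return "blocked"
        return "after-hours" if ts.hour in AFTER_HOURS else "deliver"

# constructed sample: 37 prompts ten seconds apart at 1 a.m., plus two normal logins
START = datetime(2023, 9, 17, 1, 0)
BOMB = [("contractor", START + timedelta(seconds=10 * i)) for i in range(37)]
NORMAL = [("cfo", datetime(2023, 9, 17, 9, 0)), ("cfo", datetime(2023, 9, 17, 14, 30))]

def run(events):
    """Feed events through one guard and return the decision for each prompt."""
    guard = PushGuard()
    return [guard.observe(u, t) for u, t in events]

if __name__ == "__main__":
    results = run(BOMB + NORMAL)
    print(f"bomb: {results[:37].count('blocked')} of 37 prompts suppressed")
```

The after-hours tag is the hook for the alerting question in the board list: a burst that is both after-hours and over the limit is the signature this section describes.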
Next: the Executive IAM Scorecard - five metrics to benchmark your identity posture and a three-minute Monday-morning checklist.
Executive IAM Scorecard
Why Identity Deserves Board-Grade Metrics
Most risk dashboards still focus on patch counts and phishing clicks. Yet, per Verizon DBIR, 88% of today’s web-app breaches start with a stolen credential. Directors need a way to see, at a glance, whether that identity risk surface is getting smaller or bigger. The Executive IAM Scorecard translates technical controls into five numbers every board understands: coverage, hygiene, speed.
Scorecard rule of thumb: three “green” metrics = acceptable risk; one “red” metric = incident waiting to happen.
The Five Board KPIs
KPI | What it really asks | Suggested Target | Current Reality | Red Flag |
---|---|---|---|---|
SSO Coverage % | How many business-critical apps force users through our Identity Provider (IdP) instead of a local password? | ≥ 80% | Only 35% of apps are onboarded to SSO, leaving the rest in local passwords | < 40% |
Phishing-Resistant MFA Coverage % | How many workforce identities authenticate with FIDO2 passkeys or smartcards (not just SMS or push)? | ≥ 70% | Overall MFA usage in Microsoft Entra tenants hovers at ~37% today | < 25% |
Privilege Aging | Median days since the last access-review on admin & service accounts. | ≤ 90 days (quarterly) | Annual reviews are still common, pushing the median toward 365 days | > 180 days |
Credential Hygiene | Share of employee accounts that are fully password-less (passkeys / FIDO2). | ≥ 40% | 87% of enterprises are rolling out passkeys, but user-level deployment is typically < 15% so far | < 10% |
Revocation Latency | Average time from HR departure notice to complete de-provisioning (all tokens, API keys, SaaS seats). | < 2 hours | Manual off-boarding still takes ≈ 5 hours per user in many firms | > 24 hours |
Key terms (cont):
- Phishing-resistant MFA - methods (e.g., FIDO2, passkeys, smartcards) immune to link-based credential theft.
- Privilege aging - elapsed time since an entitlement was last re-attested by its owner.
- Revocation latency - end-to-end delay between HR’s separation event and the IdP’s “account disabled” state.
A client I consulted for cut their revocation latency to 45 minutes after integrating their HR system with their IdP.
How to Capture Each Metric Quickly
- Pull IdP exports, focusing on authentication methods (MFA etc.) per user and configured SSO app integrations (the app list was already gathered in the five-minute self-check above).
- Run a quick query to find admin accounts more than 90 days past their last access review.
- Calculate revocation latency: the delta between the time HR’s notice was received and the time the account was disabled, averaged over the last 10 departures.
Drop the numbers into a simple traffic-light slide - green, yellow, red. You now have an objective identity risk snapshot for the next board meeting.
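The three capture steps above reduce to a short script once the exports are in hand. What follows is an added example, not code from the original article; the export shapes, column names and tenant data are constructed, while the green and red thresholds are the Suggested Target and Red Flag values from the scorecard table.

```python
"""Compute the five Executive IAM Scorecard KPIs from IdP/HR exports.

Added example; export rows are constructed and column names are assumptions.
Thresholds are the Suggested Target (green) and Red Flag (red) values from
the table above; anything in between is yellow."""
from datetime import datetime, timedelta
from statistics import median
PHISH_RESISTANT = {"fido2", "passkey", "smartcard"}
# kpi -> (is_green, is_red), per the scorecard table
RULES = {
    "sso_coverage_pct":     (lambda v: v >= 80, lambda v: v < 40),
    "phish_resistant_pct":  (lambda v: v >= 70, lambda v: v < 25),
    "privilege_aging_days": (lambda v: v <= 90, lambda v: v > 180),
    "passwordless_pct":     (lambda v: v >= 40, lambda v: v < 10),
    "revocation_latency_h": (lambda v: v < 2,   lambda v: v > 24),
}

def light(kpi, value):
    is_green, is_red = RULES[kpi]
    return "green" if is_green(value) else "red" if is_red(value) else "yellow"

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def scorecard(apps, users, admins, departures, today):
    """apps: {app: 'sso'|'vault'|'local'}; users: {user: set of auth methods};
    admins: {account: last access-review date}; departures: [(hr_notice, disabled)]."""
    latencies = [(d - n).total_seconds() / 3600 for n, d in departures[-10:]]  # last 10 leavers
    kpis = {
        "sso_coverage_pct": pct(sum(m == "sso" for m in apps.values()), len(apps)),
        "phish_resistant_pct": pct(sum(bool(m & PHISH_RESISTANT) for m in users.values()), len(users)),
        "privilege_aging_days": median((today - d).days for d in admins.values()),
        "passwordless_pct": pct(sum("password" not in m for m in users.values()), len(users)),
        "revocation_latency_h": round(sum(latencies) / len(latencies), 2) if latencies else 0.0,
    }
    return {k: (v, light(k, v)) for k, v in kpis.items()}
# constructed exports for a small tenant
TODAY = datetime(2025, 1, 15)
APPS = {"m365": "sso", "crm": "sso", "hris": "sso", "erp": "local", "wiki": "vault",
        "design": "vault", "ai-lib": "local", "hr-portal": "local", "ci": "vault", "pay": "vault"}
USERS = {"ann": {"password", "push"}, "bob": {"password", "totp"},
         "cat": {"passkey"}, "dan": {"fido2", "password"}}
ADMINS = {a: TODAY - timedelta(days=d) for a, d in [("root", 30), ("svc-db", 60), ("cloud-admin", 100)]}
DEPARTURES = [(TODAY - timedelta(days=k), TODAY - timedelta(days=k) + timedelta(hours=h))
              for k, h in [(20, 0.5), (10, 1.0), (3, 1.5)]]

if __name__ == "__main__":
    for k, (v, colour) in scorecard(APPS, USERS, ADMINS, DEPARTURES, TODAY).items():
        print(f"{k:22} {v:>7} {colour}")
```

Note that apps in “password-vault” mode count as not covered, matching the self-check earlier in the article.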
3 Key Takeaways
Credential-driven breaches now exceed every other attack path, turning identity into the real perimeter. The numbers are stubborn - 88% of web-app intrusions start with stolen credentials and only a third of business apps sit behind Single Sign-On - but the fixes are concrete and Board-trackable.
- Every stolen cookie is a skeleton key. Malware-lifted session tokens bypass both passwords and MFA, so visibility must shift from network events to identity artifacts.
- Implementing SSO doesn’t equal coverage. If 65% of critical apps still rely on local logins, you have more doors open than closed.
- MFA can be weaponized. Push-bombing proves that human fatigue is easier to hack than cryptography; move fast toward phishing-resistant factors (passkeys, FIDO2).
Commit to one step today, retake the scorecard in 90 days, and watch your new perimeter harden every quarter.