Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[SEP25] Protect your Tokens! FIDO won't help yo...

Avatar for Azure Zurich User Group Azure Zurich User Group PRO
September 09, 2025
Technology
0
3

[SEP25] Protect your Tokens! FIDO won't help you! by Marco Schmidt

https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/310238065/

Session 2: "Protect your Tokens! FIDO won't help you!" by Marco Schmidt
Tokens are the backbone of modern authentication—but they’re also prime targets for attackers. While FIDO protects against phishing, it won’t stop token theft, session hijacking, or replay attacks. In this session, we’ll explore real-world attack techniques targeting tokens in Microsoft Entra ID. More importantly, we’ll dive into practical defenses: Conditional Access, Token Protection, Continuous Access Evaluation (CAE), and monitoring strategies to keep your environment secure. If you think FIDO is enough, think again—your tokens need more protection!

About Marco
Marco Schmidt works as a Security Engineer at GrabX Solutions. He helps customers to fortify their Azure environments and avoid common Cybersecurity pitfalls. He has a talent to get a comprehensive understanding of a customers Cybersecurity posture in no time.

LinkedIn: https://www.linkedin.com/in/marco-schmidt-securityguy/
Blog: https://thesecurityguy.ch/

Avatar for Azure Zurich User Group

Azure Zurich User Group PRO

September 09, 2025
Tweet

More Decks by Azure Zurich User Group

See All by Azure Zurich User Group
[SEP25] In a Galaxy far far away... there's no more Active Directory by Martin Bonelli
Avatar for Azure Zurich User Group azurezurich
PRO
0
5
ABCS25: Platform Engineering for the Digital Age by Romano Roth
Avatar for Azure Zurich User Group azurezurich
PRO
0
68
ABCS25: Level up Your Cost Observability with the new FinOps standard FOCUS and MS Fabric by Alexandre Parès
Avatar for Azure Zurich User Group azurezurich
PRO
0
99
ABCS25: Stay safe! – Mastering Network Security on Azure by Stefan Rapp
Avatar for Azure Zurich User Group azurezurich
PRO
0
47
ABCS25: Full Steam Ahead: Engineering a Modern Data Platform at Rhaetian Railway by Simon Schwab & Lukas Heusser
Avatar for Azure Zurich User Group azurezurich
PRO
0
40
ABCS25: Enhancing Legal Document Analysis with Reflection Agents, Semantic Kernel, and Azure AI Search by Cédric Mendelin
Avatar for Azure Zurich User Group azurezurich
PRO
0
32
ABCS25: True Tales of Cloud Modernisation: From Legacy to Serverless by Adrian Pritchard
Avatar for Azure Zurich User Group azurezurich
PRO
0
54
ABCS25: Make Microsoft Defender XDR Work for You: Mastering Automatic Attack Disruption by Alain Schneider & Michael Rüefli
Avatar for Azure Zurich User Group azurezurich
PRO
0
44
ABCS25: Building a Cloud Centric Network with Azure Virtual WAN by Jake Walsh
Avatar for Azure Zurich User Group azurezurich
PRO
0
33

Other Decks in Technology

See All in Technology
これでもう迷わない!Jetpack Composeの書き方実践ガイド
Avatar for ZOZO Developers zozotech
PRO
0
240
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
Avatar for sh_fk2 sh_fk2
3
190
クラウドセキュリティを支える技術と運用の最前線 / Cutting-edge Technologies and Operations Supporting Cloud Security
Avatar for Yuji Oshima yuj1osm
2
310
「全員プロダクトマネージャー」を実現する、Cursorによる仕様検討の自動運転
Avatar for Michiru Kato applism118
9
3.4k
Obsidian応用活用術
Avatar for 松濤Vimmer onikun94
1
440
Kiroと学ぶコンテキストエンジニアリング
Avatar for Oikon oikon48
6
9.7k
2025年にHCP Vaultを学び直して見えた景色 / Lessons and New Perspectives from Relearning HCP Vault in 2025
Avatar for AEON aeonpeople
0
230
「何となくテストする」を卒業するためにプロダクトが動く仕組みを理解しよう
Avatar for kawabeaver kawabeaver
0
280
Webアプリケーションにオブザーバビリティを実装するRust入門ガイド
Avatar for nwiizo nwiizo
3
680
S3アクセス制御の設計ポイント
Avatar for tommy tommy0124
2
180
Skrub: machine-learning with dataframes
Avatar for Gael Varoquaux gaelvaroquaux
0
120
自作JSエンジンに推しプロポーザルを実装したい!
Avatar for Saji sajikix
1
170

Featured

See All Featured
Visualization
Avatar for Eitan Lees eitanlees
148
16k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
252
21k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.5k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
18
1.1k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.4k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
53
7.8k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
64
7.9k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Docker and Python
Avatar for Tania Allard trallard
45
3.6k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7.1k

Transcript

  1. 1 1 Protect your Tokens! FIDO won’t help you!

  2. 2 2

  3. 3 3 AGENDA 03 How can Tokens be abused? 01

    What can (and can’t) FIDO2 do? 02 How do Tokens in Entra ID work? 04 What can we do to protect Tokens?

  4. 4 4 whoami - Marco Security Engineer @ GrabX Solutions

    Working with customers to protect their cloud environments Bern, Switzerland thesecurityguy.ch

  5. 5 5 What is FIDO2?

  6. 6 6 FIDO2 advantages •Passwordless •Phishing resistance •Ease of use

    •Public-key Authentication based

  7. 7 7 Sign-In Flow User Login Authentication Token Issuance Token

    Usage

  8. 8 8 Tokens – JSON Web Token (JWT) eyJ0eXAiOiJKV1QiLCJub25jZSI6IjFWWVR1RWQ2UHlaYlMyOGdScWVKWDB4dmVQU0JrMVotX0syRnRya1MyZFEiLCJhbGciOiJSUzI1NiIsIng1dCI6IkpZaEFjVFBNWl9MWDZEQmxPV1E3SG4wTmV YRSIsImtpZCI6IkpZaEFjVFBNWl9MWDZEQmxPV1E3SG4wTmVYRSJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy

    53aW5kb3dzLm5ldC9hMmZhOTE1OC02NTY3LTQ5N2MtYTgwNS1mNTNjZmY5OTM3YjMvIiwiaWF0IjoxNzU3MDcyNjcxLCJuYmYiOjE3NTcwNzI2NzEsImV4cCI6MTc1NzA3NzY4MCwiYWNjdCI6M CwiYWNyIjoiMSIsImFjcnMiOlsicDEiLCJ1cm46dXNlcjpyZWdpc3RlcnNlY3VyaXR5aW5mbyJdLCJhaW8iOiJBY1FBTy84WkFBQUF2bS9lelRvK1dKNEUzQ1RhOWQ1SDF5NGg2TlhrQy9BNFJLSGEyWF MyZkZxbUFEMzVodENHUGRVVzdOYTNjTURmK2FEdnBvMURremNYS0IwUHJ4ZzVSaUhveTdkZitrc0lER1k1cmZpWG9YbWJhR25Yd0o0a1BHVmdUdnU5RUtFWkJyeDc0VUs1Z1R3SEdqaUtXMngy OXQwL2Q3NjRXRkxwRDhOK1FUS3JGdWV5Vys0R3RNQkxIV3Z4MFlTMzMrYllRektmV0VSdVBnOVZXNkxWU0Y1a3REc1g2N09DRzk4TGxHZUI4RERCaGQzSG44UGRYc0xzbklvMnVIVWFjNWFqIi wiYW1yIjpbInJzYSIsIm1mYSJdLCJhcHBfZGlzcGxheW5hbWUiOiJHcmFwaCBFeHBsb3JlciIsImFwcGlkIjoiZGU4YmM4YjUtZDlmOS00OGIxLWE4YWQtYjc0OGRhNzI1MDY0IiwiYXBwaWRhY3IiOiIwIiw iY29udHJvbHMiOlsiYXBwX3JlcyJdLCJjb250cm9sc19hdWRzIjpbIjAwMDAwMDAzLTAwMDAtMDAwMC1jMDAwLTAwMDAwMDAwMDAwMCIsIjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAw MDAwMDAwMDAwMCJdLCJkZXZpY2VpZCI6IjcxNDQxMzNmLTcyNjAtNDAzNi1iMTA4LTIwODMxZjgzZTQ0NSIsImZhbWlseV9uYW1lIjoiU2NobWlkdCIsImdpdmVuX25hbWUiOiJNYXJjbyIsImlkdHl wIjoidXNlciIsImlwYWRkciI6IjgzLjc4LjE4OC4xMjAiLCJuYW1lIjoiTWFyY28gU2NobWlkdCIsIm9pZCI6IjhmODlmZjAxLTc2ZTMtNDM5Mi1hMzQ5LWYzNmJhNWMwOTZmNCIsInBsYXRmIjoiNSIsInB1 aWQiOiIxMDAzMjAwMjRDQjNBM0NFIiwicmgiOiIxLkFUQUFXSkg2b21kbGZFbW9CZlU4XzVrM3N3TUFBQUFBQUFBQXdBQUFBQUFBQUFCREFVNHdBQS4iLCJzY3AiOiJDYWxlbmRhcnMuUmVhZ FdyaXRlIENvbnRhY3RzLlJlYWRXcml0ZSBGaWxlcy5SZWFkV3JpdGUuQWxsIEdyb3VwLlJlYWRXcml0ZS5BbGwgTWFpbC5SZWFkV3JpdGUgTm90ZXMuUmVhZFdyaXRlLkFsbCBvcGVuaWQgUGVvc GxlLlJlYWQgcHJvZmlsZSBTaXRlcy5SZWFkV3JpdGUuQWxsIFRhc2tzLlJlYWRXcml0ZSBUZWFtd29ya0FwcFNldHRpbmdzLlJlYWRXcml0ZS5BbGwgVXNlci5SZWFkIFVzZXIuUmVhZEJhc2ljLkFsbCBVc2 VyLlJlYWRXcml0ZSBlbWFpbCIsInNpZCI6IjAwNmYxZDY5LTRjOWQtMTE5YS05OTg4LTdlZTIyYmQ5OGM3NSIsInNpZ25pbl9zdGF0ZSI6WyJkdmNfbW5nZCIsImR2Y19jbXAiLCJrbXNpIl0sInN1YiI6Ilpv eHpfeERVTUlxRzh6bS10Z0ZQWmxUQlFXTHVQVmFjTmw0VmFEc0c4dFUiLCJ0ZW5hbnRfcmVnaW9uX3Njb3BlIjoiRVUiLCJ0aWQiOiJhMmZhOTE1OC02NTY3LTQ5N2MtYTgwNS1mNTNjZmY5OT M3YjMiLCJ1bmlxdWVfbmFtZSI6Im1hcmNvLnNjaG1pZHRAZ3JhYnguY2giLCJ1cG4iOiJtYXJjby5zY2htaWR0QGdyYWJ4LmNoIiwidXRpIjoib085RVVPT2pkMEc1REFQX3I2SWpBUSIsInZlciI6IjEuMCIsI ndpZHMiOlsiYjc5ZmJmNGQtM2VmOS00Njg5LTgxNDMtNzZiMTk0ZTg1NTA5Il0sInhtc19jYyI6WyJDUDEiXSwieG1zX2Z0ZCI6Im16OWMxSkhZU3RmNVlMQ2FZWmxUS0Q5T29adzhVall6OVoxS3g5 bjE4R1FCYzNkbFpHVnVZeTFrYzIxeiIsInhtc19pZHJlbCI6IjEgOCIsInhtc19zdCI6eyJzdWIiOiIzckMtdUhtcDFYM1dlVXZuRDV3WDVPQ0pvQXVrdU9icHhvV1ZnNW9jZlhBIn0sInhtc190Y2R0IjoxNTM3O DEzNDQ0LCJ4bXNfdGRiciI6IkVVIn0.RTId1Dwczr-4ot6LzX9DzeOrRJJN13lNvOMQsP5roTNEfg9d6Zng7SfwLV5LJTu06Spyd-aYf65UmH6HgtJsC_E0_0xvknCh-WErW- HvO1FMkyNvDI8p0s4jPAo4fi1gNddLriPC-Pt-cm8no6z6xq5aXibgF8s4L0bRAhHt7akeVyNMHup-ZJgllR4Fe7xNDREjVW3Z8pXT30be3gLDut0Xu3OTk2U48s6MSpyNvHc0MfH- Q9EwTiiRmi4EwIkd81haixv9X8c4tAK9dYNXKCjhuK5yURVKYrnOhQZsui-il-aO48QH1Axez37Ok2uF3LDIFBzNox6i7j0zRSryow

  9. 9 9 Token Terminology •Primary Refresh Token (PRT) •Refresh Token

    (RT) •Access Token (AT) •Entra ID Continuous Access Evaluation (CAE) •Entra ID Token Protection

  10. 10 10

  11. 11 11 The Rules 1. Tickets always have to be

    signed by the counter to be valid 2. Each Ticket has a Lifetime 3. To enter a tent, you need a separate ticket 4. No communication between counter and Security

  12. 12 12 OIDC Authentication Flow

  13. 13 13

  14. 14 14 Token Lifetimes Token Type Lifetime Comment Primary Refresh

    Token 14 days Refresh Tokens 90 days There is also a special type called “Familiy Refresh Tokens” which is not documented by MS Access Tokens 1 hour Access Tokens (CAE) 24 hours Access Tokens that are issued to CAE compatible Apps

  15. 15 15 CA Policies PRT https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

  16. 16 16

  17. 17 17 How do attackers get my tokens?

  18. 18 18 AiTM Attack

  19. 19 19 DEMO TIME!

  20. 20 20 AiTM Attack with FIDO2

  21. 21 21

  22. 22 22

  23. 23 23 What can I do?

  24. 24 24 What can I do?

  25. 25 25 Token Theft by Malware

  26. 26 26 Continuous Access Evaluation

  27. 27 27

  28. 28 28 Continuous Access Evaluation

  29. 29 29 Continuous Access Evaluation

  30. 30 30 Continuous Access Evaluation Benefits / Downsides •Benefits •Longer

    living Access Tokens (24h instead of 1h) •(Nearly) instant token revocation •Downsides •Limited compatibility -> Application has to support it

  31. 31 31

  32. 32 32 Continuous Access Evaluation Critical Events •User Account is

    deleted or disabled •Password for a user is changed or reset •Multifactor authentication is enabled for the user •Administrator explicitly revokes all refresh tokens for a user •High user risk is detected by Entra ID Protection

  33. 33 33 Entra ID Token Protection •Cryptographically bind tokens to

    enrolled or registered devices •Token can only be used by device that it was issued for •Prevents Token Theft

  34. 34 34

  35. 35 35 Entra ID Token Protection

  36. 36 36 Entra ID Token Protection Limitations

  37. 37 37 Entra ID Token Protection

  38. 38 38 Conclusion •Some things are being automatically done for

    us •We have to close the gaps that are still open •Use FIDO2 Authentication •Make sure no weak MFA can be used •Create CA Policy to require MFA for security info registration •Check if CAE is used -> if not, try to find out why •Use Entra ID Token Protection where possible

  39. 39 39 thesecurityguy.ch Marco Schmidt Description Link FIDO2 https://fidoalliance.org/passkeys/ Entra

    Token Protection https://learn.microsoft.com/en- us/entra/identity/conditional-access/concept-token- protection Continuous Access Evaluation (CAE) https://learn.microsoft.com/en- us/entra/identity/conditional-access/concept-continuous- access-evaluation FOCI (Familiy Refresh Tokens) Research https://github.com/secureworks/family-of-client-ids- research Area41: Phishing The Resistant: Phishing For Primary Refresh Tokens In Microsoft Entra https://www.youtube.com/watch?v=tNh_sYkmurI DEFCON33: Turning Microsoft's Login Page into our Phishing Infrastructure https://www.youtube.com/watch?v=z6GJqrkL0S0