Reducing Usefulness of Stolen Credentials in SSO Contexts
Sam Hays, Michael Sandborn, Jules White
TL;DR
This work addresses credential-based breaches of globally accessible SSO environments by introducing TULIP, a per-device enrollment framework. Enrollment yields a signed JWT that enables rendering of the login page, and subsequent login attempts require a valid, non-revoked token tied to an enrolled device, thereby neutralizing stolen credentials in MFA bombing scenarios. Key contributions include a lightweight enrollment endpoint, robust token validation and revocation through a versioning mechanism, an opaque user identifier for secure backend lookups, and explicit per-user device limits to prevent rogue enrollments. The approach aims to raise attacker effort and misconfiguration risk while preserving usability for legitimate users, and it offers a flexible extension path toward hardware-backed trust and policy-driven enrollment controls.
Abstract
Approximately 61% of cyber attacks involve adversaries in possession of valid credentials. Attackers acquire credentials through various means, including phishing, dark web data drops, password reuse, etc. Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step-up requests through techniques such as "MFA Bombing", where multiple requests are sent to a user until they accept one. Currently, there are several solutions to this problem, each with varying levels of security and increasing invasiveness on user devices. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management, but still offers strong protection against the use of stolen credentials and MFA attacks.
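As an added illustration of the enrollment gate summarized above (this is not the authors' code; TULIP's real token format, claim names, storage layout and revocation scheme are assumptions here), a minimal server-side model: enrollment issues an HMAC-signed JWT carrying an opaque subject id, a device id and a per-user enrollment version; the login page is rendered only for a correctly signed token whose version is current and whose device is still enrolled; bumping the version revokes every outstanding token, and a per-user device cap refuses extra enrollments.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass, field
SIGNING_KEY = b"example-hmac-key-not-for-production"   # constructed; load from config in practice
MAX_DEVICES_PER_USER = 2                                 # constructed policy value

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class UserRecord:
    version: int = 1                       # bumped to revoke every outstanding token at once
    devices: set = field(default_factory=set)

OPAQUE_IDS = {}   # username -> random opaque id carried in tokens (assumed design)
USERS = {}        # opaque id -> UserRecord; backend lookups never key on the username
def _record(username):
    oid = OPAQUE_IDS.setdefault(username, secrets.token_urlsafe(16))
    return oid, USERS.setdefault(oid, UserRecord())

def enroll(username, device_id):
    """Enrollment endpoint: sign a JWT bound to this device, or refuse once the cap is hit."""
    oid, rec = _record(username)
    if device_id not in rec.devices and len(rec.devices) >= MAX_DEVICES_PER_USER:
        return None                        # extra (possibly rogue) enrollment is refused
    rec.devices.add(device_id)
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": oid, "dev": device_id, "ver": rec.version}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def may_render_login(token):
    """Serve the login page only for a validly signed, current token tied to an enrolled device."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False                   # forged or tampered token
        claims = json.loads(_unb64(payload))
        rec = USERS.get(claims["sub"])
    except (ValueError, TypeError, KeyError):
        return False                       # malformed token
    return rec is not None and claims.get("ver") == rec.version and claims.get("dev") in rec.devices

def revoke_all(username):
    """Bump the enrollment version so every token issued earlier stops validating."""
    rec = _record(username)[1]
    rec.version += 1
    rec.devices.clear()
```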
