What happens when your identity provider becomes the kill chain
In this Help Net Security video, Colin Constable, CTO at Atsign, explains why your identity provider (IdP) has become the kill chain in cyberattacks. Attackers steal session cookies, tokens, or consent grants the user has already issued and walk in behind them.
Constable breaks down how passwords, session cookies, and OAuth grants all rely on shared secrets between browser and server. Even with TLS encryption, intermediaries such as CDNs, load balancers, and WAFs terminate the TLS connection and therefore see these credentials in the clear. Multi-factor authentication doesn't solve the problem, since attackers simply wait for the user to authenticate and then lift the resulting cookie afterward, through phishing or device compromise.
He reviews proposed fixes such as IP pinning, mutual TLS, token binding, and Google's TPM-based approach, noting that each has limits. Constable argues the industry must rethink the web architecture itself, since a shared secret that is distributed across browsers, servers, and intermediaries will always be stolen and replayed.
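To make the distinction concrete, the following is an added example (not code from the video, from Atsign, or from Help Net Security) that contrasts a plain bearer session cookie with a session bound to a key that never leaves the device. It is a constructed toy: an HMAC over the request method, URL, a single-use nonce and a timestamp stands in for the asymmetric proof-of-possession that token binding or DPoP would use, and the `Server`, `build_request` and `demo` names are this example's own. A copy of a bearer request, as an intermediary would see it, is accepted again; a copy of a bound request is rejected because the nonce has been spent, and the cookie alone, or the cookie with a proof from a different key, is rejected as well.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed stand-in for proof-of-possession: the per-device key is generated
# on the device and is never transmitted; only the per-request proof goes on the
# wire alongside the cookie. A real deployment would use an asymmetric key pair.


def sign_proof(device_key: bytes, method: str, url: str, nonce: str, ts: int) -> str:
    """Proof over the request context; replaying it elsewhere or later fails."""
    msg = f"{method}\n{url}\n{nonce}\n{ts}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Server:
    """Minimal session store holding bearer sessions and device-bound sessions."""

    PROOF_MAX_AGE = 60  # seconds a proof stays valid

    def __init__(self) -> None:
        self.sessions: dict[str, bytes | None] = {}  # session id -> bound key or None
        self.seen_nonces: set[str] = set()           # spent nonces, for replay detection

    def login(self, device_key: bytes | None = None) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = device_key
        return sid

    def handle(self, request: dict, now: int | None = None) -> str:
        sid = request.get("cookie")
        if sid not in self.sessions:
            return "denied: unknown session"
        key = self.sessions[sid]
        if key is None:
            # Bearer cookie: possession is the whole proof, so any copy is as good as the original.
            return "ok (bearer)"
        proof = request.get("proof")
        if not proof:
            return "denied: bound session without proof"
        now = int(time.time()) if now is None else now
        if abs(now - proof["ts"]) > self.PROOF_MAX_AGE:
            return "denied: stale proof"
        if proof["nonce"] in self.seen_nonces:
            return "denied: replayed proof"
        expected = sign_proof(key, request["method"], request["url"], proof["nonce"], proof["ts"])
        if not hmac.compare_digest(expected, proof["sig"]):
            return "denied: proof does not match bound key"
        self.seen_nonces.add(proof["nonce"])
        return "ok (bound)"


def build_request(sid: str, method: str, url: str,
                  device_key: bytes | None = None, ts: int | None = None) -> dict:
    """Client side: attach the cookie, and a fresh proof if the session is bound."""
    req = {"cookie": sid, "method": method, "url": url}
    if device_key is not None:
        ts = int(time.time()) if ts is None else ts
        nonce = secrets.token_hex(8)
        req["proof"] = {"nonce": nonce, "ts": ts,
                        "sig": sign_proof(device_key, method, url, nonce, ts)}
    return req


def demo() -> dict[str, str]:
    server = Server()
    results: dict[str, str] = {}

    # 1. Bearer session: the original request and a captured copy both succeed.
    sid = server.login()
    req = build_request(sid, "GET", "/account")
    results["bearer_first"] = server.handle(req)
    results["bearer_replay"] = server.handle(dict(req))  # copy seen in transit, resubmitted

    # 2. Bound session: the copy, the bare cookie and a foreign-key proof all fail.
    device_key = secrets.token_bytes(32)
    sid = server.login(device_key)
    req = build_request(sid, "GET", "/account", device_key)
    results["bound_first"] = server.handle(req)
    results["bound_replay"] = server.handle(dict(req))
    results["bound_cookie_only"] = server.handle({k: v for k, v in req.items() if k != "proof"})
    results["bound_wrong_key"] = server.handle(
        build_request(sid, "GET", "/account", secrets.token_bytes(32)))
    results["bound_fresh"] = server.handle(build_request(sid, "GET", "/account", device_key))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The nonce set and timestamp window are what turn a captured request into a detectable event rather than a silent replay; in production the nonce store would need expiry and sharing across server instances, and the bound key would live in a TPM, secure enclave or similar hardware-backed store.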

Download: 2026 SANS Identity Threats & Defenses Survey