Like the meanest bully at the arcade, threat actors are stealing tokens and taking big prizes.
Web tokens, in the authentication world, act as identifiers. A server sends an authentication badge that is then temporarily stored by the client to keep sessions going without an additional login.
The authentication token—a kind of digital stamp-at-the-club to quickly show the bouncer that you already had your ID checked—has been a target of today’s adversaries looking to get around defenses like multi-factor authentication (MFA).
“Attackers are now shifting into focusing on actually stealing the session tokens and so subverting the whole MFA process and getting directly into legitimate sessions that open up access for them,” Geoff Cairns, principal analyst at Forrester, said. But enterprise-IAM vendors are starting to “clamp down” and increasingly implement proof-of-possession checks that bind a session token to a user’s device.
Today’s cloud giants, including Google and Microsoft, have added device-bound features to help keep sessions honest.
What’s auth, doc? Token theft often begins with a phishing email that leads a target to a counterfeit sign-in screen; a target then unwittingly shares credentials and completes an MFA prompt for the malicious hacker. A type of malware known as an infostealer provides a way for attackers to harvest session tokens, which an attacker can import into a browser.
Verizon’s 2025 Data Breach Investigations Report found that token theft caused 31% of breaches that target Microsoft 365 instances. A midyear report from cyberthreat intel provider KELA claimed more than 2.67 million global machines were infected by infostealer malware in the first half of 2025, resulting in over 204 million compromised credentials.
You Okta know. In November 2023, identity company Okta shared that a threat actor gained access to a customer-support system and its HTTP Archive files, which contained session tokens that could in turn be used for session-hijacking attacks.
Okta, just months earlier, announced support for “Demonstrating Proof-of-Possession,” or DPoP. Proof of possession refers to a security mechanism that ensures a client sending a request to a resource server has a specific, identity-proving cryptographic key. Though storing keys in unexportable, DPoP-able formats is not a one-click fix (the company reviews steps here), Okta customers can cryptographically bind an access token to the specific client requesting it.
Other vendor auther-ings. On July 29, Google announced a beta version of Device Bound Session Credentials. The feature, available in the Chrome browser on Windows, ties a session cookie to an authenticating user’s device. The machine must have a Trusted Platform Module (TPM), standard for most devices running Windows 11 (upgrade now!), to securely store and process cryptographic data.
“Most infostealer software can steal any data on the file system, any data in the memory, but increasingly, more and more Windows PCs have a secure memory,” Andy Wen, senior director of product at Google Workspace Security, told IT Brew. “The token stays on the device, rather than getting sent off.”
Microsoft released Token Protection in its Microsoft Entra Conditional Access feature on August 21. When a user registers a Windows 10 or later device with Microsoft Entra, a token is issued and cryptographically bound to that device, facilitating access to services like Exchange, SharePoint and Teams.
As long as malware continues to use tokens on the device, the primary defense, according to Eric Sachs, corporate VP of Microsoft’s identity and network access division, is still client-side and server-side malware detection. A feature like Entra Conditional Access and the Entra Identity Protection anomalous token feature—which determines when a token is used from an unexpected network location—aims to make it tougher for malware to use a token from another device.
“Neither of those features is meant to prevent malware from infecting a device, nor meant to prevent malware from continuing to use valid tokens on the device. They serve as additional defense in depth against malware,” Sachs wrote to IT Brew in an email.
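The anomalous-token check Sachs describes, a token presented from a network other than the one it was issued to, is simple to express as a detection rule. The following is an added illustration, not Microsoft's Entra implementation: it replays a few constructed identity-provider log lines (the field names, the `issued`/`used` event types and the documentation-range ASNs are all assumptions made for this example), remembers the network each token was minted for, and alerts once per token and new network, including for a token whose issuance was never logged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tokenEvent is one line of a constructed, simplified identity-provider log: a token is
// either issued (at sign-in, after MFA) or used (presented to a service). Real logs carry
// many more fields; the client network's ASN is the one this check relies on.
type tokenEvent struct {
	Time    string `json:"time"`
	Event   string `json:"event"` // "issued" or "used"
	TokenID string `json:"token_id"`
	User    string `json:"user"`
	ASN     string `json:"asn"`
}

// sampleLog is constructed test data (documentation-range ASNs, fictitious users).
const sampleLog = `
{"time":"2025-09-01T08:00:00Z","event":"issued","token_id":"tok-1","user":"alice","asn":"AS64496"}
{"time":"2025-09-01T08:05:00Z","event":"used","token_id":"tok-1","user":"alice","asn":"AS64496"}
{"time":"2025-09-01T09:30:00Z","event":"used","token_id":"tok-1","user":"alice","asn":"AS64500"}
{"time":"2025-09-01T09:31:00Z","event":"used","token_id":"tok-1","user":"alice","asn":"AS64500"}
{"time":"2025-09-01T10:00:00Z","event":"issued","token_id":"tok-2","user":"bob","asn":"AS64496"}
{"time":"2025-09-01T10:10:00Z","event":"used","token_id":"tok-2","user":"bob","asn":"AS64496"}
{"time":"2025-09-01T11:00:00Z","event":"used","token_id":"tok-9","user":"carol","asn":"AS64511"}
`

// alert describes a token presented from a network other than the one it was issued to.
type alert struct {
	Time, TokenID, User, IssuedASN, UsedASN string
}

// detectAnomalousTokenUse replays the log in order, remembers the network each token was
// issued to, and raises one alert per token and new network. A token that is used but was
// never seen issued is reported too (IssuedASN empty), since its origin is unknown.
func detectAnomalousTokenUse(logText string) ([]alert, error) {
	issuedFrom := map[string]tokenEvent{}
	reported := map[string]bool{} // token_id + ASN pairs already alerted on
	var alerts []alert
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		var ev tokenEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		switch ev.Event {
		case "issued":
			issuedFrom[ev.TokenID] = ev
		case "used":
			origin, known := issuedFrom[ev.TokenID]
			if known && origin.ASN == ev.ASN {
				continue // same network the token was issued to: expected
			}
			key := ev.TokenID + "|" + ev.ASN
			if reported[key] {
				continue // already alerted on this token from this network
			}
			reported[key] = true
			alerts = append(alerts, alert{Time: ev.Time, TokenID: ev.TokenID, User: ev.User,
				IssuedASN: origin.ASN, UsedASN: ev.ASN})
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := detectAnomalousTokenUse(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s token %s (%s) used from %s, issued from %q\n", a.Time, a.TokenID, a.User, a.UsedASN, a.IssuedASN)
	}
}
```

On the sample data this yields two alerts: `tok-1` used from AS64500 after being issued from AS64496 (the second use from that network is suppressed), and `tok-9`, for which no issuance was logged. A production rule would key on more than the ASN (device identifier, geography, IP reputation) and would tolerate legitimate network changes such as a laptop moving between office and home, which is exactly why Sachs frames it as defense in depth rather than prevention.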
The broad concept of proof of possession provides assurance that the client presenting the session token also possesses the private key used in the token binding. However, that safeguard requires protection of the private key and cryptographic operations, which creates specific hardware and software dependencies and requirements.
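The binding that Okta's DPoP support and this paragraph describe can be shown end to end with the check a resource server performs under RFC 9449. The code below is an added example written for this article, not Okta's, Google's or Microsoft's code, and it generalizes to the DPoP mechanism rather than any one product: the client holds a P-256 key, the authorization server has recorded the key's RFC 7638 thumbprint in the token's `cnf.jkt` claim, and every request carries a proof signed with that key. The token value and URI are constructed, the proof is modelled as a Go struct rather than the compact JWS a real DPoP header carries, and the `jti` replay identifier is omitted to keep the block short; the thumbprint, signature, request-scope and freshness checks are the real ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding
func b64sha(b []byte) string { h := sha256.Sum256(b); return b64.EncodeToString(h[:]) }

// publicJWK is the client's P-256 public key in JWK form, as the DPoP proof header carries it.
type publicJWK struct{ Kty, Crv, X, Y string }

func toJWK(pub *ecdsa.PublicKey) publicJWK {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return publicJWK{"EC", "P-256", b64.EncodeToString(x), b64.EncodeToString(y)}
}

// thumbprint is the RFC 7638 JWK thumbprint (SHA-256 of the required members, sorted, no whitespace).
// The authorization server places it in the access token's cnf.jkt claim at issuance: that is the binding.
func thumbprint(k publicJWK) string {
	return b64sha([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y)))
}

// proof holds the contents of a DPoP proof JWT (RFC 9449 serializes it as a compact JWS with a jti
// replay id, omitted here): htm/htu name the request, ath hashes the token, iat is the issue time.
type proof struct {
	JWK           publicJWK
	HTM, HTU, ATH string
	IAT           int64
	Sig           []byte `json:"-"` // ES256 signature; excluded from the signing input
}

func (p proof) signingInput() []byte { b, _ := json.Marshal(p); return b }

// makeProof signs a proof with the client's private key, which never leaves the device
// (a TPM or similar unexportable store in real deployments).
func makeProof(priv *ecdsa.PrivateKey, method, uri, token string, now time.Time) (proof, error) {
	p := proof{JWK: toJWK(&priv.PublicKey), HTM: method, HTU: uri, ATH: b64sha([]byte(token)), IAT: now.Unix()}
	digest := sha256.Sum256(p.signingInput())
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return proof{}, err
	}
	p.Sig = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // r || s, as JWS ES256 does
	return p, nil
}

// verify is the resource server's check: the request is accepted only if the proof is signed by the
// key the token is bound to (tokenJKT is the cnf.jkt claim of an already-validated token) and
// covers exactly this request and token, recently.
func verify(token, tokenJKT string, p proof, method, uri string, now time.Time) error {
	// 1. Binding: the key presented must be the key the token was issued to.
	if thumbprint(p.JWK) != tokenJKT {
		return fmt.Errorf("proof key does not match token binding")
	}
	// 2. Possession: the signature must verify under that public key.
	x, _ := b64.DecodeString(p.JWK.X)
	y, _ := b64.DecodeString(p.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256(p.signingInput())
	if len(p.Sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(p.Sig[:32]), new(big.Int).SetBytes(p.Sig[32:])) {
		return fmt.Errorf("bad signature")
	}
	// 3. Scope and freshness: this method, this URI, this token, issued recently.
	if p.HTM != method || p.HTU != uri || p.ATH != b64sha([]byte(token)) || now.Unix()-p.IAT > 300 {
		return fmt.Errorf("proof does not cover this request or is stale")
	}
	return nil
}

// scenario is a constructed exchange: a legitimate request, the same proof reused for a different
// request, and the copied token presented with a different key (the infostealer case: token stolen, key not).
func scenario() (legit, wrongRequest, stolen error) {
	const uri = "https://api.example/resource"
	now := time.Now()
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, jkt := "constructed-opaque-access-token", thumbprint(toJWK(&clientKey.PublicKey))
	p, _ := makeProof(clientKey, "GET", uri, token, now)
	legit = verify(token, jkt, p, "GET", uri, now)
	wrongRequest = verify(token, jkt, p, "DELETE", uri, now)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p2, _ := makeProof(otherKey, "GET", uri, token, now)
	stolen = verify(token, jkt, p2, "GET", uri, now)
	return
}

func main() {
	legit, wrongRequest, stolen := scenario()
	fmt.Println("legitimate:", legit, "| proof reused for another request:", wrongRequest, "| stolen token, wrong key:", stolen)
}
```

The third case is the one the article is about: an infostealer that copies the access token from disk or memory still cannot produce a proof that passes step 1, because the thumbprint of whatever key it signs with will not match `cnf.jkt`, and it cannot pass step 2 with the victim's key if that key lives in a TPM. The safeguard therefore rests entirely on the private key staying unexportable, which is the hardware and software dependency the paragraph above points to.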
“The underlying systems and hardware to support all this needs to come up to speed, as well, so it won’t be necessarily a quick fix, but I think all these things are necessary steps towards reducing those threats,” Forrester’s Cairns said.