
Advanced Authentication & Authorization

Technical concepts: AAL levels, SSO, federated identity, and modern auth systems

1. The Story: How a Stolen SSO Token Emptied $847K

And what every fraud team missed

Tuesday 09:15 – Fraud analyst Jessica Chen sees an alert: customer David Thompson has wired $50,000 to a crypto exchange from an IP in Eastern Europe. Classic ATO, she thinks.

Initial checklist

  • Customer confirmed the transfer is fraudulent.
  • Password unchanged for 12 months.
  • No failed logins in platform logs.
  • MFA still enabled and working.
  • No SIM‑swap on the phone line.
  • Customer email uncompromised.

Every finding after the first (no password change, no failed logins, MFA intact, no SIM swap, email uncompromised) breaks the "stolen‑password" pattern, hinting at something deeper.

On a call, David adds: "I usually log in with Google so I don't need the password."

(This is federated SSO: Google acts as the identity provider (IdP) and passes a login token to the bank via OAuth.)

Jessica realises this is an OAuth token replay attack. The attacker compromised David's Google account through a phishing email, then used the stolen OAuth tokens to access his banking. By day three the fraud total reaches $847,000 (three wires).

How OAuth tokens get compromised:

  • Email account phishing (most common)
  • Social media account compromise
  • Malware stealing browser tokens
  • Man-in-the-middle attacks on public WiFi

The Attack Timeline

Phase | Attacker step | Why bank rules missed it
1 | Phish Google account | No PayWave login yet
2 | Steal OAuth token on social login | Token looks valid, no failures
3 | Replay token via API – 3 wires, $847,000 | Platform trusts Google, MFA already satisfied

2. Why This Matters: The Authentication Evolution

Traditional fraud investigation assumed stolen passwords. But modern attacks exploit the trust relationships between systems:

  • Social login means compromising any provider (Google, Apple, Facebook, Microsoft) = accessing dozens of connected apps
  • Enterprise SSO means one stolen corporate login = access to all business systems
  • OAuth tokens can be replayed for hours/days without triggering password alerts
  • Session attacks bypass authentication entirely by stealing "logged in" status

Bottom line: Understanding how modern authentication works is now essential for effective fraud investigation.


3. Core Concepts

Before diving into technical terms, let's break down the building blocks of how authentication works today and why attackers are targeting complexity instead of brute force.

3.1 Single Sign‑On (SSO) – The "Master Key"

SSO type | How it works | Typical attacker move | In this case?
Social login | Site trusts Google / Apple account | Reuse stolen OAuth token | ✔️
Enterprise SSO | One corporate login unlocks all apps | Phish company IdP creds |

Analogy: Social login is a VIP wristband you show at each club. Enterprise SSO is a master key that quietly opens every door once you're inside.

3.2 Three Authentication Factors (easy mnemonic)

There are three standard categories of authentication factors used to verify identity. Understanding these helps fraud analysts pinpoint how an attacker got in and what was bypassed.

Something You Know

  • Examples: password, PIN, security question answer

Something You Have

  • Examples: mobile device, OTP code, hardware key, passkey (a device-stored credential that typically requires biometric unlock, combining something you have and something you are)

Something You Are

  • Examples: fingerprint, facial recognition, voice ID

These three categories are the foundation of all MFA systems. Most secure systems require at least two factors, typically one from "know" and one from "have" or "are."

3.3 Authentication Assurance Level (AAL) – "Lock Strength"

Level | Door lock analogy | Common MFA | Fraud worry
AAL 1 | Cheap latch | Password only | Bot stuffing
AAL 2 | Deadbolt + code | SMS‑OTP, Authenticator app | SIM‑swap, push fatigue
AAL 3 | Vault lock | Hardware key (FIDO2) | Rare, but costly to bypass

3.4 Identity Assurance Level (IAL) – Trusting the Person, Not Just the Password

IAL tells us how confident we are that a person is who they say they are, not just whether their login is secure.

IAL 1 — "Trust me"

  • User self‑declares name. Easy for fake IDs.

IAL 2 — "Scan my licence"

  • Upload documents or answer credit questions. Safer, but docs can be forged.

IAL 3 — "Show up in person"

  • Clerk verifies your government ID face‑to‑face. Hardest to fake, least convenient.

3.5 Sessions – Why "Staying Logged In" Matters for Fraud

What fraud analysts need to know: When someone logs into a website, they get a "stay logged in" pass called a session. It works like a visitor badge at a company: once you check in, you can walk around without showing ID again until the badge expires.

Why this matters for fraud:

  • Attackers can steal these "visitor badges" without knowing passwords
  • One stolen session = full account access until it expires
  • Traditional "failed login" alerts won't trigger

Red flags to watch for:

  • Account active from multiple countries simultaneously
  • Sessions lasting much longer than user's normal pattern
  • Rapid activity right after a legitimate login

Key concept: Understanding sessions helps explain why some account compromises don't show typical "failed login" patterns - the attacker never needed to guess passwords.


4. Why OAuth/SSO Systems Create New Attack Surfaces

Understanding these patterns helps fraud analysts recognize why modern authentication creates new vulnerabilities:

OAuth/SSO Complexity | Why It Creates Risk | What This Means for Fraud
Viewer → Owner role jump in minutes | OAuth tokens carry embedded permissions | Single compromised token = instant privilege escalation
Low‑priv token accessing high‑priv endpoints | Token reuse across different scopes | One stolen token works in multiple systems
Burst of admin invites after SSO login | Attackers establish persistence | SSO compromise = backdoor creation capability
Service tokens triggering user actions | Blurred boundaries between systems | Automated attacks can masquerade as human activity

Key insight: OAuth and SSO create "permission inheritance" - when one system trusts another, attacks can escalate across system boundaries.


5. Common Attack Patterns

Understanding these attack patterns helps fraud analysts recognize when advanced authentication systems are being exploited:

Attack Type | What Happens | Why It Works
OAuth Token Replay | Attacker steals and reuses OAuth tokens | Tokens often valid for hours, no password required
Session Hijacking | Steal browser session cookies | Session keeps user "logged in" without re-authentication
Push Fatigue | Spam user with MFA notifications | User approves one notification to stop the alerts
SSO Compromise | Compromise the identity provider account | One breach = access to all connected applications

Key concept: Modern attacks often target the trust relationships between systems rather than individual passwords.
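To make the "platform trusts Google" step concrete, here is an added example (not code from the page, the bank, or any IdP) of the checks a relying party must run before honouring a federated token: signature, issuer, audience, expiry, and single use so a captured token cannot simply be presented again. The issuer, audience, token format and HMAC signing key are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the IdP's signing key. Assumption/simplification:
# a real IdP signs with an asymmetric key and the relying party verifies
# against the IdP's published public keys; HMAC keeps this demo stdlib-only.
IDP_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example"   # hypothetical IdP
EXPECTED_AUDIENCE = "paywave-web"         # hypothetical relying-party client id
SEEN_TOKEN_IDS = set()                    # single-use cache keyed on the jti claim

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """IdP side: compact header.payload.signature token (HS256-style)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def accept_token(token: str, now: float) -> tuple:
    """Relying-party side: verify signature, issuer, audience and expiry,
    then enforce single use so the same token cannot be presented twice."""
    try:
        header, body, sig = token.split(".")
        given_sig = _unb64(sig)
    except ValueError:                    # wrong shape or invalid base64
        return False, "malformed"
    expected = hmac.new(IDP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return False, "bad signature"     # tampered, or signed by someone else
    claims = json.loads(_unb64(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"    # token minted for another app
    if claims.get("exp", 0) <= now:
        return False, "expired"           # short lifetimes bound the replay window
    jti = claims.get("jti")
    if not jti:
        return False, "missing jti"
    if jti in SEEN_TOKEN_IDS:
        return False, "replayed"          # same token presented a second time
    SEEN_TOKEN_IDS.add(jti)
    return True, "ok"
```

Access tokens are bearer credentials by design, so the single-use check here models the ID token or authorization-code exchange rather than every API call. For bearer tokens the defences are short lifetimes, revocation when the IdP account is compromised, and sender binding of the token to the client.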


6. Understanding Modern Authentication Attack Patterns

These patterns illustrate why traditional fraud detection struggles with OAuth/SSO attacks:

  • Permission‑grant storms - OAuth systems can grant broad permissions instantly, unlike traditional role-based systems
  • Off‑hours automation - Token-based attacks don't follow human schedules like password-based attacks
  • Velocity anomalies - Tokens enable rapid-fire actions that bypass traditional rate limiting
  • Cross-system access - SSO allows one compromised account to access multiple unrelated systems
  • Session vs. API confusion - Modern attacks blur the line between human and automated access

Why this matters: These patterns reflect the fundamental differences between password-based and token-based authentication systems.
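The session red flags from section 3.5 and the velocity anomaly above are easy to turn into detection logic. The following is an added example (not code from the page or from any fraud platform) run over a constructed session log; the thresholds, account names and event types are assumptions for the demo.

```python
from collections import defaultdict

# Constructed session log for this example (not from the page). Each row is
# (epoch seconds, account, session id, event, source country).
EVENTS = [
    (1_700_000_000, "david", "s1", "login", "US"),
    (1_700_000_060, "david", "s1", "view",  "US"),
    (1_700_002_400, "david", "s1", "view",  "US"),  # 20 min before the RO login
    (1_700_003_600, "david", "s2", "login", "RO"),  # second session, other country
    (1_700_003_605, "david", "s2", "wire",  "RO"),
    (1_700_003_610, "david", "s2", "wire",  "RO"),
    (1_700_003_615, "david", "s2", "wire",  "RO"),
    (1_700_010_000, "david", "s1", "view",  "US"),  # s1 still alive about 2h45m later
    (1_700_000_100, "alice", "a1", "login", "US"),  # normal user: no findings
]
# Thresholds are assumptions for the demo, not values from the page.
CONCURRENT_WINDOW = 1800              # two countries within 30 min = "simultaneous"
BURST_ACTIONS, BURST_SECONDS = 3, 60  # N wires within M seconds of a login
SESSION_BASELINE = 3600               # this user's normal session length

def session_red_flags(events, baseline=SESSION_BASELINE):
    """Return sorted (account, flag) pairs for the red flags listed in 3.5."""
    findings = set()
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    for account, evs in by_account.items():
        # Red flag 1: activity from two countries inside the concurrency window
        for i, (t1, _, _, _, c1) in enumerate(evs):
            for t2, _, _, _, c2 in evs[i + 1:]:
                if c2 != c1 and t2 - t1 <= CONCURRENT_WINDOW:
                    findings.add((account, "multi-country"))
        # Red flag 2: a session living far longer than this user's baseline
        spans = defaultdict(list)
        for t, _, sid, _, _ in evs:
            spans[sid].append(t)
        for sid, ts in spans.items():
            if max(ts) - min(ts) > 2 * baseline:
                findings.add((account, f"long-session:{sid}"))
        # Red flag 3 (the velocity anomaly of section 6): a burst of wires right after login
        for t, _, sid, kind, _ in evs:
            if kind != "login":
                continue
            burst = [e for e in evs
                     if e[2] == sid and e[3] == "wire" and 0 < e[0] - t <= BURST_SECONDS]
            if len(burst) >= BURST_ACTIONS:
                findings.add((account, f"post-login-burst:{sid}"))
    return sorted(findings)
```

None of these rules depends on a failed login, which is exactly why they catch what password-centric alerting misses.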


7. Why Understanding Modern Authentication Matters for Fraud Analysts

Conceptual foundation for modern fraud investigation:

  • Recognize system architecture - understanding OAuth/SSO helps you grasp why attacks work differently than traditional credential theft
  • Ask informed questions - "Do you use Login with Google?" reveals federated authentication and changes your investigation approach
  • Understand evidence sources - knowing that OAuth creates logs in multiple systems (IdP, application, API gateway) tells you where the evidence lives
  • Collaborate with technical teams - speaking the same language about AAL, IAL, and SSO builds credibility and gets better information

Connection to Account Security 101: Remember the RBAC concepts and privilege escalation from the fundamentals? OAuth and SSO are modern implementations of those same principles, but with cross-system trust relationships that create new attack possibilities.

Key insight: Modern fraud often exploits the complexity and trust relationships of authentication systems rather than weak passwords.


8. Key Terms

For complete definitions of authentication and ATO terminology, see the ATO Glossary.

Core concepts from this module:

  • OAuth tokens - Digital passes that enable SSO access without passwords
  • SSO - Single Sign-On systems that create cross-application trust relationships
  • AAL/IAL - Authentication and Identity Assurance Levels for security classification
  • Token replay - Reusing stolen authentication tokens before expiration
  • Federated authentication - Using external identity providers for login

9. Key Takeaways

  1. One stolen SSO token can beat any local password.
  2. SMS MFA ≠ hardware key – AAL matters.
  3. IdP & API logs often reveal what bank logs hide.
  4. Understanding token architecture helps fraud analysts collaborate effectively with security teams.
  5. Session attacks bypass traditional authentication monitoring.
  6. Modern fraud investigation requires understanding OAuth, SAML, and SSO architecture.

Next: ATO 101 → investigate account takeover attacks using these authentication concepts.


Fast Facts (Real-World Statistics for 2024–2025)


