IntermediateAuthentication

Treat OAuth token scopes as a security boundary, not a convenience setting

OAuth tokens with broad scopes are high-value targets. When Heroku and Travis CI OAuth tokens were stolen in 2022, they had been granted full repository access to every GitHub user who had installed those integrations — enabling bulk cloning of private code. Restrict OAuth app scopes to the minimum required. Prefer short-lived tokens via OIDC over long-lived OAuth tokens for CI/CD integrations. Conduct quarterly audits of all OAuth apps connected to your GitHub, Google Workspace, or other identity provider and revoke unused apps immediately.

Tags

OAuthtoken scopesGitHub appsOIDCleast privilege

More in Authentication

All guides
beginnerfeatured

Use hardware security keys for privileged and external-facing accounts

FIDO2/WebAuthn hardware security keys are phishing-proof — they cryptographically bind to the domain you registered them on, so a cloned login page cannot capture the credential. SMS-based two-factor codes can be intercepted via SIM-swapping or forwarded by a victim who receives a fraudulent phone call. The Twilio breach demonstrated exactly this: employees entered SMS codes into a phishing page. Hardware keys like YubiKey make that attack impossible. Deploy them first for all administrators, executives, and anyone with access to production systems or financial controls.

See: Twilio SMS PhishingAuthentication
intermediate

Migrate from SMS and TOTP to phishing-resistant MFA

SMS two-factor authentication is vulnerable to SIM-swapping, SS7 interception, and real-time phishing relay. TOTP (authenticator app) codes are better than SMS but can still be captured on a convincing phishing page. Phishing-resistant MFA — FIDO2 hardware keys or passkeys — cannot be forwarded to an attacker's server because the credential is cryptographically bound to the exact domain. When Cloudflare was targeted by the same 0ktapus campaign that successfully breached Twilio, Cloudflare survived because their employees used hardware keys. Prioritise migration for your highest-value accounts first.

See: Twilio SMS PhishingAuthentication
beginner

Enforce a 90-day audit of all service accounts and shared credentials

Dormant accounts and over-privileged service credentials are a persistent attack surface. The Colonial Pipeline VPN credential that enabled the ransomware attack belonged to an account that was no longer actively used but had never been deactivated. Run a quarterly audit of all service accounts, API keys, and shared credentials. Deactivate anything unused for 30 days. Remove permissions that are broader than the account's stated purpose. Document every service account's owner, purpose, and expiry date.

See: Colonial PipelineAuthentication