The 2023 incident at a major identity provider was a tidy demonstration of how concentrated authentication has become. A single set of valid customer support credentials, lifted from a personal device, got attackers into a customer support tool. From that tool, they had access to support tickets that included session tokens, HAR files, and screenshots from administrators of dozens of large enterprises.
None of the customers had been breached, exactly. The identity provider hadn’t lost its master signing keys. What had happened was that a tier of access most customers had never thought about (“when our support team helps you debug, what do they end up able to see?”) turned out to be more privileged than the marketing pages suggested.
The list of downstream incidents grew steadily for months afterward. Some customers saw session-token theft within days. Others spent the next two quarters discovering that administrative actions in their environment had been performed by people they couldn’t identify.
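One practical control on the customer side of this incident, as an added example that is not part of the original post or of Halo's tooling: a HAR sanitizer that strips session cookies, authorization headers, token-bearing query parameters and request bodies before a browser capture is attached to a support ticket, with an audit function that lists what would still leak. The layout assumed is the standard HAR 1.2 structure (`log.entries[].request`/`response`, each with `headers`, `cookies` and `queryString` lists of name/value pairs); the sample capture, hostnames and token values below are constructed for the example.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names (case-insensitive) that always carry credentials or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Name fragments that mark a header or query parameter as credential-bearing.
SENSITIVE_NAME_FRAGMENTS = ("token", "session", "auth", "secret", "password")
REDACTED = "[REDACTED]"


def is_sensitive_name(name):
    lower = name.lower()
    return lower in SENSITIVE_HEADERS or any(f in lower for f in SENSITIVE_NAME_FRAGMENTS)


def _redact_pairs(pairs):
    """Redact the value of every {name, value} pair whose name looks credential-bearing."""
    n = 0
    for p in pairs:
        if is_sensitive_name(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    """Every cookie value goes: any of them may be a session identifier."""
    n = 0
    for c in cookies:
        if c.get("value") not in (None, REDACTED):
            c["value"] = REDACTED
            n += 1
    return n


def redact_url(url):
    """Redact credential-looking query parameters inside the URL string itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    n, kept = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive_name(name) and value != REDACTED:
            value, n = REDACTED, n + 1
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), n


def redact_har(har):
    """Return (sanitized deep copy, number of values redacted); the input is left untouched."""
    out, n = copy.deepcopy(har), 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        n += _redact_pairs(req.get("headers", []))
        n += _redact_pairs(req.get("queryString", []))
        n += _redact_cookies(req.get("cookies", []))
        n += _redact_pairs(resp.get("headers", []))
        n += _redact_cookies(resp.get("cookies", []))
        req["url"], k = redact_url(req.get("url", ""))
        n += k
        post = req.get("postData")
        if post and post.get("text") not in (None, "", REDACTED):
            # Login forms and token refreshes live in request bodies; drop the body, keep the metadata.
            post["text"] = REDACTED
            n += 1
    return out, n


def audit_har(har):
    """List the fields that still carry credential-looking, non-redacted values (empty list = clean)."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for where, pairs in (("request.headers", req.get("headers", [])),
                             ("request.queryString", req.get("queryString", [])),
                             ("response.headers", resp.get("headers", []))):
            for p in pairs:
                if is_sensitive_name(p.get("name", "")) and p.get("value") != REDACTED:
                    findings.append(f"entries[{i}].{where}.{p['name']}")
        for where, cookies in (("request.cookies", req.get("cookies", [])),
                               ("response.cookies", resp.get("cookies", []))):
            for c in cookies:
                if c.get("value") not in (None, REDACTED):
                    findings.append(f"entries[{i}].{where}.{c.get('name')}")
        for name, value in parse_qsl(urlsplit(req.get("url", "")).query, keep_blank_values=True):
            if is_sensitive_name(name) and value != REDACTED:
                findings.append(f"entries[{i}].request.url.{name}")
        post = req.get("postData") or {}
        if post.get("text") not in (None, "", REDACTED):
            findings.append(f"entries[{i}].request.postData")
    return findings


def har_contains(har, needle):
    """True if the literal string still appears anywhere in the serialized capture."""
    return needle in json.dumps(har)


# Constructed sample capture: an admin console session as a support engineer would receive it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://admin.example.test/api/users?access_token=abc123",
                 "headers": [{"name": "Cookie", "value": "sid=deadbeef"}, {"name": "Accept", "value": "*/*"}],
                 "queryString": [{"name": "access_token", "value": "abc123"}],
                 "cookies": [{"name": "sid", "value": "deadbeef"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=cafef00d; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "cafef00d"}]}},
    {"request": {"method": "POST", "url": "https://admin.example.test/login",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.example.sig"}],
                 "queryString": [], "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "user=admin&password=hunter2"}},
     "response": {"status": 302, "headers": [], "cookies": []}}]}}

if __name__ == "__main__":
    print("before:", audit_har(SAMPLE_HAR))
    clean, n = redact_har(SAMPLE_HAR)
    print(f"redacted {n} values; residual findings: {audit_har(clean)}")
```

The audit runs the same name rules as the redactor, so a capture that passes `audit_har` with an empty list is, by construction, one the sanitizer would leave unchanged; running the audit on anything about to leave your environment is the cheap check, and the redactor is the fix. Cookies are redacted unconditionally rather than by name, since a session identifier can be called anything.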
The common thread wasn’t the identity provider’s carelessness. It was the level of concentrated trust that a centralized identity provider necessarily holds. When you authenticate everything through one vendor, that vendor’s support engineers, their support tools, their support tools’ underlying SaaS dependencies, and their support tools’ underlying SaaS dependencies’ contractors are all in your trust boundary. You probably never met any of them.
Your identity plane should be inside your perimeter.
Eclipse environments handle authentication for the components Halo deploys. We don’t outsource your identity to a continental-scale provider whose own support tooling is several SaaS layers deep. When somebody else has a bad day, your sessions, your tokens, and your administrative actions don’t end up in a stranger’s screenshot.
SecurityWeek and CyberScoop both reported extensively on the identity-provider customer-support breach and its downstream effects. https://cyberscoop.com/
