IdPs Cannot Validate Workload Authenticity

Dec 22, 2025

Failure Pattern

Identity providers (IdPs) authenticate users and services but do not verify the workload presenting the credentials.

What We See in the Field

A compromised system uses valid credentials to access internal systems. IdPs trust the token. The system continues acting as a legitimate actor.

Underlying Causes

Bearer tokens
No hardware binding
Long session lifetimes
Stolen service accounts
Overprivileged identities

Trust-Native Network Resolution

DTL requires verifiable trust at session creation: an IdP token must be paired with a valid TrustKey before the session is accepted, so a token on its own does not let an attacker impersonate the workload.
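As an added illustration of the check this resolution describes (example code written for this page, not DTL's or TrustKey's own implementation), here is a resource server that accepts a plain bearer token from whoever presents it, but for a key-bound token also demands a per-request proof signed by the workload's private key. The IdP signature is modelled as an HMAC over the claims with a constructed shared secret standing in for a JWS; the workload key is Ed25519; the `cnf` thumbprint claim, the `svc-billing` identity, the request paths and the 60-second proof window are all assumed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims carried in a token issued by the simulated IdP.
type Claims struct {
	Sub string `json:"sub"`           // workload identity (assumed sample value below)
	Exp int64  `json:"exp"`           // expiry, Unix seconds
	Cnf string `json:"cnf,omitempty"` // thumbprint of the workload's public key; empty = plain bearer token
}

// Token is the serialised claims plus the IdP's MAC over them (a simplified stand-in for a JWS).
type Token struct{ Payload, Sig []byte }
// Constructed sample secret shared by IdP and resource server; a real IdP would sign with a private key.
var idpKey = []byte("constructed-idp-signing-key")
// issueToken mints a token for sub; when workloadPub is given, the token is bound to that key via cnf.
func issueToken(sub string, ttl time.Duration, workloadPub ed25519.PublicKey) Token {
	c := Claims{Sub: sub, Exp: time.Now().Add(ttl).Unix()}
	if workloadPub != nil {
		c.Cnf = thumbprint(workloadPub)
	}
	payload, _ := json.Marshal(c)
	mac := hmac.New(sha256.New, idpKey)
	mac.Write(payload)
	return Token{Payload: payload, Sig: mac.Sum(nil)}
}

func thumbprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

type Request struct { // what the resource server receives: the token plus an optional proof of key possession
	Token        Token
	Method, Path string
	Timestamp    int64
	ProofPub     ed25519.PublicKey
	Proof        []byte // Ed25519 signature over proofMessage
}

// proofMessage ties the proof to this request and to this exact token.
func proofMessage(r Request) []byte {
	return []byte(fmt.Sprintf("%s %s %d %s", r.Method, r.Path, r.Timestamp,
		base64.RawURLEncoding.EncodeToString(r.Token.Sig)))
}

// signRequest is what a workload that actually holds the private key does for each call.
func signRequest(tok Token, method, path string, priv ed25519.PrivateKey) Request {
	r := Request{Token: tok, Method: method, Path: path, Timestamp: time.Now().Unix(),
		ProofPub: priv.Public().(ed25519.PublicKey)}
	r.Proof = ed25519.Sign(priv, proofMessage(r))
	return r
}

// verify is the resource server's policy: valid IdP MAC, not expired, and for a key-bound token a fresh proof by the bound key.
func verify(r Request, now, maxSkew int64) error {
	mac := hmac.New(sha256.New, idpKey)
	mac.Write(r.Token.Payload)
	if !hmac.Equal(mac.Sum(nil), r.Token.Sig) {
		return errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(r.Token.Payload, &c); err != nil {
		return err
	}
	if now >= c.Exp {
		return errors.New("token expired")
	}
	if c.Cnf == "" {
		return nil // bearer token: whoever presents it is accepted, which is the failure pattern
	}
	if r.ProofPub == nil || thumbprint(r.ProofPub) != c.Cnf {
		return errors.New("proof key does not match the key bound in the token")
	}
	if r.Timestamp < now-maxSkew || r.Timestamp > now+maxSkew {
		return errors.New("proof timestamp outside the accepted window")
	}
	if !ed25519.Verify(r.ProofPub, proofMessage(r), r.Proof) {
		return errors.New("proof signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now, bound := time.Now().Unix(), issueToken("svc-billing", time.Hour, pub)
	fmt.Println("stolen token, no key:", verify(Request{Token: bound, Method: "GET", Path: "/data"}, now, 60))
	fmt.Println("token plus key proof:", verify(signRequest(bound, "GET", "/data", priv), now, 60))
}
```

The binding only helps if the private key is not as portable as the token was: keeping it in a TPM or similar non-exportable store is what addresses the "no hardware binding" cause, and the timestamp window together with a short token lifetime limits how long a captured token-plus-proof pair stays useful. A production verifier would also track seen proofs to close replay inside the window.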

Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.