Failure Pattern
Token-based authentication authenticates the bearer of the token, not the identity of the workload presenting it. An attacker who steals a token can use it exactly as the legitimate holder would, and the request looks legitimate.
What We See in the Field
API tokens are stolen from a compromised VM and replayed from an attacker-controlled system. Downstream services accept the requests because the token-based authentication check succeeds.
Underlying Causes
Token theft from memory
Credentials stored in environment variables
No binding to device identity
Long-lived service credentials
Cloud identity drift
Trust-Native Network Resolution
DTL requires TrustKeys for session establishment. Tokens alone cannot create trust. Stolen tokens become useless without verified workload identity.
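To make the difference between a bearer check and an identity-bound check concrete, here is an added Python illustration. It is not DTL's or TrustKeys' code; it uses the generic certificate-bound token pattern (the cnf["x5t#S256"] claim of RFC 8705), with constructed byte strings standing in for the client certificates a mutual-TLS layer would report, and a constructed HMAC key as the issuer's signing secret.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed, not a real secret

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705 binds a token to the SHA-256 of the client certificate (cnf["x5t#S256"]).
    return _b64u(hashlib.sha256(cert_der).digest())

def issue_token(subject: str, client_cert_der: bytes) -> str:
    # The issuer records which workload certificate the token is confined to.
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def verify_bearer(token: str):
    # Bearer-only check: whoever holds the string is accepted if the signature verifies.
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        return None
    return json.loads(_b64u_decode(payload))

def verify_bound(token: str, presenter_cert_der: bytes):
    # Sender-constrained check: the token is honoured only when the certificate the
    # TLS layer authenticated for this connection matches the thumbprint in the token.
    claims = verify_bearer(token)
    if claims is None:
        return None
    bound = claims.get("cnf", {}).get("x5t#S256", "")
    if not hmac.compare_digest(bound, cert_thumbprint(presenter_cert_der)):
        return None
    return claims

# Constructed stand-ins for the DER bytes of two workloads' client certificates.
WORKLOAD_A_CERT = b"constructed-der-bytes-for-workload-A"
WORKLOAD_B_CERT = b"constructed-der-bytes-for-workload-B"

if __name__ == "__main__":
    token = issue_token("billing-service", WORKLOAD_A_CERT)  # issued to workload A
    print("bearer check, replayed from B:", verify_bearer(token) is not None)            # True
    print("bound check, presented by A:  ", verify_bound(token, WORKLOAD_A_CERT) is not None)  # True
    print("bound check, replayed from B: ", verify_bound(token, WORKLOAD_B_CERT) is not None)  # False
```

The same stolen token string passes the bearer-only verifier from any host but fails the bound verifier unless the presenting workload's certificate matches the one the token was issued to.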
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.
This is the risk of trust inferred from credentials, location, or prior authentication.
