Zero Trust Security

Zero Trust Authentication

Authentication is the foundation of zero trust. If identity verification is weak, everything built on top of it is compromised. Anubiz Engineering implements zero trust authentication with phishing-resistant methods, risk-based step-up, continuous session validation, and passwordless options that are both more secure and more convenient than traditional passwords.


Phishing-Resistant MFA

SMS and TOTP-based MFA are phishable because attackers can relay the codes in real time. We implement phishing-resistant authentication: WebAuthn/FIDO2 hardware keys (YubiKey), platform authenticators (Touch ID, Windows Hello), or passkeys. These methods are bound to the origin domain, so a credential registered for the genuine site will not produce a valid response for a look-alike domain. For organizations transitioning, we implement phishing-resistant MFA for privileged accounts first, then roll out to all users.

Risk-Based Authentication

Not every login attempt carries the same risk. We implement adaptive authentication that evaluates risk signals: known device vs. new device, familiar location vs. unusual country, normal hours vs. 3 AM, trusted network vs. public WiFi. Low-risk logins proceed with a single factor. Medium-risk logins trigger MFA. High-risk logins require strong MFA and manager notification. Risk scoring is continuous, not just at login time.

Session Management

Sessions are the weakest link after authentication. We configure short-lived sessions with periodic re-validation: access tokens expire in 15 minutes, refresh tokens in hours, not days, and idle sessions time out after 30 minutes. Critical operations (deployment, data export, privilege change) require re-authentication regardless of session state. Session tokens are bound to the device and IP range that initiated them.
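The session rules above, sketched as a per-request check (an added example, not Anubiz Engineering's own code). The `Session` fields, the `evaluate` function, the operation names and the 5-minute `REAUTH_WINDOW` are assumptions made for illustration; the 15-minute and 30-minute limits come from the text.

```python
import ipaddress
from dataclasses import dataclass

ACCESS_TTL = 15 * 60     # access tokens expire in 15 minutes (from the text)
IDLE_TIMEOUT = 30 * 60   # idle sessions time out after 30 minutes (from the text)
REAUTH_WINDOW = 5 * 60   # assumption: how recent a re-authentication must be
CRITICAL_OPS = {"deployment", "data_export", "privilege_change"}  # hypothetical names

@dataclass
class Session:
    device_id: str          # device that initiated the session
    ip_range: str           # CIDR range the session was bound to at login
    token_issued_at: float  # when the current access token was minted
    last_activity: float    # last request accepted on this session
    last_auth_at: float     # last time the user actually authenticated

def evaluate(s, op, device_id, client_ip, now):
    """Return 'allow', 'refresh', 'reauth' or 'deny' for one request."""
    # Binding checks come first: a token presented from another device or
    # network is rejected no matter how fresh it is.
    if device_id != s.device_id:
        return "deny"
    try:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(s.ip_range):
            return "deny"
    except ValueError:  # malformed address or range: fail closed
        return "deny"
    # Idle timeout is checked before token expiry so that an abandoned
    # session cannot be revived with a refresh token.
    if now - s.last_activity > IDLE_TIMEOUT:
        return "reauth"
    # Critical operations need a recent authentication, not just a live session.
    if op in CRITICAL_OPS and now - s.last_auth_at > REAUTH_WINDOW:
        return "reauth"
    # Expired access token on an otherwise healthy session: use the refresh flow.
    if now - s.token_issued_at > ACCESS_TTL:
        return "refresh"
    s.last_activity = now
    return "allow"

if __name__ == "__main__":
    # Constructed sample session and requests (documentation IP ranges).
    s = Session("dev-A", "203.0.113.0/24", 1000.0, 1000.0, 1000.0)
    print(evaluate(s, "read", "dev-A", "203.0.113.7", 1060.0))
    print(evaluate(s, "read", "dev-A", "198.51.100.9", 1100.0))
    print(evaluate(s, "data_export", "dev-A", "203.0.113.7", 1400.0))
    print(evaluate(s, "read", "dev-A", "203.0.113.7", 1901.0))
```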

Identity Provider Hardening

The identity provider is the highest-value target in a zero trust architecture. We harden it: admin access requires hardware MFA, conditional access policies restrict admin logins to managed devices, audit logs are forwarded to an immutable store, and break-glass procedures are documented and tested. Federated identity configurations (SAML, OIDC) are locked down to prevent assertion manipulation and redirect attacks.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.