
To toot my own company's horn[0], we designed our authentication protocol OpenPubkey[1] to have two signers on tokens:

1. The IDP signer (like Microsoft or Google)
2. The Cosigner (like bastionzero.com)

...so that even if Microsoft's signing key is stolen, the attacker also needs to compromise the cosigner's signing key as well. It's like multisig for authentication tokens.

I don't know if OpenPubkey would have helped in this particular case, as the details are still coming out[2], but I think the future of authentication schemes must require that authentication tokens must be signed by multiple signers at different organizations; authentication systems with single-point-of-compromise signing keys are too fragile. Or, put another way, authentication via multiple independent roots of trust is just too powerful of a security tool not to use.

[0]: BastionZero, https://bastionzero.com

[1]: OpenPubkey: Augmenting OpenID Connect with User held Signing Keys, https://eprint.iacr.org/2023/296

[2]: It appears the key stolen was an MSA key, not an Azure AD signing key. The MSA architecture might not fit into the OpenPubkey model (or it might; I don't know enough about how MSA signing keys work to say). Had it been an Azure AD signing key, then OpenPubkey would mitigate the theft of an Azure AD signing key. https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
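
The two-signer check described in the comment above, as an added example that is not part of the original comment and is not OpenPubkey's or BastionZero's code. The token layout, the use of Ed25519, the cosigner signing the payload plus the IDP signature, and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Token is a constructed stand-in for an ID token, not OpenPubkey's wire format.
type Token struct{ Payload, IDPSig, CosignerSig []byte }
// Verifier pins one public key per independent signer (hypothetical type).
type Verifier struct{ IDPKey, CosignerKey ed25519.PublicKey }

var ErrIDP = errors.New("IDP signature invalid")
var ErrCosigner = errors.New("cosigner signature missing or invalid")

// cosignInput binds the cosigner's approval to one exact IDP-signed token.
func cosignInput(t Token) []byte {
	return append(append([]byte{}, t.Payload...), t.IDPSig...)
}

// Verify accepts a token only when both signers have signed it.
func (v Verifier) Verify(t Token) error {
	if !ed25519.Verify(v.IDPKey, t.Payload, t.IDPSig) {
		return ErrIDP
	}
	if !ed25519.Verify(v.CosignerKey, cosignInput(t), t.CosignerSig) {
		return ErrCosigner
	}
	return nil
}

// Demo verifies an honest token and one minted with only the IDP key.
func Demo() (honest, forged error) {
	idpPub, idpPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	coPub, coPriv, _ := ed25519.GenerateKey(nil)
	v := Verifier{IDPKey: idpPub, CosignerKey: coPub}
	good := Token{Payload: []byte(`{"sub":"alice@example.com"}`)} // constructed claims
	good.IDPSig = ed25519.Sign(idpPriv, good.Payload)
	good.CosignerSig = ed25519.Sign(coPriv, cosignInput(good))
	// Stolen-IDP-key case: valid IDP signature, cosigner signature reused from good.
	bad := Token{Payload: []byte(`{"sub":"admin@example.com"}`), CosignerSig: good.CosignerSig}
	bad.IDPSig = ed25519.Sign(idpPriv, bad.Payload)
	return v.Verify(good), v.Verify(bad)
}

func main() {
	fmt.Println(Demo()) // honest result, then forged result
}
```

A verifier that checks only the IDP signature would accept the second token; requiring the cosigner signature over the same payload is what rejects it.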


