PingOne Platform APIs

Machine-in-the-middle

What PingOne does to prevent machine-in-the-middle attacks

  • Transport Layer Security (TLS) protocols secure all communications between the user’s device, PingOne services, and third-party applications. This ensures data in transit is encrypted. For more information refer to TLS and cipher suite requirements.

  • Forward Secrecy (FS) is used within TLS connections. FS negotiates a unique, ephemeral session key for each session, so a later compromise of a key does not expose earlier sessions, protecting recorded traffic from retrospective decryption.

  • Public Key Infrastructure (PKI) is leveraged to authenticate servers using X.509 certificates. This ensures clients are connecting to legitimate PingOne services, preventing attackers from impersonating PingOne systems and intercepting communications. For more information refer to Certificate Management.

  • OAuth 2.0 and OpenID Connect are used for API access and identity federation. OAuth tokens are transmitted over encrypted channels (TLS), ensuring that credentials and sensitive data remain protected from machine-in-the-middle attacks. For more information refer to OpenID Connect/OAuth 2 APIs and OpenID Connect/OAuth 2.

  • API interactions are secured with signed tokens (such as access tokens and refresh tokens). Even if a token is intercepted and modified by an attacker, it will be rejected because the signature no longer verifies against the token's contents. For more information refer to Access tokens and ID tokens.

  • SameSite and Secure attributes for cookies are used to prevent cross-site request forgery (CSRF) attacks, which can be leveraged in machine-in-the-middle scenarios. These attributes ensure that cookies are only sent over secure connections and only in legitimate contexts. For more information refer to Token storage.

  • CORS policies are implemented to control which external domains can interact with PingOne resources, preventing attackers from exploiting weaknesses in cross-site communication for machine-in-the-middle attacks. For more information refer to Cross-origin resource sharing in API requests.

  • Content Security Policy (CSP) headers are used to prevent code injection attacks (such as cross-site scripting, or XSS), which can be used to facilitate machine-in-the-middle attacks. CSP restricts the types of content that can be executed in the browser, protecting users from malicious scripts.
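The signed-token point above is easiest to see in code. The following is an added example, not PingOne code: it builds and verifies a compact HS256 JWT with only the Python standard library, then shows that a token whose payload an interceptor has edited fails verification. The secret, claim values and the `tamper_scope` helper are constructed for the demonstration; PingOne's actual token format, algorithm and key material are not assumed here.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real verifier uses the issuer's published keys.
SECRET = b"constructed-demo-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT of the form header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: refuse "none" or anything other than the expected one.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal how much of the MAC matched.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None
        return claims
    except (ValueError, AttributeError):
        return None

def tamper_scope(token: str, new_scope: str) -> str:
    """Model an interceptor who edits the payload but cannot re-sign it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["scope"] = new_scope
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

Calling `verify_token` on the output of `tamper_scope` returns `None`, while the untouched token yields its claims; the same check also rejects a token signed under a different key, an expired token, and a header rewritten to `alg: none`.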

What you can do to prevent machine-in-the-middle attacks

  • Mandate the use of multi-factor authentication (MFA) by all users. Even if an attacker intercepts login credentials during a machine-in-the-middle attack, MFA adds an additional layer of protection, so stolen credentials alone are not enough to gain unauthorized access. For more information refer to PingOne MFA.

  • Advise your users to bookmark the official login pages for your applications. Attackers have been known to manipulate search engines to direct users to spoofed versions of login pages to phish user credentials. You can also look into delisting your official login pages from search engines to avoid this scenario.

  • Implement adaptive MFA, where PingOne Protect dynamically adjusts the level of security based on risk factors like device fingerprinting, user behavior, or location. If the system detects unusual activity, it can enforce stricter verification requirements. For more information refer to PingOne Protect.

  • Use Intrusion Detection and Prevention Systems (IDPS) to monitor network traffic to your applications in real time for signs of machine-in-the-middle attacks. This can detect abnormal traffic patterns, such as unexpected re-routing of traffic, and block malicious connections before they cause harm.