Practitioner catalog · 2026.05

IAM anti-patterns — 35 ways to break your identity stack.

A practitioner-maintained catalog of identity & access management anti-patterns — what they cost, and how to fix them. Each entry has a stable anchor so you can share specific anti-patterns in code review. CC BY 4.0.


Authentication (6)
  1. #01 Implicit Flow for a single-page app

    #implicit-flow-in-spa

    Problem

    Returning an access token directly in the URL fragment via response_type=token or id_token token.

    Cost

    Tokens leak via browser history, referer headers, analytics scripts, and bookmarks. OAuth 2.1 removed this for a reason.

    Fix

    Authorization Code + PKCE. Every modern SPA framework + IdP supports it.

  2. #02 Resource Owner Password Credentials grant as the default

    #ropc-as-default

    Problem

    Client collects the user's username + password directly and exchanges them at /token with grant_type=password.

    Cost

    Defeats the entire point of OAuth — the third-party app now has the password. Bypasses MFA. Removed in OAuth 2.1.

    Fix

    Authorization Code + PKCE. ROPC was always a migration-only crutch.

  3. #03 Push MFA without number-matching

    #push-mfa-without-number-matching

    Problem

    Tap-to-approve push notifications without showing a number the user must verify in the originating app.

    Cost

    MFA fatigue: attackers spam push prompts until a tired user taps approve. The pattern that compromised Uber, Cisco, MGM.

    Fix

    Number-matching is now a feature in every major MFA platform (Microsoft Authenticator, Okta Verify, Duo Push). Turn it on for privileged users at minimum.

  4. #04 SMS MFA on admin accounts

    #sms-mfa-on-admin-accounts

    Problem

    SMS as the second factor for accounts with privileged access.

    Cost

    SIM swap attacks. NIST 800-63B has discouraged SMS OTP since 2017; modern guidance explicitly requires phishing-resistant factors for privileged users.

    Fix

    FIDO2 / passkeys / hardware security keys for any privileged user. SMS is acceptable for low-risk consumer accounts only.

  5. #05 Shared MFA enrollment across multiple users

    #shared-mfa-enrollment

    Problem

    Multiple users enrolled against one TOTP secret / one hardware token / one phone.

    Cost

    Defeats non-repudiation. Lifecycle break: when one user leaves, all the others lose access too.

    Fix

    One human, one set of enrolled credentials. Service accounts get their own credential strategy.

  6. #06 Strong password policy without compromised-password screening

    #password-policy-without-screen

    Problem

    Enforcing 16-character minimums and complexity rules but not checking against breach corpora.

    Cost

    Users pick strong-looking passwords that were leaked in a prior breach — credential stuffing still works.

    Fix

    Screen against HIBP Pwned Passwords (or equivalent) at password-set time. Modern IdPs offer this as a toggle.
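The Authorization Code + PKCE fix prescribed for #01 and #02, as an added example that is not the catalog's own code: the client derives an S256 challenge from a random verifier, and an assumed minimal in-memory authorization server stores the challenge with the issued code and re-derives it at `/token`. The `AuthorizationServer` class and its method names are illustrative.

```python
# Added example: PKCE (RFC 7636) generation on the client side and
# verification on the authorization-server side. Not the catalog's code.
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Illustrative in-memory AS: keeps the challenge next to the issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (method, challenge)

    def authorize(self, code_challenge: str, method: str) -> str:
        # RFC 7636 tolerates "plain" only where S256 is impossible; OAuth 2.1
        # profiles reject it, so this AS accepts S256 only.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        if not 43 <= len(code_challenge) <= 128:
            raise ValueError("challenge length out of range")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (method, code_challenge)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single-use: pop removes the code whether or not the check passes,
        # so a wrong guess cannot be retried against the same code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        _method, stored = entry
        return hmac.compare_digest(stored, code_challenge_s256(code_verifier))
```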

Authorization (4)
  1. #07 Role explosion

    #role-explosion

    Problem

    One role per (job × department × team × project) combination. 8K-30K roles in the IGA system.

    Cost

    Nobody can certify the entitlements. Reviewers rubber-stamp. The role model is more noise than signal.

    Fix

    Re-mine roles starting from broad business functions. Use risk-tiered certifications instead of trying to make role-mining perfect.

  2. #08 Authorization via a `roles` claim in the access token

    #authz-via-jwt-roles-claim

    Problem

    Stuffing all permissions into the access token at issue time, then checking them at API call time.

    Cost

    Token bloat (some tokens hit 10KB+). Stale permissions because tokens are long-lived. Tokens become a credential-exposure surface.

    Fix

    Token carries identity + minimal scopes. Authorization queries a policy engine (OPA, Cerbos, OpenFGA) at call time.

  3. #09 Wildcard permissions in policy

    #wildcard-permissions

    Problem

    `s3:*` or `arn:aws:s3:::*` style wildcards in IAM policy.

    Cost

    Audit findings. Privilege escalation paths nobody intended. The cost of wildcard policies is paid only after a breach.

    Fix

    IAM Access Analyzer + least-privilege policy generation from CloudTrail usage. Reduce iteratively.

  4. #10 Application code owns authorization decisions

    #app-owns-authz

    Problem

    `if (user.role === "admin") { ... }` scattered through application code.

    Cost

    No central audit trail. Policy changes require app deploys. Cross-app inconsistency is guaranteed.

    Fix

    External policy decision point. Apps query "can subject X do action Y on resource Z?" and trust the answer.
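A linter for the wildcard policies described in #09, as an added example that is not the catalog's own code: it parses an AWS IAM policy document and reports every Allow statement whose Action is `*` or `svc:*`, or whose Resource is `*` or an ARN whose resource part is entirely `*`. The sample policy is constructed for illustration; `NotAction`/`NotResource` statements are not covered.

```python
# Added example: flag wildcard actions and resources in IAM policy JSON.
# Not the catalog's code; SAMPLE_POLICY is constructed for illustration.
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
        {"Sid": "GodMode", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value) -> list[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard_action(action: str) -> bool:
    # "*" grants everything; "svc:*" grants every action in a service.
    # Narrower globs such as "s3:Get*" pass here but still deserve review.
    return action == "*" or action.endswith(":*")


def _is_wildcard_resource(resource: str) -> bool:
    # Bare "*" or an ARN whose resource segment is only "*" (arn:aws:s3:::*).
    # A key glob like arn:aws:s3:::bucket/* is scoped to one bucket and passes.
    return resource == "*" or resource.split(":")[-1] == "*"


def lint_policy(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that uses a wildcard."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny wildcard reduces privilege; not a finding
        bad_actions = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        bad_resources = [r for r in _as_list(stmt.get("Resource")) if _is_wildcard_resource(r)]
        if bad_actions or bad_resources:
            findings.append({"sid": stmt.get("Sid", f"stmt-{i}"),
                             "actions": bad_actions, "resources": bad_resources})
    return findings
```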

Sessions & tokens (5)
  1. #11 Long-lived access tokens (24h+)

    #long-lived-access-tokens

    Problem

    Access tokens with `exp` set 24h or longer.

    Cost

    A stolen token has a 24h+ blast radius. Refresh-token rotation can't help once the access token is loose.

    Fix

    Access tokens 5-60 minutes. Use refresh tokens for re-issuance. Pair with sender-constrained tokens (DPoP / mTLS) where feasible.

  2. #12 No refresh-token rotation

    #no-refresh-token-rotation

    Problem

    Refresh tokens that remain valid until expiration even if reused.

    Cost

    Refresh-token compromise persists. No signal for the IdP that something is wrong.

    Fix

    OAuth 2.1 refresh-token rotation: every /token call returns a new refresh token, invalidates the old. Reuse of the old = forced session invalidation.

  3. #13 Session cookies without Secure + HttpOnly + SameSite

    #session-cookie-without-secure-flags

    Problem

    Cookies missing one or more of `Secure`, `HttpOnly`, `SameSite=Strict`/`Lax`.

    Cost

    XSS leaks the session. CSRF works. Network attackers see the cookie.

    Fix

    All three flags. SameSite=Lax is the default; use Strict for high-stakes services.

  4. #14 Storing access tokens in localStorage

    #jwt-in-localstorage

    Problem

    JWT tokens in `localStorage` for SPA-side fetch authorization.

    Cost

    XSS exfiltration is trivial. Any third-party script you load can read every token.

    Fix

    HttpOnly cookie or sessionStorage with tight CSP. Backend-for-frontend pattern hides tokens from the browser entirely.

  5. #15 Bearer tokens with no sender constraint

    #no-token-binding

    Problem

    Access tokens that any party holding them can use against any client.

    Cost

    Token theft is full account takeover until the token expires.

    Fix

    DPoP (RFC 9449) or mTLS-bound tokens for high-value APIs. The token becomes useless without the original client's key.

Privileged access (5)
  1. #16 Standing domain admin accounts

    #standing-domain-admin

    Problem

    Always-on accounts with Domain Admin / Global Admin / root access.

    Cost

    A compromised endpoint = a compromised domain. The most-cited finding in red-team reports.

    Fix

    Zero standing privilege. JIT elevation via PAM platform with session monitoring + time-bounded grants.

  2. #17 Shared administrator credentials

    #shared-admin-credentials

    Problem

    One `admin` / `root` / `Administrator` credential used by multiple humans.

    Cost

    No non-repudiation. Lifecycle break when anyone leaves. Audit-finding magnet.

    Fix

    Individual privileged accounts vaulted via PAM with personal session attribution.

  3. #18 Service-account credentials in git history

    #service-accounts-in-git

    Problem

    API keys, DB passwords, AWS access keys committed to source control.

    Cost

    Forever-leaked. Even after a rotation, the old credential is in the repo history forever.

    Fix

    Secrets manager (Vault, AWS Secrets Manager, Doppler). Pre-commit hooks (gitleaks, trufflehog). For accidents, BFG Repo-Cleaner + immediate rotation.

  4. #19 Service accounts with no owner

    #untracked-service-accounts

    Problem

    Service / non-human accounts created over years with no documented owner.

    Cost

    Cannot be deprovisioned safely (nobody knows which systems depend on them). Accumulate excessive permissions. Most-common vector for lateral movement.

    Fix

    Every service account has a human or team owner in CMDB. Discovery sweep; orphan accounts get a 30-day "claim or we disable" window.

  5. #20 No session recording on production SSH / RDP

    #no-session-recording-on-prod

    Problem

    Privileged sessions on production systems are not recorded or audited.

    Cost

    Incident-response triage is "we don't know what they did." HIPAA / FedRAMP audit findings.

    Fix

    PAM session broker with session recording on all production privileged access. Replay-search the recordings on incident.

Identity governance (5)
  1. #21 Annual certification only

    #annual-certification-only

    Problem

    Access certifications run once a year for everyone, regardless of risk tier.

    Cost

    Findings accumulate for 11 months. Reviewer fatigue when 600 entitlements per reviewer all show up at once.

    Fix

    Risk-tiered cadence: high-risk apps quarterly, mid-risk semi-annually, low-risk annually. Event-driven recerts on role change.

  2. #22 Rubber-stamp certifications

    #rubber-stamp-recerts

    Problem

    Reviewers approve 95-99% of entitlements without context — they see a list of usernames and check approve-all.

    Cost

    The certification is theater. The audit finding catches it eventually.

    Fix

    Reviewer kits with last-login, entitlement diff, peer comparison. Risk-rank entitlements so high-risk ones surface first. Outlier highlighting (this user has access nobody else in their role has).

  3. #23 Joiner/Mover/Leaver via tickets

    #manual-jml-via-tickets

    Problem

    New-hire access via ServiceNow ticket. Role change by emailing IT. Termination via a Friday-afternoon email.

    Cost

    Average days-to-provision: 5-15. Average days-to-deprovision: longer. JML is the single biggest audit-finding source.

    Fix

    HRIS-driven automation. Workday / SuccessFactors fires events; IGA provisions in minutes. Termination triggers same-day deprovisioning.

  4. #24 No segregation-of-duties enforcement

    #no-sod-enforcement

    Problem

    SoD is a written policy but not enforced at request time.

    Cost

    A user can hold incompatible roles for months before an audit catches it. Material in regulated environments.

    Fix

    SoD rules in the IGA + access-request flow. Conflict surfaces at request time; resolution requires explicit risk acceptance.

  5. #25 Orphaned accounts after offboarding

    #orphaned-accounts

    Problem

    Terminated employees retain accounts in 30-50% of integrated apps because deprovisioning isn't connected.

    Cost

    Every orphaned account is a re-entry point. Common findings: ex-employees still in Salesforce, Slack, Atlassian months after termination.

    Fix

    Cross-system reconciliation. The IGA periodically reconciles HRIS active set against every connected app and flags orphans.

Customer identity (4)
  1. #26 No MFA on consumer accounts

    #no-mfa-on-consumer

    Problem

    Consumer surface protected by password only.

    Cost

    Credential-stuffing has a ~0.5-2% success rate on any reused-password population. ATO becomes inevitable at scale.

    Fix

    Risk-based MFA — challenge on new device / new geo / high-value action. Passkey enrollment for engaged users.

  2. #27 Email-only account recovery on a passkey account

    #email-recovery-on-passkey-account

    Problem

    "Forgot password? Enter your email" recovery flow on an account that's otherwise protected by a phishing-resistant passkey.

    Cost

    Recovery is now the weakest link. Attacker takes over the email; takes over the account. The passkey didn't help.

    Fix

    Pair passkey + backup codes + alternate device. If forced to use email recovery, require additional friction (manual review, device-trust check).

  3. #28 Username enumeration on signup / reset flows

    #username-enumeration-on-signup

    Problem

    Different error messages when an email exists vs doesn't — attacker can map the customer list.

    Cost

    Privacy violation + targeted phishing fuel.

    Fix

    Unified messaging on all account-existence-revealing flows. "If this email is registered, you'll receive an email."

  4. #29 No rate limit on /login or /authorize

    #no-rate-limit-on-login

    Problem

    The endpoint accepts an unlimited number of login attempts.

    Cost

    Trivial credential stuffing. Even bcrypt-hashed passwords can't save you if attackers send millions of attempts.

    Fix

    Per-IP + per-account rate limits. Bot mitigation (Akamai, Cloudflare). CAPTCHA escalation on abuse signals.
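The per-IP plus per-account rate limiting with CAPTCHA escalation prescribed in #29, as an added example that is not the catalog's own code: a sliding-window limiter keeps one bucket per source IP and one per (normalised) account, returns `allow`, `captcha` or `block`, and takes the worst decision across both dimensions. The thresholds are constructed for illustration, and the clock is injectable so the behaviour can be tested without waiting.

```python
# Added example: sliding-window login rate limiter keyed by IP and by account.
# Not the catalog's code; limits and CAPTCHA threshold are constructed.
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, per_ip: int = 100, per_account: int = 10,
                 captcha_at: float = 0.5, window: int = 60, clock=time.monotonic):
        self.limits = {"ip": per_ip, "account": per_account}
        self.captcha_at = captcha_at  # fraction of a limit at which CAPTCHA is required
        self.window = window          # seconds
        self.clock = clock
        self._hits: dict[tuple[str, str], deque] = defaultdict(deque)

    def _count(self, key: tuple[str, str]) -> int:
        """Drop timestamps older than the window and return how many remain."""
        q = self._hits[key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def check(self, ip: str, account: str) -> str:
        """Return 'allow', 'captcha' or 'block' for this attempt and record it.

        Attempts are recorded even when blocked, so a sustained flood stays blocked
        rather than being re-admitted as soon as the window slides.
        """
        account = account.strip().lower()  # case/whitespace variants share one bucket
        rank = {"allow": 0, "captcha": 1, "block": 2}
        worst = "allow"
        now = self.clock()
        for dim, ident in (("ip", ip), ("account", account)):
            key = (dim, ident)
            n = self._count(key)
            self._hits[key].append(now)
            limit = self.limits[dim]
            if n >= limit:
                decision = "block"
            elif n >= self.captcha_at * limit:
                decision = "captcha"
            else:
                decision = "allow"
            if rank[decision] > rank[worst]:
                worst = decision
        return worst
```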

Federation / SSO (4)
  1. #30 SAML AssertionConsumerServiceURL wildcards

    #saml-wildcard-redirect

    Problem

    SP allows multiple ACS URLs by wildcard (e.g. *.example.com).

    Cost

    A compromised subdomain becomes a SAML assertion exfiltration point. Compounds with sub-domain takeover risk.

    Fix

    Exact-match ACS URLs. No wildcards in SP metadata.

  2. #31 OAuth /authorize with no `state` parameter

    #oauth-no-state-parameter

    Problem

    Client doesn't send + verify the `state` parameter on /authorize.

    Cost

    CSRF on the OAuth callback. The attacker can plant a code that gets exchanged into the victim's session.

    Fix

    High-entropy `state` per /authorize call. Bind it to the user's session (typically signed cookie). Reject callbacks without matching state.

  3. #32 Trusting an ID Token without signature verification

    #no-id-token-signature-verification

    Problem

    RP decodes the ID Token JWT and uses the claims without verifying the signature against the IdP's JWKS.

    Cost

    Anyone can forge an ID Token. The whole OIDC trust model collapses.

    Fix

    Verify signature against the IdP's JWKS for every ID Token. Library defaults usually do this; verify yours does.

  4. #33 Legacy OAuth apps with standing elevated scopes

    #legacy-oauth-apps

    Problem

    OAuth client registrations accumulated over years, each with broad consent + tenant-wide scopes.

    Cost

    Midnight Blizzard / Microsoft 2024: a legacy non-production OAuth app with elevated scopes was the breach vector.

    Fix

    Audit the OAuth grant graph quarterly. Revoke unused. Migrate broad scopes to least-privilege.

Ops & evidence (2)
  1. #34 Audit evidence collected manually at quarter-end

    #manual-evidence-collection

    Problem

    Engineers take screenshots of admin panels two weeks before the audit.

    Cost

    Audit is theater. Evidence reflects the moment of capture, not the steady state. Hidden audit-prep cost is enormous.

    Fix

    Evidence-as-code. Continuously emit structured evidence to a long-term store from the IdP / PAM / IGA control plane.

  2. #35 No documented IAM incident runbook

    #no-iam-runbook

    Problem

    When the IdP has an outage or a credential is compromised, the response is improvised.

    Cost

    Incident MTTR is the time to figure out who has access to which dashboards + tools. The cost is highest exactly when it matters.

    Fix

    Documented runbook for each scenario: IdP outage, credential compromise, OAuth app compromise, vault compromise. Tested quarterly.

© 2026 askmeidentity, Inc.