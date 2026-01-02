The National Institute of Standards and Technology (NIST) released a new draft report warning that weaknesses in how digital tokens and assertions are protected, validated, and revoked continue to pose a serious risk to federal information systems and cloud-based services.

The report, Protecting Tokens and Assertions from Forgery, Theft, and Misuse, focuses on the cryptographic objects that modern systems use to authenticate users, devices, and software services and to authorize access to applications and data.

These tokens and assertions are widely used across federal agencies and commercial cloud environments to enable delegated access and identity federation, allowing a single authentication event to support access to multiple systems.

However, as federal systems continue to rely more heavily on distributed and cloud-based services, NIST’s report makes clear that tokens and assertions are no longer a background implementation detail. Instead, they represent a critical control point, one that demands careful design, rigorous protection, and continuous oversight to prevent misuse.

According to NIST, failure to properly protect and validate these mechanisms can allow attackers to bypass authentication controls entirely and gain unauthorized access even when multifactor authentication is in place. The report emphasizes that once a valid token is accepted by an application or service, many traditional security controls are no longer effective, because the token itself is the proof of identity the downstream system relies on.

The guidance was developed by NIST’s Information Technology Laboratory with input from the Cybersecurity and Infrastructure Security Agency and the National Security Agency. It is intended to inform implementation of recent updates to NIST Special Publication 800-53, the federal government’s primary cybersecurity control framework, as agencies and cloud service providers respond to a series of high-profile compromises involving token misuse.

The report draws lessons from recent incidents in which attackers obtained cryptographic signing keys or exploited weaknesses in token validation processes. In several cases, attackers were able to generate or reuse tokens that appeared legitimate to applications and services, enabling access to email systems, internal data repositories, and administrative interfaces.

NIST notes that these incidents were not caused by a single software flaw, but by a combination of weak key protection, overly broad trust relationships, and insufficient validation of token contents.

In cloud environments where identity services are shared across many customers, failures to properly scope signing keys or enforce strict audience restrictions increased the impact of a single compromise.

“These events demonstrate that compromise of token signing keys can undermine the security of entire systems,” the report says, adding that token-based authentication mechanisms are now a primary target for sophisticated attackers.

A recurring theme throughout the report is the division of responsibility between cloud service providers and the agencies that use their services. While providers operate the underlying infrastructure and identity services that issue tokens, agencies are responsible for configuring those services, determining acceptable token lifetimes, enforcing access policies, and monitoring for misuse.

NIST cautions against assuming that token security is fully handled by cloud platforms by default. Agencies are expected to understand how tokens are generated, what claims they contain, how they are validated, and under what conditions they are accepted. At the same time, providers are encouraged to design identity services that support strong key isolation, flexible configuration, and clear mechanisms for revocation and recovery.

The report warns that mismatches in expectations between agencies and providers have repeatedly created gaps in token protection, particularly when tokens issued in one context are accepted by systems in another without sufficient verification.

The report pays particular attention to authentication mechanisms that rely on self-contained tokens rather than centrally managed session state. These designs are widely used in distributed and cloud-based systems because they scale efficiently and support cross-domain access.

However, because the token itself carries the information needed to authorize access, it remains valid until it expires unless additional controls are in place.

NIST explains that this characteristic limits the ability to immediately revoke access once a token has been issued. As a result, the report recommends shorter token lifetimes, careful selection of token claims, and additional monitoring to detect misuse during the token’s validity period.

The guidance distinguishes these designs from approaches that rely on centrally maintained session information, which can be terminated more easily, but acknowledges that self-contained tokens are often necessary in modern architectures.

The most detailed technical guidance in the report concerns cryptographic signing keys, which NIST identifies as the most critical element in token security. These keys are used to sign tokens and assertions so that applications and services can verify their authenticity. If a signing key is compromised, an attacker may be able to produce tokens that appear valid to any system that trusts that key.

NIST recommends that signing keys be generated, stored, and used in accordance with federal cryptographic standards, with stronger protections required for moderate- and high-impact systems.

Hardware-based key protection mechanisms are strongly encouraged for these environments to reduce the risk of key extraction.

The report also emphasizes the importance of limiting how broadly a signing key is trusted. Keys trusted by multiple systems or tenants should have shorter cryptoperiods (defined usage periods) than keys dedicated to a single system. Automated processes for tracking key inventories, enforcing cryptoperiods, and rotating keys are highlighted as essential controls.

Equally important, NIST stresses the need for clear and enforceable procedures for revoking and destroying cryptographic signing keys. When a signing key is retired or suspected of compromise, it must be removed from trust metadata, no longer accepted for token validation, and securely destroyed to prevent further use.

The report emphasizes that agencies and cloud service providers must be able to invalidate affected keys in a coordinated and timely manner to limit the scope and duration of a breach.
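The three preceding paragraphs describe a key-lifecycle process rather than code, so the following is an added illustration, not material from the NIST report: a small rotation job that keeps a signing-key inventory, enforces a shorter cryptoperiod for keys shared across systems or tenants, publishes only active keys as trust metadata, and moves a retired or compromised key toward destruction. The cryptoperiod and grace-period values, the key identifiers, and the `SigningKey` record are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Illustrative policy values (assumptions for this example, not figures from the report): a key
# trusted by many systems or tenants gets a shorter cryptoperiod than a single-system key, and a
# retired key may sit in inventory only briefly before it must be destroyed.
CRYPTOPERIOD = {"dedicated": timedelta(days=365), "shared": timedelta(days=90)}
RETIRE_GRACE = timedelta(days=7)


@dataclass
class SigningKey:
    kid: str
    scope: str                           # "dedicated" (one system) or "shared" (many systems/tenants)
    created: datetime
    status: str = "active"               # active -> retired -> destroyed
    retired_at: Optional[datetime] = None
    suspected_compromise: bool = False


def trust_metadata(inventory: List[SigningKey]) -> List[str]:
    """Key identifiers published to verifiers. Only active keys are listed, so retiring a key is
    what removes it from what relying parties will accept."""
    return [k.kid for k in inventory if k.status == "active"]


def due_action(key: SigningKey, now: datetime) -> str:
    """What the rotation job must do with one key at time `now`."""
    if key.status == "active" and key.suspected_compromise:
        return "revoke"   # out of trust metadata now, no successor-first handover
    if key.status == "active" and now - key.created >= CRYPTOPERIOD[key.scope]:
        return "rotate"   # cryptoperiod reached: issue a successor, then retire this key
    if key.status == "retired" and now - key.retired_at >= RETIRE_GRACE:
        return "destroy"
    return "none"


def run_rotation(inventory: List[SigningKey], now: datetime) -> Dict[str, str]:
    """Apply every due action in place and return {kid: action} for the audit log."""
    actions = {}
    for key in list(inventory):
        action = due_action(key, now)
        actions[key.kid] = action
        if action == "rotate":
            inventory.append(SigningKey(kid=f"{key.scope}-key-{now:%Y%m%d}", scope=key.scope, created=now))
            key.status, key.retired_at = "retired", now
        elif action == "revoke":
            # A compromised key gets no grace period: retire it with the destruction deadline already past.
            key.status, key.retired_at = "retired", now - RETIRE_GRACE
        elif action == "destroy":
            key.status = "destroyed"   # the key material itself would be deleted from the HSM/KMS here
    return actions


def build_inventory(now: datetime) -> List[SigningKey]:
    """Constructed inventory with one key in each interesting state."""
    return [
        SigningKey("records-key-2025", "dedicated", now - timedelta(days=200)),
        SigningKey("tenant-key-2025", "shared", now - timedelta(days=120)),
        SigningKey("mail-key-2025", "dedicated", now - timedelta(days=30), suspected_compromise=True),
        SigningKey("legacy-key-2024", "dedicated", now - timedelta(days=400), status="retired",
                   retired_at=now - timedelta(days=10)),
    ]


def run_demo() -> dict:
    """Two nightly runs of the rotation job over the constructed inventory, one day apart."""
    day1 = datetime(2026, 1, 2, tzinfo=timezone.utc)
    inventory = build_inventory(day1)
    out = {"before": trust_metadata(inventory)}
    out["day1_actions"] = run_rotation(inventory, day1)
    out["after_day1"] = trust_metadata(inventory)
    out["day2_actions"] = run_rotation(inventory, day1 + timedelta(days=1))
    out["after_day2"] = trust_metadata(inventory)
    out["destroyed"] = sorted(k.kid for k in inventory if k.status == "destroyed")
    return out
```

The point of `trust_metadata` is that verifiers never see a retired key: a key leaves the published set the moment it is revoked or rotated, and destruction follows on a fixed deadline, so the two halves of the coordinated revocation the report asks for (stop accepting, then destroy) are driven by inventory state rather than by someone remembering to do them.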

Beyond key protection, the report calls for stricter and more consistent validation of tokens and assertions by applications, APIs, and other protected resources. Systems that accept tokens are expected to verify not only the cryptographic signature, but also the issuer, intended audience, issuance time, expiration time, and other required claims before granting access.

NIST notes that failures to enforce these checks uniformly have been a recurring factor in successful token-based compromises. In some cases, applications accepted tokens issued for different services or environments, or failed to enforce expiration times correctly, allowing attackers to replay stolen tokens well after they should have been useless.
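The validation checklist in the two preceding paragraphs, and the short-lifetime and retired-key rules from earlier in the report, are easiest to see as one verifier. The following is an added example written for this page, not code from NIST: it verifies a compact JWT-style token against local trust metadata and rejects the failure modes the report lists (a token signed by a retired key, a token for a different service, an expired token, a token with a longer validity window than policy allows, a forged signature, and an `alg: none` header). It uses HMAC-SHA256 and only the standard library so it runs offline; a real federation deployment would use asymmetric keys from the issuer's published key set, but the claim checks are the same. The issuer, audience, key identifiers, secrets and timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust metadata for one resource server: the signing keys it accepts, the
# algorithm each key is bound to, and whether the key is still in service. A real deployment
# loads this from the issuer's published key set; every identifier and secret here is made up.
TRUSTED_KEYS = {
    "idp-key-2026-01": {"alg": "HS256", "secret": b"example-only-secret", "status": "active"},
    "idp-key-2025-07": {"alg": "HS256", "secret": b"rotated-out-secret", "status": "retired"},
}
EXPECTED_ISS = "https://idp.example.gov"      # hypothetical issuer
EXPECTED_AUD = "api://records.example.gov"    # hypothetical audience identifier of this service
MAX_LIFETIME = 900   # seconds; tokens minted with a longer validity window violate local policy
CLOCK_SKEW = 60      # seconds of issuer/verifier clock drift tolerated


class TokenRejected(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict, secret: Optional[bytes] = None) -> str:
    """Issue a compact HS256 token. Anyone holding the key can do this, which is why key protection
    matters; passing `secret` lets the example sign with a key that is not in the trust set."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    key = TRUSTED_KEYS[kid]["secret"] if secret is None else secret
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + _b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Accept a token only if key status, algorithm, signature, issuer, audience and time window all pass."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError) as exc:
        raise TokenRejected("malformed token") from exc
    # Key lookup against local trust metadata: unknown or retired keys are never accepted, so
    # removing a key from this set is the revocation step the report describes.
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None or key["status"] != "active":
        raise TokenRejected("unknown or retired signing key")
    # Pin the algorithm to the key entry; the header's own alg value is attacker-controlled.
    if header.get("alg") != key["alg"]:
        raise TokenRejected("algorithm mismatch")
    expected = hmac.new(key["secret"], (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    # Claim checks: a valid signature from a trusted key is necessary, not sufficient.
    if payload.get("iss") != EXPECTED_ISS:
        raise TokenRejected("wrong issuer")
    aud = payload.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not intended for this audience")
    if not all(isinstance(payload.get(c), (int, float)) for c in ("iat", "exp")):
        raise TokenRejected("missing iat or exp claim")
    if payload["exp"] <= now - CLOCK_SKEW:
        raise TokenRejected("token expired")
    if max(payload["iat"], payload.get("nbf", payload["iat"])) > now + CLOCK_SKEW:
        raise TokenRejected("token not yet valid")
    if payload["exp"] - payload["iat"] > MAX_LIFETIME:
        raise TokenRejected("token lifetime exceeds policy")
    return payload


def run_cases(now: float = 1_767_312_000.0) -> dict:
    """Run the verifier over constructed tokens; returns {case: "accepted" or the rejection reason}."""
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user@example.gov", "iat": now - 10, "exp": now + 600}
    cases = {
        "valid": mint_token("idp-key-2026-01", base),
        "retired_key": mint_token("idp-key-2025-07", base),
        "other_service_audience": mint_token("idp-key-2026-01", {**base, "aud": "api://mail.example.gov"}),
        "expired": mint_token("idp-key-2026-01", {**base, "iat": now - 2000, "exp": now - 1000}),
        "lifetime_too_long": mint_token("idp-key-2026-01", {**base, "exp": now + 86400}),
        "forged_with_guessed_key": mint_token("idp-key-2026-01", base, secret=b"attacker-guess"),
        # Header rewritten to alg=none with an empty signature; must fail on the pinned algorithm.
        "alg_none": _b64url_encode(json.dumps({"alg": "none", "kid": "idp-key-2026-01"}).encode())
        + "." + _b64url_encode(json.dumps(base).encode()) + ".",
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_token(token, now=now)
            results[name] = "accepted"
        except TokenRejected as exc:
            results[name] = str(exc)
    return results
```

Two design choices matter more than the rest. The algorithm is taken from the local key entry, never from the token header, which closes the `alg: none` and algorithm-confusion paths. And the verifier enforces a maximum lifetime of its own (`MAX_LIFETIME`) rather than trusting whatever `exp` the issuer chose, which is how a relying party applies the report's short-lifetime recommendation even when it does not control the issuer's configuration.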

The guidance also cautions against relying solely on token validity when making access decisions. While the report does not prescribe a specific architectural model, it encourages integrating additional context and policy enforcement mechanisms where appropriate, particularly for systems handling sensitive data.

While the report itself is not a regulation, it is likely to influence how federal agencies implement identity controls and how cloud service offerings are evaluated under programs such as FedRAMP. The guidance aligns with broader federal efforts to strengthen identity assurance and reduce reliance on implicit trust between systems.

NIST positions token protection as a foundational requirement for modern federal systems, and notes that identity mechanisms increasingly serve as the primary gatekeeper for access to data and services. Weaknesses in those mechanisms, NIST argues, can negate investments in other security controls.

The document has been released as an initial public draft, and NIST is soliciting feedback from federal agencies, cloud providers, and security practitioners. Areas of interest include recommended token and key lifetimes, the feasibility of key isolation requirements in large cloud environments, and the maturity of standards referenced in the guidance.

NIST plans to incorporate public comments before finalizing the report later this year. Once finalized, the guidance is expected to shape agency security architectures, procurement requirements, and risk assessments related to identity and access management.

