6 Access Control Token Tricks
Chapter 6 begins a detailed look at dozens of examples of how to hack various multifactor authentication solutions. Specifically, we'll look into hacking the access control token, which is likely one of the oldest and most popular methods. Attacking the access control token usually means the attacker doesn't care what type of authentication was used, whether a single-factor password or a multifactor, biometric, or super-MFA device. An access control token hacker only cares about re-creating or stealing the resulting access control token, which in most cases is given to a subject after a successful logon.
Access Token Basics
Access control, in general, is a system or set of defined processes, people, and policies implemented to prevent unauthorized subjects from accessing protected resources. In the real world, it's the keys to your house and car. It's every guarded gate. It's a barbed wire–topped fence. It's every building key card entry system. Digital access control systems attempt to do the same with digital systems needing separate security domains for trusted and secure operations.
As you learned in Chapter 2, “Authentication Basics,” when a subject successfully authenticates, most authentication systems then generate and transmit an access control token (aka access token) to the subject, or more accurately to the processes running on behalf of the subject. The token can come in many forms. It is often in the form of a plaintext “cookie” ...
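The point above, that the resource server sees only the token and never the authentication that produced it, can be shown with a small added example (constructed for this page, not code from the book). A weak issuer builds the token from public facts, so the same value can be rebuilt with no logon at all; a hardened issuer adds a random ID, a server-keyed MAC, and an expiry. The key and field layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side signing key for the example; a real service keeps
# this in a secret store, never in source.
SERVER_KEY = b"constructed-example-key"

# --- Weak issuer: the token is built only from facts an outsider can know ---
def issue_weak_token(username: str, login_time: int) -> str:
    """base64(username:login_time). No secret goes in, so the value can be
    rebuilt by anyone without passing the logon, password or MFA."""
    return base64.urlsafe_b64encode(f"{username}:{login_time}".encode()).decode()

def verify_weak_token(token: str) -> Optional[str]:
    """The resource server only parses the token; it never learns how the
    presenter authenticated. Any well-formed token is accepted."""
    try:
        user, _ = base64.urlsafe_b64decode(token.encode()).decode().split(":", 1)
        return user or None
    except (ValueError, UnicodeDecodeError):
        return None

# --- Hardened issuer: random ID, server-keyed MAC, bounded lifetime ---------
def issue_signed_token(username: str, now: int, ttl: int = 900) -> str:
    """payload = random_id:username:expiry ; token = payload.HMAC(payload).
    The random ID makes the value unguessable, the MAC makes it unforgeable
    without SERVER_KEY, and the expiry limits how long a stolen copy works."""
    payload = f"{secrets.token_urlsafe(16)}:{username}:{now + ttl}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_signed_token(token: str, now: int) -> Optional[str]:
    """Return the user if the MAC matches and the token is unexpired."""
    try:
        payload, tag = token.rsplit(".", 1)
        _sid, user, expiry = payload.split(":")
        expires_at = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if now >= expires_at:
        return None
    return user
```

A stolen signed token is still a bearer credential until it expires; the hardened form stops re-creation, while theft is limited only by the TTL and whatever server-side revocation sits behind it.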