Episode #290 - Authentication Fatigue, Browser AI Agents

This week on the 290th episode of Absolute AppSec, Ken (@cktricky) returns after a brief hiatus to summarize some AppSec news with Seth (@sethlaw). Today, they discussed authentication fatigue from both consumer's and developer's perspectives. The abundance of choice when implementing security controls can lead to unintended consequences and introduce risks that may or may not be considered. Following this discussion, Seth and Ken talk through research from SquareX, which claims that Browser AI Agents are riskier and easier to target than employees. Seth and Ken share their opinions on phishing and protections against consumer/business targeting by attackers. To find this episode, go to https://www.youtube.com/@AbsoluteAppSec, or stream us wherever you get your podcasts.

Our hosts start by pulling up an article in VentureBeat guest-authored by Twilio’s own Anurag Dodeja, titled ‘Identity theft hits 1.1M reports — and authentication fatigue is only getting worse’. This problem resonates with many, from businesses to developers, but is especially relevant to those involved in dynamic testing. The article specifically cites authentication fatigue as a contributing factor to the current identity theft crisis. There is a myriad of authentication options available today, from traditional username/password to 2FA, MFA, passkeys, user presence, and WebAuthn, which have significantly increased compared to when Seth and Ken started in the industry. This proliferation of options, though, combined with less secure methods like texts for sending codes, contributes to user confusion and makes them susceptible to account takeover. The article introduces the concept of a “signal-driven future” with continuous signals for authentication. Some elements of this already exist, such as flagging rapid IP changes or anomalous requests to stop nefarious activity. However, this is primarily for stopping suspicious behavior rather than continuously authenticating a user, and has yet to be widely implemented. Complexity, especially around authentication and authorization, makes systems harder to secure. The industry has recurring conversations about eliminating passwords or 2FA/MFA, but the reality of many standards and implementation methods means that complexity is inevitable. The only way to move forward is to create and set a shining example of a new standard.

Next, they look at a SquareX article titled ‘Browser AI Agents: The New Weakest Link’ that Can Feed Your Credentials and Data to Attackers.’ Browser AI agents can act on behalf of users, often with user context, credentials, and information, which can be abused. This is not surprising to our hosts, as it’s a natural progression from prompt injection. If an AI agent is instructed to give its credentials to a malicious website, it will likely do so due to a lack of built-in guardrails. The issue, Seth says, lies with custom AI agents and updates that place too much trust in these tools. He warns that AI agent configurations will inevitably be exposed, leading to credential leaks. Absolute AppSec stresses the importance of having detection mechanisms and incident-response processes in place for these new threats.

Ken disagrees with the article’s premise that humans are trained on web security risks while AI agents are not. He believes phishing training for humans has largely fallen out of favor as a primary defense. Instead, he argues that browsers have implemented significant protections against credential theft and session hijacking. However, this isn’t true for code that scrapes the web, which essentially performs “authorized SSRF” (Server-Side Request Forgery) by making HTTP requests on a user’s behalf with their credentials. This introduces new considerations around how responses are parsed and whether the LLM can be prompted to make unintended requests. Seth agrees that AI agents making autonomous requests will become more prevalent, especially with new AI workflow tools that handle credentials. He reiterates that phishing training is still around in large organizations, and the most effective outcome is detection and reporting, which AI tools can track more effectively than humans. However, phishing now extends beyond corporate email to texts and other communication avenues, requiring proactive vigilance from both organizations and users.

Beat the summertime rays with the tested and approved slightly pre-stressed Dad hat. Visit our merch store to find it and other nice podcast swag.

And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

Related Episodes

https://www.youtube.com/watch?v=Z8ZIZxgmX5Q - Episode #186 - Security Trainings, Web3 Bounties, MFA Fatigue - The MFA Fatigue bubbles up during a discussion of the details behind the Uber attack. Seth and Ken discuss an article that highlights that hackers are seeing this relative of authentication fatigue as a fruitful avenue to major exploits.

https://www.youtube.com/watch?v=VFcojWV50rA- Episode #234 - Password Analysis, GitHub Copilot – More authentication discussion here as Seth and Ken look at another release of data that suggests organizations and individuals have weak password practices.

https://www.youtube.com/watch?v=4LwH8tN--B0 - Episode #151 - Secure Code Review, Software Interdependency - This episode begins with a close secure-code review of an authentication scheme. Then discussion of how software interdependence leads to potential security gaps in authentication and authorization controls. Similar issues as seen in this week’s Browser AI Agents security risks as well as what we’ve seen in MCP servers.

Absolute AppSec Happenings

https://www.anthropic.com/research/project-vend-1 - “Project Vend: Can Claude run a small shop? (And why does that matter?)” The folks at Anthropic spin up an agent that can independently run a small business. What ensues provides some comedy but also points at some concerns for the future integration of AI systems into economic systems. The Anthropic team promises more to come….

https://owasp.org/www-project-fiasse/- In the Absolute AppSec Slack, Alton Crossley clues us in on the work he’s doing in OWASP’s Framework for Integrating Application Security into Software Engineering (FIASSE). Some good goals to make CWEs legible to developers in this project. Alton explains more in the thread in the podcast slack, but there already is a good deal of documentation about the project’s way forward at the link above.

https://www.techpolicy.press/cloudflare-wades-into-the-battle-over-ai-consent-and-compensation/ - “Cloudflare Wades into the Battle Over AI Consent and Compensation” - Cloudflare puts a new arrow in its quiver aimed at blocking AI crawlers by default. The article talks about the implications of counteracting the hunger of AI models for more data to ingest through infrastructure obstacles, rather than through copyright lawsuits after the fact. A lot to dig in on.

Upcoming Events

Where in the world are Seth and Ken?

July 17-18, 2025 - Practical Secure Code Review - AI Enhanced - Given the recent demand, the duo returns with a virtual training with all the AI updates that continually evolve. For an example of the information covered in the course, Seth and Ken have shared a recent video from the course on authorization. Check that out here: https://www.youtube.com/watch?v=ROtATgLQ5mU

August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.