Threat Modeling for Federated SSO and MFA Systems: STRIDE-Based Analysis of Attack Vectors
Open Access
Suresh Ganpathy, Independent Researcher, USA

Abstract
Federated authentication systems based on Single Sign-On (SSO) and Multi-Factor Authentication (MFA) have become fundamental components of modern enterprise identity and access management architectures. Organizations increasingly depend on Security Assertion Markup Language (SAML), OAuth 2.0, OpenID Connect (OIDC), and federated identity ecosystems to support cloud computing, distributed services, zero-trust architectures, and remote work infrastructures. Although these technologies improve usability, interoperability, and centralized authentication management, they also introduce complex attack surfaces involving identity providers, service providers, token exchanges, session management, trust relationships, and authentication workflows. Attack vectors such as token replay, credential theft, session hijacking, golden SAML attacks, MFA fatigue attacks, OAuth token abuse, and impersonation threats demonstrate the growing sophistication of adversaries targeting federated authentication environments. This study develops a comprehensive STRIDE-based threat modeling framework for analyzing attack vectors in federated SSO and MFA systems, particularly focusing on Service Provider (SP)-initiated SAML and OAuth deployments integrated with device fingerprinting and adaptive authentication controls.
The research synthesizes existing cybersecurity literature related to threat hunting, attack attribution, intrusion detection, cyber threat modeling, and defensive architectures to construct a structured analytical model for federated authentication ecosystems. The study evaluates threats across authentication phases including identity assertion generation, token transmission, session establishment, MFA verification, and trust federation management. The paper further examines how threat intelligence methodologies, MITRE ATT&CK mapping approaches, behavioral analysis, anomaly detection, and deception-based defensive techniques contribute to identifying and mitigating advanced authentication attacks. The proposed framework categorizes threats according to STRIDE dimensions—Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege—while analyzing their operational implications within enterprise infrastructures.
The findings indicate that federated identity systems are highly vulnerable to privilege escalation and identity manipulation when trust relationships are insufficiently validated or when token integrity protections are weak. Device fingerprinting, behavioral analytics, adaptive MFA enforcement, token-binding mechanisms, and continuous threat hunting significantly improve resilience against advanced adversarial techniques. However, limitations remain regarding privacy concerns, false positives, federation scalability, and cross-domain trust dependencies. The study contributes a structured threat modeling methodology for securing federated identity ecosystems and provides practical recommendations for strengthening SSO and MFA deployments in enterprise and cloud environments.
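As an added illustration (not code from the paper), the following simplified SP-side SAML assertion validator maps each rejected check to one of the STRIDE dimensions the abstract lists; it shows why a valid signature alone does not stop replay or cross-SP token reuse. The HMAC stands in for XML-DSig so the example runs offline, and the issuer/audience URLs, key and assertion fields are constructed placeholders.

```python
import hmac
import hashlib
import time

# Constructed stand-ins: a real SP verifies the IdP's XML-DSig signature with
# the IdP's public certificate, not a shared HMAC key.
IDP_KEY = b"constructed-idp-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "https://sp.example.test"
SEEN_ASSERTION_IDS = set()   # replay cache; keep entries for the assertion lifetime
PENDING_REQUESTS = set()     # AuthnRequest IDs issued by this SP (SP-initiated flow)


def sign(assertion, key=IDP_KEY):
    """Detached signature over the canonicalised assertion fields (XML-DSig stand-in)."""
    msg = "|".join(f"{k}={assertion[k]}" for k in sorted(assertion)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def validate(assertion, signature, now=None):
    """Return (accepted, reason, stride_category); category is None when accepted."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign(assertion), signature):
        return False, "signature mismatch", "Tampering"           # modified in transit
    if assertion["issuer"] != EXPECTED_ISSUER:
        return False, "unexpected issuer", "Spoofing"              # untrusted IdP
    if assertion["audience"] != EXPECTED_AUDIENCE:
        # Genuine token minted for another SP being presented here.
        return False, "audience restriction failed", "Elevation of Privilege"
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "outside validity window", "Spoofing"        # stale assertion
    if assertion["id"] in SEEN_ASSERTION_IDS:
        return False, "assertion ID already consumed", "Spoofing"  # token replay
    if assertion["in_response_to"] not in PENDING_REQUESTS:
        return False, "unsolicited or mismatched InResponseTo", "Spoofing"
    SEEN_ASSERTION_IDS.add(assertion["id"])                        # one-time use
    PENDING_REQUESTS.discard(assertion["in_response_to"])
    return True, "accepted", None


if __name__ == "__main__":
    PENDING_REQUESTS.add("_req-demo")
    demo = {"id": "_a-demo", "issuer": EXPECTED_ISSUER, "audience": EXPECTED_AUDIENCE,
            "not_before": 1000, "not_on_or_after": 1300, "in_response_to": "_req-demo"}
    sig = sign(demo)
    print(validate(demo, sig, now=1100))   # accepted on first use
    print(validate(demo, sig, now=1100))   # same assertion again: replay, Spoofing
```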
Keywords
Federated Authentication, Single Sign-On, Multi-Factor Authentication, STRIDE Threat Modeling, SAML Security, OAuth Security, Golden SAML Attack, Token Replay, Device Fingerprinting, Identity and Access Management
Copyright License
Copyright (c) 2024 Suresh Ganpathy

This work is licensed under a Creative Commons Attribution 4.0 International License.