Department of Computer Science, Royal Bhutan Institute of Technology, Thimphu, Bhutan
Abstract
Federated Single Sign-On (SSO) and Multi-Factor Authentication (MFA) systems have become foundational components of modern enterprise identity management infrastructures. Organizations increasingly rely on Security Assertion Markup Language (SAML), OAuth, and OpenID Connect (OIDC) frameworks to provide scalable authentication and authorization across distributed environments. However, the expansion of federated identity architectures has simultaneously increased the complexity of the threat landscape. Attack vectors such as token replay, golden SAML attacks, credential theft, session hijacking, phishing-based MFA bypass, and privilege escalation have exposed critical vulnerabilities within federated authentication ecosystems. This research presents a STRIDE-based threat modeling framework for analyzing attack vectors in SP-initiated SAML and OAuth deployments integrated with MFA and device fingerprinting controls. The study synthesizes existing literature on threat modeling methodologies, attack-centric risk analysis, and security design frameworks to establish a comprehensive analytical model for federated authentication security assessment. The proposed framework combines attack-centric and asset-centric approaches to identify vulnerabilities across authentication workflows, token exchange mechanisms, session management systems, and trust relationships between Identity Providers (IdPs) and Service Providers (SPs). The research further evaluates the role of device fingerprinting, adaptive MFA, behavioral monitoring, and layered defense strategies in mitigating sophisticated attacks. Findings indicate that traditional authentication controls are insufficient against advanced persistent threats targeting federated systems. The study demonstrates that integrating STRIDE analysis with contextual authentication mechanisms significantly improves threat visibility, attack detection capability, and cyber resilience. 
The research contributes a structured security assessment framework suitable for enterprise federated identity deployments and provides strategic recommendations for future authentication security architectures.
How to Cite
Prerna Thakur. (2026). Threat Modeling for Federated SSO and MFA Systems: STRIDE-Based Analysis of Attack Vectors. Frontiers in Emerging Artificial Intelligence and Machine Learning, 3(04), 21–34. Retrieved from https://irjernet.com/index.php/feaiml/article/view/400