Product & Engineering

Duo Passport’s patent-pending defense against session hijacking

At Duo, we've been obsessed with a growing threat that keeps security teams up at night: session hijacking. Recently, we announced a patent-pending breakthrough that marks a fundamental shift in how we think about authentication security. According to the 2024 IBM X-Force Threat Intelligence Index, use of stolen credentials to access valid accounts surged 71% over the previous year and represented 30% of all incidents X-Force responded to, tied with phishing as the top initial-access vector. Duo Passport, with its built-in Session Token Theft Protection, directly addresses these escalating threats.

In 2024 alone, 60% of all Cisco Talos incident response cases involved identity as a key attack vector, with session theft emerging as an attacker's favorite shortcut around even the most sophisticated MFA implementations. We're facing an "identity crisis" in which attackers no longer need to hack in; they simply log in using stolen credentials or stolen sessions. At Duo, we knew we had to do more than incrementally improve existing defenses.


Understanding the threat

Session token theft exploits a fundamental weakness in how web authentication has worked for decades. When a user authenticates, the application issues a session cookie that the browser sends with every subsequent request to keep the user logged in. That cookie is a bearer token: the server trusts whoever presents it, with no check that the presenter is the browser or device it was issued to. Attackers have become increasingly skilled at stealing these tokens through malicious JavaScript (where cookies are not marked HttpOnly), infostealer malware such as RedLine (often dropped by loaders such as Emotet), or adversary-in-the-middle phishing proxies that capture the cookie after the victim has completed MFA. Once they have the session token, they effectively have the user's digital identity: the stolen session is already past the password and MFA checks, so those controls, and most others that gate the login, are bypassed.

Existing solutions treat the symptoms while ignoring the core issue: session trust shouldn't exist as a separate, portable artifact (think cookies) that is equally valid on whichever browser or machine it ends up on.

Our innovative approach: Authentication without cookies

Duo Passport's Session Token Theft Protection is a breakthrough in authentication security. It removes session cookies from the Duo authentication flow entirely, relying instead on the hardware-backed key storage built into modern devices, such as the Trusted Platform Module (TPM) 2.0 on Windows or the Secure Enclave on macOS, which generate and hold private keys that cannot be exported from the device. Although individual applications may still use their own session tokens after authentication, Duo Passport secures the critical foundation it controls (the Duo authentication step itself), significantly reducing the risk of session hijacking. This enhanced protection is delivered while preserving Passport's premium user experience of seamless access without repetitive logins. Cisco successfully reduced weekly logins from 8 million to 450,000 by deploying Duo Passwordless, Risk-Based Authentication, and Duo Passport.

"We looked at some awesome numbers today. Happy to report that we have cut down logins to Outlook by almost 50%. 52% of auths for Outlook are now covered by Passport silent login in the last 30 days. Thanks to Duo for making this happen!"

IT Team Member, Cisco

Core benefits we're delivering:

  • Hardware-backed security that's phishing-resistant

  • Dramatic reduction in authentication friction

  • Platform-agnostic protection (Windows and macOS)

  • Simple deployment through existing Duo infrastructure

  • No vendor lock-in or ecosystem limitations

Transforming security and user experience simultaneously

Duo Passport solves two seemingly opposing challenges: reducing authentication fatigue while significantly strengthening security. Our customers often told us that constant MFA prompts wore down their users. Duo Passport streamlined this experience by allowing users to authenticate once and access multiple applications across browsers and desktop apps without interruption. Now, in addition to that, it includes built-in protection against session hijacking attacks. In fact, Cisco's own deployment of Duo Passport Session Theft Protection led to a remarkable 52% decrease in cookie-based authentications within 30 days, directly reducing the risk of session hijacking.

Why this changes everything

Looking at the competitive landscape, we see fundamental differences in approach. Microsoft's token protection works well, if you're all-in on Windows and their ecosystem. Okta focuses on adaptive MFA, which helps but doesn't address the root vulnerability: a portable session artifact. We've taken a different path: platform-agnostic, hardware-backed protection that works across your entire enterprise environment.

Together with Cisco Identity Intelligence, Duo Passport creates a foundation for continuous identity verification that adapts to changing risk conditions. Your organization needs an identity infrastructure that grows stronger as attackers become more sophisticated, one that enhances user productivity while minimizing risk in an increasingly dangerous threat landscape. The real question isn't whether session theft attacks will target your organization; it's whether you'll be ready and protected when they do.

Get started with Duo IAM

Duo Passport Session Theft Protection is currently in public preview. Read more on how Duo helps organizations secure end-to-end phishing resistance.

Start a free trial of Duo’s advanced identity security today.