In our earlier post, we explained why the browser is the ideal policy enforcement point (PEP) for modern work: universal, device-agnostic, and rich with user/session context. This article zooms in on Identity: how Seraphic ingests identity and risk signals, hardens authentication, and continuously governs sessions, especially on unmanaged and contractor devices, without proxies or app rewrites.
The identity problem (today)
Identity attacks rarely look like one big explosion. They're a drip-drip continuum:
- Pre-auth setup: consent phishing, look-alike IdP domains, risky extensions waiting on the login page.
- Auth moment: weak factors, AitM session token stealing, and session fixation.
- Post-auth sprawl: token theft, risky OAuth grants, data exfil via copy/download/AI-paste, sessions that keep "working" long after risk changes.
Traditional controls struggle here, especially on BYOD and third-party laptops that never see EDR agents or corporate networks. That's the coverage gap Seraphic closes by enforcing policy in the browser session itself.
Seraphic's identity protection model
1) Signals in (who is this, how risky is it, what changed?)
Seraphic consumes real-time signals from your ecosystem and converts them into immediate, per-app enforcement:
- IdP & standards: Okta, Ping, AAD via SSF/CAEP (risk changes, session revocations, anomalous logins).
- Endpoint/EDR: CrowdStrike et al. for device trust and compromise flags.
- SASE/ZTNA & DLP: app access decisions and data-handling rules.
- Threat intel & extension risk: block malicious extensions, risky domains, and shady OAuth flows.
Seraphic's role as a PEP is precisely to convert these inputs into consistent, in-browser enforcement on managed and unmanaged devices alike.
2) Controls across the identity journey
Pre-auth (before the login page)
- IdP hardening: tenant pinning and look-alike domain blocks prevent consent phishing and rogue SSO redirects.
- Extension hygiene on auth pages: detect and disable risky extensions that can keylog or harvest tokens.
- Contextual access: use device posture, location, or IdP/EDR risk to block or trigger step-up before credentials are entered.
- Prevent look-alike phishing: block sites that mimic legitimate login pages to steal credentials.
During auth
- Factor orchestration: require Passkeys/WebAuthn for sensitive apps; call an API to terminate sessions when needed.
- Form protections: stop auto-fill on unknown domains; prevent injected scripts from siphoning credentials.
Post-auth (active session control)
- Session containment: block attempted cookie/token theft.
- Adaptive "downgrade": if risk rises, flip the session to read-only, mask PII fields, or block Copy/Print/Download, app by app, without kicking the user out of everything.
- Targeted SLO (Single Logout): when risk becomes High (or access changes), log the user out of specific apps immediately.
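To make the "signals in, per-app enforcement out" loop concrete, here is an added example (not Seraphic's code) of a minimal receiver that verifies a CAEP Security Event Token and maps its event to a per-app action, mirroring the downgrade-versus-targeted-logout split described above. The app names and tiers, the shared secret, the audience and the subject are all constructed; real SSF transmitters normally sign SETs with an asymmetric key published via JWKS, and delivery (push/poll) and jti-based replay protection are assumed to happen upstream.

```python
import base64, hashlib, hmac, json
# Constructed shared secret; real SSF transmitters normally sign SETs with an asymmetric key published via JWKS.
SECRET = b"constructed-demo-secret"
# CAEP event-type URIs from the OpenID CAEP 1.0 specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
DEVICE_COMPLIANCE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
ASSURANCE_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change"
# Hypothetical per-app sensitivity tiers used to decide how hard to react.
APP_TIERS = {"hr-portal": "high", "crm": "medium", "wiki": "low"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_set(token: str, secret: bytes, audience: str) -> dict:
    """Check alg, signature and audience of a SET; return its claims or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour alg=none or a downgraded alg
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience or not isinstance(claims.get("events"), dict):
        raise ValueError("wrong audience or not a SET")
    return claims

def decide_actions(claims: dict) -> dict:
    """Map the SET's CAEP events to a per-app action: 'logout', 'read-only' or 'allow'."""
    events, actions = claims["events"], {}
    for app, tier in APP_TIERS.items():
        if SESSION_REVOKED in events:
            actions[app] = "logout"  # IdP revoked the session: targeted SLO for every app
        elif events.get(DEVICE_COMPLIANCE, {}).get("current_status") == "not-compliant":
            actions[app] = "logout" if tier == "high" else "read-only"  # downgrade, don't nuke
        elif events.get(ASSURANCE_CHANGE, {}).get("change_direction") == "decrease":
            actions[app] = "read-only" if tier != "low" else "allow"
        else:
            actions[app] = "allow"
    return actions

def make_sample_set(events: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256-signed SET carrying the given events (sample data only)."""
    header = b64url(json.dumps({"typ": "secevent+jwt", "alg": "HS256"}).encode())
    claims = {"iss": "https://idp.example", "aud": "browser-pep", "iat": 1700000000, "jti": "constructed-1",
              "sub_id": {"format": "email", "email": "user@example.com"}, "events": events}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"
```

A device-compliance change therefore logs the user out of the high-tier app only and downgrades the rest to read-only, while a session-revoked event logs them out everywhere.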
Why enforcing in the browser changes the identity game
- Coverage where agents can't go. Contractors and BYOD users still authenticate through a browser; Seraphic protects those flows and sessions directly.
- Faster time-to-contain. SOC and IdP risk events translate into instant actions: no waiting for tickets, proxies, or VPN hairpins.
- Granular, humane security. Don't nuke everything when one signal goes amber: downgrade only what's sensitive and keep people productive.
- Consistent policy, native UX. No isolation browsers or broken apps; users keep their normal Chrome/Edge experience.
Seraphic protects identities by turning the browser into a policy-enforcement point that understands who the user is, what device they're on, and what app they're touching, and then adapts authentication and session controls in real time (managed or BYOD). It enforces and augments identity providers' capabilities in the browser and adds continuous, per-app session controls, especially powerful on unmanaged devices.