August 2024: Key Rotation and 2FA Limits
Invest in key rotation, secret hygiene and practical 2FA patterns.

August 2024 was about moving from response to resilience. The CosmicSting incident in June highlighted weak spots in secret hygiene and access controls. In August, the emphasis turned to disciplined key rotation, practical 2FA, and removing long-lived credentials across the stack - from Adobe Commerce admin to Git providers and CI/CD.
Keys and tokens: automate rotation for API keys, webhooks and service accounts. Store secrets in a managed vault and eliminate static credentials in repositories. Prefer short-lived tokens with explicit scopes over broad, indefinite keys. For CI, adopt OIDC-based federation where supported so runners request short-lived credentials dynamically instead of storing tokens.
2FA in practice: enforce WebAuthn (hardware keys or platform authenticators) for privileged admin and developer accounts. Pair it with SSO so deprovisioning is centralised. Where 2FA disrupts service-to-service automation, replace it with signed, short-lived tokens and strong audit trails rather than bypassing controls entirely.
Developer supply chain: disable personal access tokens (PATs) for automation, restrict repo secrets to the minimum, require code reviews on protected branches and enable signing (Sigstore or GPG) for releases. Run software composition analysis (SCA) and image scanning on every build, and generate SBOMs to speed up response when advisories land.
Recommended steps:
- Automate secret rotation; migrate secrets to a vault; remove credentials from code and config.
- Adopt OIDC for CI/CD where available; otherwise use scoped tokens with short TTLs.
- Mandate WebAuthn-based 2FA for admins and developers; enforce SSO with least-privilege roles.
- Tighten repository controls: disable PATs for bots, restrict secrets, require reviews and signed releases.
- Continuously scan dependencies and container images; publish SBOMs with each release.
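The OIDC-based CI federation recommended above (replacing a stored cloud key with credentials the runner requests per job) looks like this in practice. This is an added example, not from the original article; it assumes GitHub Actions deploying to AWS, and the account id, role name, repository and region are placeholders.

```yaml
# Added example, not part of the original article. Assumes GitHub Actions
# deploying to AWS; account id, role name, repo and region are placeholders.

# BEFORE: a long-lived IAM access key stored as a repository secret.
# It never expires, is shared by every workflow run, and must be rotated by hand.
#      - uses: aws-actions/configure-aws-credentials@v4
#        with:
#          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
#          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
#          aws-region: eu-west-2

# AFTER: OIDC federation. The runner requests a short-lived ID token from
# GitHub and exchanges it for temporary STS credentials; nothing is stored.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token
  contents: read    # least privilege for everything else

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy-placeholder
          role-session-name: gha-${{ github.run_id }}   # visible in CloudTrail
          aws-region: eu-west-2
      - run: aws sts get-caller-identity   # confirms the assumed, time-limited role

# The IAM role's trust policy must pin the token's audience and subject,
# otherwise any GitHub repository could assume the role:
#   "Condition": {
#     "StringEquals": {
#       "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
#       "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"
#     }
#   }
```

The `sub` condition is the control that makes this safer than a shared key: it ties the role to one repository and branch, so rotating the key becomes unnecessary and a leaked workflow log exposes only credentials that expire within the hour.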
These changes reduce the blast radius of credential leaks and make incidents easier to contain. The earlier you institutionalise them, the safer peak season will be.