MFA and encryption reduce risk, but they do not fully prevent live proxy attacks. If the attacker can relay the authentication flow or impersonate the endpoint, they can still capture credentials, session tokens, or sensitive interaction data. That is why identity assurance has to extend beyond first login and include endpoint verification, session integrity, and least-privilege access.
Why This Matters for Security Teams
MFA and encryption are necessary controls, but they do not prove that the right endpoint, session, or tool chain is being used once authentication begins. A live attacker can proxy the login, relay one-time codes, and inherit the resulting session, which is why the risk does not end at the second factor. NHI Management Group’s Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, showing how often identity compromise becomes the real attack path.
For practitioners, the mistake is treating MFA as a boundary rather than one signal in a broader assurance chain. Encryption also has limits: it protects data in transit, but not the trust relationship if the attacker is sitting in the middle of the session. That is why current guidance increasingly pairs MFA with device posture, phishing-resistant authentication, token binding where available, and continuous session checks. The attack succeeds when the organisation assumes that successful login equals trusted access. In practice, many security teams encounter proxy-based compromise only after anomalous actions, token reuse, or impossible travel alerts have already appeared.
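The signals named above (token reuse and impossible travel) can be checked directly in authentication logs. The following is an added example, not code from the original article: it parses a constructed log format (the field names `user`, `token`, `ip`, `geo`, `ua` and the one-hour travel window are assumptions, not any product's schema) and flags a session token that appears from a second client fingerprint and a user whose consecutive logins come from different countries too close together.

```python
"""Detect session-token reuse and impossible travel in authentication logs.

Added illustration; the log format, field names and thresholds are
constructed assumptions, not a real product's schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <iso-timestamp> user=<id> token=<session-id> ip=<addr> geo=<country> ua=<client-hash>
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice token=sess-a1 ip=203.0.113.10 geo=GB ua=ua-7f3
2024-05-01T09:02:10Z user=alice token=sess-a1 ip=203.0.113.10 geo=GB ua=ua-7f3
2024-05-01T09:05:30Z user=alice token=sess-a1 ip=198.51.100.7 geo=US ua=ua-c21
2024-05-01T10:00:00Z user=bob token=sess-b9 ip=192.0.2.44 geo=DE ua=ua-0aa
2024-05-01T10:30:00Z user=bob token=sess-b9 ip=192.0.2.44 geo=DE ua=ua-0aa
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) token=(?P<token>\S+) "
    r"ip=(?P<ip>\S+) geo=(?P<geo>\S+) ua=(?P<ua>\S+)$"
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_token_reuse(events):
    """Flag a session token presented from more than one (ip, ua) fingerprint.

    After a proxied login the attacker holds a valid session, so the same
    token shows up from their client as well as the victim's.
    """
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        fp = (ev["ip"], ev["ua"])
        if seen[ev["token"]] and fp not in seen[ev["token"]]:
            alerts.append(("token_reuse", ev["user"], ev["token"], fp))
        seen[ev["token"]].add(fp)
    return alerts


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Flag a user whose consecutive events come from different countries
    closer together than `window` (a crude stand-in for distance/time math)."""
    last = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] < window:
            alerts.append(("impossible_travel", ev["user"], prev["geo"], ev["geo"]))
        last[ev["user"]] = ev
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detections over the log text and return the combined alert list."""
    events = parse_log(text)
    return detect_token_reuse(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both detections are deliberately keyed on the session token and the user rather than on the login event, because by the time these fire the second factor has already been satisfied; the point is to catch the inherited session, not the authentication.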
How It Works in Practice
MITM attacks work by inserting an intermediary between the user and the service, then relaying or modifying traffic in real time. If the attacker can capture a session cookie, bearer token, or OAuth code, MFA has already served its purpose from the attacker’s perspective. That is why the focus must extend from first-factor or second-factor authentication to session integrity, endpoint validation, and least-privilege access after login. The issue is not that MFA fails to authenticate the user; it is that authentication alone does not guarantee the session remains trustworthy.
In practical terms, security teams should harden the entire authentication path. The most effective controls usually combine:
- Phishing-resistant MFA such as passkeys or hardware-backed factors.
- Short-lived sessions and tight token TTLs to reduce replay value.
- Device and posture checks at authentication time and during the session.
- Conditional access policies that re-evaluate trust when risk changes.
- Encryption with strong certificate validation to reduce interception and downgrade risk.
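To make the list concrete, here is an added example (not code from the original article) of a server-side session token that combines three of the controls above: a short TTL, binding to the device that completed authentication, and re-evaluation of device posture on every request rather than only at login. The token format, the in-memory signing key, the ten-minute TTL and the boolean posture signal are all constructed assumptions.

```python
"""Short-lived, device-bound session tokens re-checked on every request.

Added illustration of the controls listed above; the token layout, the
posture signal and the TTL are constructed assumptions, not a standard.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing key (assumed in-memory here)
SESSION_TTL = 600                     # 10-minute sessions: a captured token has little replay value


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, hex-encoded."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user, device_id, posture_ok, now=None):
    """Mint a token bound to the device that completed MFA.

    The device id is inside the signed payload, so a copy of the token
    presented from another client fails the device check below.
    """
    now = int(now if now is not None else time.time())
    claims = {
        "sub": user,
        "dev": device_id,
        "iat": now,
        "exp": now + SESSION_TTL,
        "posture": posture_ok,  # posture at issue time; re-checked later
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body.encode())}"


def validate_session(token, presented_device, posture_ok, now=None):
    """Return (allowed, reason).

    Every check runs on each request, not only at login: signature,
    expiry, device binding and current posture.
    """
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return False, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"            # forces re-authentication
    if not hmac.compare_digest(claims["dev"], presented_device):
        return False, "device_mismatch"    # token replayed from another client
    if claims["posture"] and not posture_ok:
        return False, "posture_degraded"   # context changed: step-up required
    return True, "ok"


if __name__ == "__main__":
    t = issue_session("alice", "dev-1", True)
    print(validate_session(t, "dev-1", True))   # ok
    print(validate_session(t, "dev-2", True))   # device_mismatch
```

The `posture_degraded` branch is where a conditional access policy would trigger step-up or re-authentication; the example returns a reason string so the caller can decide which.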
For non-human identities, the same logic becomes even more important. Workloads need cryptographic identity, not just stored secrets, which is why programs increasingly reference workload identity patterns and secretless approaches rather than long-lived credentials. NHI Management Group’s Ultimate Guide to NHIs also highlights that 91.6% of secrets remain valid five days after notification, which shows how much attacker value remains after compromise.
External guidance aligns with this shift. CISA’s cyber threat advisories regularly emphasise credential theft, session abuse, and adversary-in-the-middle tradecraft as active threats. These controls tend to break down when legacy protocols, unmanaged endpoints, or long-lived bearer tokens are still allowed because the attacker can reuse what the service already trusts.
Common Variations and Edge Cases
Tighter session controls often increase operational overhead, requiring organisations to balance user friction against the need for stronger trust signals. That tradeoff is especially visible in hybrid environments where older applications cannot support modern token binding, continuous access evaluation, or device attestation. Current guidance suggests that organisations treat these as risk exceptions rather than normal operating modes, but there is no universal standard for this yet.
Edge cases matter. VPNs, reverse proxies, and remote browser setups can reduce exposure, but they do not eliminate MITM risk if the attacker already controls the endpoint or has stolen a live session. Encryption can also create false confidence when TLS is technically in place but certificate validation is weak, user warnings are ignored, or traffic is terminated and re-encrypted by an untrusted intermediary. The same problem appears in AI-driven workflows, where autonomous agents may chain tools and reuse credentials in ways that are hard to predict.
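The "TLS is technically in place but validation is weak" case above is easy to see in client configuration. The following is an added example (not code from the original article) using Python's standard `ssl` module: a strict client context beside the weak one that accepts any certificate, and a small audit function that reports the settings which would let an interposed proxy go unnoticed. The audit rules are this example's own, not taken from a standard.

```python
"""Strict TLS client configuration beside the weak one that gives false confidence.

Added illustration; the audit rules are this example's own.
"""
import ssl


def strict_client_context():
    """Verify the chain, check the hostname, and refuse pre-1.2 protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()  # system trust store; no network access needed
    return ctx


def weak_client_context():
    """The 'encrypted but unverified' configuration.

    Traffic is encrypted, but any certificate, including one presented by an
    intermediary that terminates and re-encrypts the session, is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor: whatever the peer offers
    return ctx


def audit_context(ctx):
    """Return the findings that would let an intermediary go unnoticed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol downgrade below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("strict:", audit_context(strict_client_context()))
    print("weak:  ", audit_context(weak_client_context()))
```

The same three questions (is the chain verified, is the hostname checked, is a protocol floor pinned) apply to any HTTP client library or service mesh sidecar; this block only shows them against the standard-library context object.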
For teams trying to close the gap, the practical goal is not perfect prevention. It is reducing replay value, limiting what a hijacked session can do, and forcing re-authentication when context changes. That is why the strongest programs pair MFA and encryption with continuous monitoring, phishing-resistant factors, and identity assurance that extends beyond the initial login. In the real world, compromise is often discovered only after a valid session has already been used to move laterally or exfiltrate data.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Session integrity and ongoing access validation are central to MITM defense. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust limits what a compromised session can reach after interception. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived secrets and replayable credentials amplify MITM impact for NHI traffic. |
Continuously verify access context and reduce trust in sessions after initial authentication.