Security teams should move high-risk accounts to phishing-resistant authentication, bind sessions more tightly to device or risk signals, and reduce reliance on reusable OTPs. User training still matters, but the core defence is removing the attacker’s ability to relay a live session and reuse it outside the original authentication context.
Why This Matters for Security Teams
Adversary-in-the-middle phishing succeeds because it turns a one-time login into a live relay, capturing the session as it is created and then reusing that access outside the user’s original context. That makes reusable OTPs, SMS codes, and password-only workflows weak controls against a determined attacker. Current guidance from CISA cyber threat advisories and NHIMG research both point to the same reality: the control problem is not just authentication, but session integrity and post-authentication trust.
This is especially important for high-value accounts, privileged users, and SaaS administrators because a stolen session can bypass many downstream checks. The issue is broader than credential theft. It also undermines trust in device posture, MFA prompts, and conditional access policies that were designed for static login events rather than live interception. NHIMG’s The State of Non-Human Identity Security shows how often organisations underestimate identity risk, with only 1.5 out of 10 highly confident in securing NHIs. In practice, many security teams discover relay-based compromise only after a valid session has already been abused, rather than through intentional detection of the attack path.
How It Works in Practice
The most effective response is to make the authentication ceremony harder to relay and the resulting session harder to replay. That usually means moving sensitive populations to phishing-resistant authentication such as FIDO2/WebAuthn, binding the session to stronger signals such as device identity or risk state, and shortening the value window of any credential artifact that is still issued. NIST’s Cybersecurity Framework 2.0 remains useful here because it frames identity as part of continuous protection, not a one-time gate.
Security teams should also reduce reliance on reusable OTPs, since a relay attacker can capture and submit them in real time. Where possible, use authentication methods that cryptographically bind the user, device, and session to the original challenge. This is why the 52 NHI Breaches Analysis matters even for human-facing phishing: once an attacker gains a valid session, the problem quickly becomes identity sprawl, token reuse, and privilege chaining across systems.
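The paragraph above says phishing-resistant methods work because the signature covers the original challenge and the origin the browser actually talked to. The block below is an added illustration of the relying-party side of that check, not code from the page or from any WebAuthn library; it keeps a simplified FIDO2-style flow (issued challenge, browser-stamped origin, single-use assertion) and uses an HMAC over a shared per-credential secret as a stand-in for the authenticator's public-key signature so it runs with the standard library only. `RP_ORIGIN`, `RP_ID`, the credential id and the second origin are constructed values.

```python
"""Relying-party verification of an origin-bound assertion (constructed
example). HMAC stands in for the authenticator's asymmetric signature;
real WebAuthn verifies a public-key signature over rpIdHash||clientDataHash."""
import hashlib
import hmac
import json
import os
import time

RP_ORIGIN = "https://login.example.com"   # assumed relying-party origin
RP_ID = "login.example.com"               # assumed RP ID


def sign(secret, client_data, rp_id):
    """Stand-in for the authenticator signature over rpIdHash || clientDataHash."""
    client_hash = hashlib.sha256(
        json.dumps(client_data, sort_keys=True).encode()).digest()
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return hmac.new(secret, rp_hash + client_hash, hashlib.sha256).hexdigest()


def authenticator_assert(secret, challenge, page_origin):
    """The browser records the origin of the page that invoked WebAuthn in
    clientData; neither the user nor the page can override it."""
    client_data = {"type": "webauthn.get", "challenge": challenge,
                   "origin": page_origin}
    return client_data, sign(secret, client_data, RP_ID)


class RelyingParty:
    def __init__(self):
        self.challenges = {}    # challenge -> issued-at (single use)
        self.credentials = {}   # credential id -> secret (stand-in for public key)

    def register(self, cred_id, secret):
        self.credentials[cred_id] = secret

    def new_challenge(self):
        challenge = os.urandom(16).hex()
        self.challenges[challenge] = time.time()
        return challenge

    def verify_assertion(self, cred_id, client_data, signature, max_age=120):
        # 1. The challenge must be one we issued, unused and fresh.
        issued = self.challenges.pop(client_data.get("challenge"), None)
        if issued is None:
            return False, "unknown or already-used challenge"
        if time.time() - issued > max_age:
            return False, "challenge expired"
        # 2. The origin the browser stamped in must be ours: a relayed login
        #    carries the intermediary's origin and fails here.
        if client_data.get("origin") != RP_ORIGIN:
            return False, f"origin mismatch: {client_data.get('origin')}"
        # 3. The signature must cover exactly the client data presented.
        secret = self.credentials.get(cred_id)
        if secret is None:
            return False, "unknown credential"
        expected = sign(secret, client_data, RP_ID)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        return True, "ok"


def demo():
    """Returns (direct, relayed, replay) verification results."""
    rp = RelyingParty()
    secret = os.urandom(32)
    rp.register("cred-1", secret)
    # Legitimate login: browser is on the real origin.
    c1 = rp.new_challenge()
    cd, sig = authenticator_assert(secret, c1, RP_ORIGIN)
    direct = rp.verify_assertion("cred-1", cd, sig)
    # Same ceremony reached through an intermediary origin (constructed name):
    # the browser stamps that origin, so the RP refuses the assertion.
    c2 = rp.new_challenge()
    cd2, sig2 = authenticator_assert(secret, c2, "https://login.example-support.net")
    relayed = rp.verify_assertion("cred-1", cd2, sig2)
    # Replaying the already-consumed first assertion also fails.
    replay = rp.verify_assertion("cred-1", cd, sig)
    return direct, relayed, replay


if __name__ == "__main__":
    for label, result in zip(("direct", "relayed", "replay"), demo()):
        print(f"{label}: {result}")
```

The contrast with a relayed OTP is the point: an OTP carries no origin or challenge, so the same six digits verify wherever they are submitted, whereas here the origin check and the single-use challenge both reject the relayed ceremony independently.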
- Prioritise administrators, finance, support desks, and remote access users for phishing-resistant MFA.
- Apply step-up authentication when device posture, location, or session risk changes.
- Use short-lived sessions and force reauthentication for sensitive actions rather than relying on long session lifetimes.
- Monitor for impossible travel, abnormal token use, and new-device logins that do not fit expected behaviour.
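The list above asks for sessions bound to device signals, short session lifetimes, and step-up before sensitive actions. The following is an added example of a session store that does all three, written for this page rather than taken from it or from any product; the token layout, the 15-minute lifetime, the 5-minute step-up window, the fingerprint inputs and the user and device names are assumptions chosen for illustration.

```python
"""Device-bound, short-lived sessions with step-up for sensitive actions
(constructed example; lifetimes and fingerprint inputs are assumptions)."""
import hashlib
import hmac
import os
import time

SESSION_TTL = 15 * 60       # assumed: session dies 15 minutes after login
STEP_UP_WINDOW = 5 * 60     # assumed: sensitive actions need auth within 5 min


def device_fingerprint(user_agent, device_id):
    """Assumed binding signal; a real deployment would use a device
    certificate or a managed-device attestation instead of these strings."""
    return hashlib.sha256(f"{user_agent}|{device_id}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self.key = os.urandom(32)   # server-side MAC key
        self.sessions = {}          # session id -> metadata
        self.now = now              # injectable clock for testing

    def issue(self, user, fingerprint):
        sid = os.urandom(16).hex()
        at = self.now()
        self.sessions[sid] = {"user": user, "issued": at, "last_auth": at}
        # The MAC ties the session id to the device context seen at login.
        tag = hmac.new(self.key, f"{sid}:{fingerprint}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def check(self, token, fingerprint, sensitive=False):
        try:
            sid, tag = token.split(".", 1)
        except ValueError:
            return False, "malformed token"
        sess = self.sessions.get(sid)
        if sess is None:
            return False, "unknown session"
        expected = hmac.new(self.key, f"{sid}:{fingerprint}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            # Presented from a different device context than it was issued
            # for: refuse and revoke rather than let the user ride it out.
            del self.sessions[sid]
            return False, "device binding mismatch; session revoked"
        now = self.now()
        if now - sess["issued"] > SESSION_TTL:
            del self.sessions[sid]
            return False, "session expired"
        if sensitive and now - sess["last_auth"] > STEP_UP_WINDOW:
            return False, "step-up required"
        return True, "ok"

    def step_up(self, token, fingerprint):
        """Record a fresh authentication for an otherwise valid session."""
        ok, _ = self.check(token, fingerprint)
        if ok:
            self.sessions[token.split(".", 1)[0]]["last_auth"] = self.now()
        return ok


def demo():
    """Walk one session through the checks; returns a dict of outcomes."""
    clock = {"t": 1_700_000_000.0}
    store = SessionStore(now=lambda: clock["t"])
    fp_laptop = device_fingerprint("Mozilla/5.0 (X11)", "laptop-42")
    fp_other = device_fingerprint("Mozilla/5.0 (Win)", "host-7")
    token = store.issue("alice", fp_laptop)
    out = {"same_device": store.check(token, fp_laptop)[0]}
    clock["t"] += 6 * 60   # six minutes later
    out["sensitive_without_step_up"] = store.check(token, fp_laptop, sensitive=True)[0]
    out["after_step_up"] = (store.step_up(token, fp_laptop)
                            and store.check(token, fp_laptop, sensitive=True)[0])
    out["other_device"] = store.check(token, fp_other)[0]
    out["revoked_after_mismatch"] = store.check(token, fp_laptop)[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Revoking on a binding mismatch, rather than silently refusing, is a deliberate choice: once a session has been presented from a second context, the original holder should be forced through the ceremony again and the event should reach the SOC.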
Where this guidance breaks down is in legacy applications that only support OTP or basic SSO handoffs, because those systems often cannot bind the session to device or risk context in a meaningful way.
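For the legacy applications just described, where the session cannot be bound at issue time, the monitoring bullet above is the compensating control. Below is an added detection example, not the page's code, run over a handful of constructed log lines: it flags a session id that changes device or IP after issue, a device never before seen for the user, and location changes too fast to be travel. The log format, the 900 km/h threshold and the 50 km minimum distance are assumptions.

```python
"""Session-abuse detection over constructed login/activity logs.
Assumed CSV format: ts,user,session_id,device_id,ip,lat,lon (ts in epoch seconds)."""
import math

SAMPLE_LOG = """\
1700000000,alice,sess-A,laptop-42,203.0.113.10,51.50,-0.12
1700000120,alice,sess-A,laptop-42,203.0.113.10,51.50,-0.12
1700000300,alice,sess-A,host-7,198.51.100.7,40.71,-74.00
1700000400,bob,sess-B,desk-3,192.0.2.5,48.85,2.35
1700003000,bob,sess-C,desk-3,192.0.2.5,48.85,2.35
"""

MAX_KMH = 900.0      # assumed: faster than an airliner counts as impossible travel
MIN_KM = 50.0        # assumed: ignore small geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, sid, dev, ip, lat, lon = line.split(",")
        events.append({"ts": int(ts), "user": user, "sid": sid, "dev": dev,
                       "ip": ip, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_devices=None):
    """Return a list of (rule, user, detail). known_devices maps user -> set of
    enrolled device ids; a user with no enrolment is seeded by their first event."""
    known = {u: set(d) for u, d in (known_devices or {}).items()}
    session_ctx = {}   # session id -> (device, ip) seen when first observed
    last_seen = {}     # user -> previous event
    alerts = []
    for e in events:
        u = e["user"]
        # New-device login: a device this user has never used before.
        if u in known and e["dev"] not in known[u]:
            alerts.append(("new_device", u, e["dev"]))
        known.setdefault(u, set()).add(e["dev"])
        # Abnormal token use: same session id, different device or address.
        ctx = session_ctx.setdefault(e["sid"], (e["dev"], e["ip"]))
        now_ctx = (e["dev"], e["ip"])
        if ctx != now_ctx:
            alerts.append(("session_context_change", u,
                           f"{e['sid']}: {ctx} -> {now_ctx}"))
        # Impossible travel between consecutive events for the same user.
        prev = last_seen.get(u)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]) / 3600.0
            if km > MIN_KM and hours > 0 and km / hours > MAX_KMH:
                alerts.append(("impossible_travel", u,
                               f"{km:.0f} km in {hours * 60:.0f} min"))
        last_seen[u] = e
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:24} {user:8} {detail}")
```

All three rules fire on the same third line for `alice` and none fire for `bob`, which is the shape a relayed session usually has in telemetry: the token is valid, but its context is not. Treat a `session_context_change` on a privileged account as a revoke-first event rather than a ticket.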
Common Variations and Edge Cases
Tighter authentication often increases user friction and support load, so organisations must balance phishing resistance against operational simplicity. That tradeoff is real, especially where large workforces, contractors, or unmanaged devices are involved. Best practice is evolving, but there is no universal standard for every application class yet.
For lower-risk users, a staged rollout may be more practical than an abrupt migration. For high-risk roles, stronger controls should come first; see the Ultimate Guide to NHIs — Key Challenges and Risks for the broader lesson that identity failures often begin with weak visibility and end with unchecked access. The OWASP view on agentic systems also reinforces that trust decisions need context, not just credentials, which aligns with the intent behind the OWASP NHI Top 10.
Exception handling matters. Shared workstations, service desks, and emergency access flows may still require fallback methods, but those paths should be tightly scoped, heavily monitored, and time-limited. These controls tend to break down when organisations allow long-lived sessions on unmanaged endpoints because the attacker can wait out the user and reuse the session after the relay completes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A07 | Phishing-resistant auth reduces token relay and session theft in autonomous access flows. |
| CSA MAESTRO | IAM | MAESTRO emphasizes identity-aware controls for agent and session trust decisions. |
| NIST AI RMF | | AI RMF supports continuous risk evaluation for authentication and session integrity decisions. |
Use phishing-resistant MFA and context-bound sessions to prevent replay of live authentication artifacts.