Why do MFA controls still fail against account takeover?

MFA reduces password-only compromise, but it does not stop attackers who steal session tokens, hijack browsers, or obtain access through adversary-in-the-middle phishing. Once the token is issued, the service often trusts it until expiry or revocation. That means organisations need continuous session control and behavioural detection, not just stronger login prompts.

Why MFA Stops Short of Account Takeover

MFA still matters, but it is not a complete defence against account takeover because modern attacks often bypass the login event entirely. If an attacker captures a session cookie, steals a token from a browser, or lands an adversary-in-the-middle phishing flow, the service may see a valid authenticated session and trust it until it expires. That is why controls around session binding, token lifecycle, and continuous risk evaluation matter just as much as the prompt at the login screen.

This failure mode is visible in real-world compromise reporting. NHIMG research on the Microsoft Midnight Blizzard breach shows how identity abuse can persist after initial access, while the GitLocker GitHub extortion campaign reinforces that attackers frequently move straight from credential theft to destructive activity. Current guidance from the NIST Cybersecurity Framework 2.0 points organisations toward stronger detection and response around authenticated activity, not just stronger authentication at sign-in.

In practice, many security teams discover MFA weakness only after a valid session has already been abused, rather than through intentional testing.

How Attackers Get Around MFA in Practice

The core issue is that MFA proves a user completed a challenge; it does not guarantee the session remains trustworthy afterward. Attackers increasingly target the layer after authentication. They may use phishing kits that proxy the login in real time, steal browser storage, replay tokens from compromised endpoints, or abuse poorly protected recovery flows. Once the token is issued, many systems continue to accept it without re-checking device health, IP reputation, or user behaviour.

Security teams should think in terms of session control rather than one-time verification. That means:

  • binding tokens to device or client context where feasible;
  • using short-lived tokens and aggressive revocation for risky events;
  • detecting impossible travel, atypical tool use, and unusual session duration;
  • requiring step-up checks for high-risk actions, not just at login;
  • monitoring for token theft and browser hijack indicators.

NHIMG guidance on the Ultimate Guide to NHIs — Standards is useful here because the same session and secret lifecycle issues that affect human accounts also apply to machine identities, where stolen tokens can be even harder to spot. For broader governance, NIST Cybersecurity Framework 2.0 emphasizes continuous protection and monitoring across the identity lifecycle, which is the right lens for these attacks. These controls tend to break down in high-trust environments with long-lived sessions, legacy apps, and weak revocation support because the service cannot reliably distinguish a legitimate user from a stolen but valid token.

Where the Control Model Needs to Change

Tighter authentication often increases user friction and operational overhead, requiring organisations to balance usability against stronger post-login enforcement. That tradeoff is real, but current guidance suggests the answer is not to weaken MFA; it is to complement it with stronger session governance and identity assurance.

Some environments are especially vulnerable. Remote work estates, unmanaged endpoints, browser-based SaaS access, and hybrid identity stacks make token theft easier and revocation slower. In those cases, best practice is evolving toward layered controls that include conditional access, privileged access management (PAM) for privileged workflows, just-in-time (JIT) elevation, and risk-based reauthentication for sensitive actions. There is no universal standard for this yet, but the direction is clear: authenticating once is not enough if the attacker can keep using what was issued.

For teams tracking identity abuse trends, the DeepSeek breach is a reminder that exposed secrets and compromised access paths can accelerate takeover far beyond password theft. The practical lesson is straightforward: reduce standing trust, shorten session lifetime, and treat every high-risk action as a fresh authorisation decision rather than a continuation of the original login.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Stolen tokens and weak rotation are classic NHI takeover paths. |
| NIST CSF 2.0 | PR.AC-4 | Session trust and privilege control map to access governance. |
| NIST AI RMF | | Continuous monitoring and governance support risk-based identity decisions. |

Use AI RMF governance to require ongoing monitoring of authenticated behaviour and response thresholds.