By NHI Mgmt Group Editorial Team | Published 2026-05-22 | Domain: Best Practices | Source: HYPR

TL;DR: Man-in-the-middle attacks are increasingly used to intercept credentials, session tokens, and network traffic, and HYPR argues that phishing-resistant passwordless MFA removes the secret an attacker can steal, while CISA and other bodies treat FIDO-based authentication as the gold standard. The decisive issue is not just stronger login, but eliminating replayable factors from the access path.


At a glance

What this is: This is a practitioner guide to man-in-the-middle attack prevention, with the key finding that passwordless, phishing-resistant MFA reduces interception risk by removing reusable credentials from the authentication flow.

Why it matters: It matters because MitM techniques still target human login flows, remote access, and session tokens, and those same weaknesses can also expose NHI and autonomous access paths when secrets or approvals are replayable.



Context

Man-in-the-middle attacks work by inserting an attacker between two parties so traffic, tokens, and credentials can be observed or altered in transit. In identity terms, that means the control gap is not always at the password prompt, but at the point where authentication factors, sessions, or network trust can be replayed.

For IAM teams, the practical issue is that MitM techniques still bypass many familiar controls when the factor can be phished, relayed, or intercepted. That makes phishing-resistant authentication relevant not only to human sign-in, but also to any access pattern that still depends on reusable secrets, including service accounts and remote access paths.


Key questions

Q: How should security teams prevent man-in-the-middle attacks on remote access?

A: Start with phishing-resistant MFA for the access path that matters most, especially VPN and SSO entry points. Then remove reusable secrets from the workflow, enforce TLS everywhere, and treat public WiFi and unmanaged endpoints as hostile by default. Network controls help, but identity proof must be non-replayable if you want the attack to fail at the authentication layer.

Q: Why do phishing-resistant credentials reduce man-in-the-middle risk?

A: They reduce risk because the attacker cannot simply relay or copy the authentication proof in transit. With public-key-based authentication, the private key stays on the device and the response is cryptographically bound to the challenge, which prevents the typical interception-and-replay path used in MitM attacks. That shifts security from secret sharing to proof of possession.

Q: What breaks when organisations rely on passwords and OTPs for high-risk access?

A: What breaks is replay resistance. Passwords, SMS codes, and many push workflows can be intercepted, relayed, or socially engineered, which means a malicious intermediary can still complete the login and reuse the session. Once that happens, the attacker no longer needs to defeat the application, because the identity proof has already been compromised.

Q: Who is accountable when a man-in-the-middle attack succeeds through weak authentication?

A: Accountability sits with the identity and access programme that allowed a phishable factor to remain the primary trust mechanism for sensitive access. Security teams, IAM owners, and application owners share responsibility for removing replayable proof, because the failure is architectural, not just user behaviour. Frameworks that demand strong authentication and Zero Trust assumptions make that responsibility explicit.


Technical breakdown

How man-in-the-middle attacks intercept identity signals

A MitM attack succeeds when the attacker can position between the user and the legitimate endpoint, then relay or alter messages without either side realising it. The attack surface includes DNS, WiFi, browser traffic, and session tokens. In identity terms, the attacker is not always breaking the login itself. They are often stealing the artefact that proves the login already happened, such as a session cookie, OTP, or bearer token. That is why these attacks often bypass downstream security monitoring: the session appears legitimate after the fact.

Practical implication: eliminate reusable authentication artefacts wherever possible and treat session tokens as high-value secrets.

Why phishing-resistant MFA blocks relay attacks

Phishing-resistant MFA changes the trust model by binding authentication to public-key cryptography rather than a code or password that can be copied and replayed. Because the private key stays on the device and the challenge is cryptographically signed, the attacker cannot simply proxy or steal the factor in transit. This is why standards bodies favour FIDO-based authentication for high-assurance access. The key point is not just stronger MFA, but MFA whose proof cannot be replayed through an attacker-controlled intermediary.

Practical implication: prioritise phishing-resistant factors for privileged users, remote access, and any workflow that depends on high-value identity assurance.
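The relay argument above (and the public-key answer under Key questions), shown as an added Go example that is not code from HYPR or from this post: a simplified WebAuthn-style assertion signs the server's one-time challenge together with the origin the browser actually connected to, so the relying party rejects an assertion produced through a proxy on another origin and rejects a captured assertion against a fresh challenge, while an OTP comparison cannot tell the difference. `Authenticator`, `Verify`, `OTPVerify`, the challenge strings and the origins are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a device-bound credential; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }
// NewAuthenticator registers a key pair; only the public key goes to the relying party.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// assertionBytes binds the challenge to the origin the client connected to (simplified WebAuthn clientData + rpIdHash).
func assertionBytes(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Sign: the browser, not the user, supplies the origin, so a relay-proxied page is signed over the proxy's origin.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.priv, assertionBytes(challenge, origin))
}

// Verify: the RP accepts only its own origin and its own outstanding challenge, so relay and replay both fail.
func Verify(pub ed25519.PublicKey, challenge []byte, rpOrigin string, sig []byte) bool {
	return ed25519.Verify(pub, assertionBytes(challenge, rpOrigin), sig)
}

// OTPVerify models a replayable factor: only the code is compared, so a forwarded code is accepted.
func OTPVerify(expected, presented string) bool { return expected == presented }

func main() {
	auth, pub := NewAuthenticator()
	challenge := []byte("constructed-one-time-challenge-01") // constructed sample nonce
	rp, proxy := "https://login.example.com", "https://login.example.com.evil.test" // constructed origins
	fmt.Println("direct login ok:", Verify(pub, challenge, rp, auth.Sign(challenge, rp)))         // true
	fmt.Println("relayed via proxy ok:", Verify(pub, challenge, rp, auth.Sign(challenge, proxy))) // false
	fmt.Println("relayed OTP ok:", OTPVerify("482913", "482913"))                                // true
}
```

A real WebAuthn verifier additionally checks the rpIdHash, the user-presence flag and the signature counter inside authenticatorData; this strips the flow down to the two bindings (origin and one-time challenge) that make a relayed or captured proof fail.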

Why VPNs and intrusion detection are not enough on their own

VPNs can encrypt traffic, and intrusion detection can spot some anomalies, but neither removes the core trust problem if the authentication factor is still phishable. MitM attacks often begin before the network control can help, especially on unmanaged endpoints or public WiFi. Once the attacker has the session, they can act as the legitimate user, and many detections will see only valid traffic. That is why network defence must be paired with identity assurance that does not depend on secrets that can be relayed.

Practical implication: treat network controls as a compensating layer, not the primary defence against identity interception.


Threat narrative

Attacker objective: The attacker wants to impersonate a legitimate user or service well enough to steal data, redirect transactions, or extend access without triggering obvious authentication failures.

  1. Entry occurs when the attacker inserts a fake access point, spoofs DNS, or positions a browser compromise between the user and the target service.
  2. Credential access happens when the attacker captures reusable secrets such as passwords, session cookies, OTPs, or intercepted authentication traffic.
  3. Impact follows when the attacker reuses the captured identity artefact to impersonate the user, access email, or trigger transactions as the legitimate party.



NHI Mgmt Group analysis

Phishable authentication is the governance assumption MitM attacks exploit. The control model assumes a user or system proves identity directly to the service, but a man-in-the-middle inserts a relay that turns that proof into a transferable artefact. That assumption fails whenever authentication depends on reusable secrets, OTPs, or session tokens that can be copied in transit. The implication is that identity assurance must be judged by replay resistance, not by login success alone.

Session security is now part of identity governance, not just application hardening. MitM attacks target the space after initial authentication, where many programmes still treat the session as a technical detail outside IAM scope. In practice, the session is the identity control plane for the rest of the transaction. When the session can be hijacked, governance has already failed even if the password policy was strong.

Public-key authentication changes the attacker economics more than it changes the user experience. The point is not convenience as a feature claim. The point is that cryptographic possession proofs remove the secret the attacker needs to relay, which narrows the viable attack surface across human sign-in and any non-human access path that still relies on phishable factors. Practitioners should treat replay resistance as a core identity design criterion.

Remote access is where identity and network trust collapse into the same problem. The article correctly notes that remote workers on unsecured networks are exposed, but the deeper issue is that network perimeter assumptions no longer contain the identity threat. Once access is granted through a phishable factor, VPN encryption may protect transit while leaving the credential model intact. The practical conclusion is that access architecture must assume hostile intermediaries by default.

For NHI and autonomous workflows, MitM prevention is really secret non-replayability. Service accounts, API tokens, and agent credentials fail in the same way as human MFA when the proof can be intercepted and reused. That makes passwordless and key-bound assurance relevant beyond human IAM, especially where machine-to-machine access still depends on bearer-style credentials. The implication is to treat replayable identity proof as a structural flaw across all actor types.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • That pattern is explored further in 52 NHI Breaches Analysis, which shows how long-lived credentials extend attacker dwell time across identity layers.

What this signals

Replay resistance is becoming a baseline control, not an advanced option. As more access flows depend on remote work, federated sign-in, and mixed human-machine sessions, any factor that can be intercepted becomes a structural weakness. Teams should expect phishing-resistant authentication to move from privileged access into broader identity assurance programmes, especially where session theft is the real objective. The Ultimate Guide to NHIs: Why NHI Security Matters Now helps place that shift in the wider machine-identity context.

Session governance will matter more than login policy. MitM attacks show that the risky moment often begins after authentication, when the session becomes the de facto identity. Organisations that still treat session artefacts as an application concern will struggle to defend against relay attacks, cookie theft, and token reuse. That is why the control conversation now extends into NIST's Zero Trust model, where identity is continuously verified rather than assumed after the first check (see NIST Cybersecurity Framework 2.0).


For practitioners

  • Deploy phishing-resistant MFA for privileged and remote access: Require FIDO-based authentication for administrators, contractors, and high-risk users first, then expand to broader populations where the access path touches sensitive systems. Use this as the default for VPN, SSO, and admin portals, because those are the places attackers most often target with relay attacks.
  • Eliminate replayable credentials from high-value flows: Replace OTPs, SMS codes, and push approvals with factors that cannot be relayed through an attacker-controlled intermediary. For non-human access, remove bearer-style secrets from workflows wherever a stronger device-bound or workload-bound identity pattern is possible.
  • Treat session tokens as governed identity artefacts: Inventory where session cookies, bearer tokens, and long-lived refresh artefacts are stored, logged, or forwarded. Add rotation, scope limits, and revocation paths so a stolen session does not become a durable access path.
  • Harden remote access against hostile intermediaries: Assume users may connect from public WiFi, rogue access points, or unmanaged endpoints. Pair identity controls with device posture checks, TLS enforcement, and network monitoring, but do not rely on those layers to compensate for phishable authentication.

Key takeaways

  • MitM attacks succeed by turning identity proof into a relayable artefact, which means login strength alone is not enough.
  • The scale of the risk extends beyond passwords to sessions, OTPs, and remote access paths that attackers can intercept or reuse.
  • Phishing-resistant MFA and non-replayable identity proof are the controls that most directly reduce this attack class.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | MitM attacks exploit replayable identity proof and secret exposure.
NIST CSF 2.0                     | PR.AC-7             | Strong authentication and session protection support access control outcomes.
NIST Zero Trust (SP 800-207)     | 3.5                 | Zero Trust assumes continuous verification, which MitM threats directly test.

Replace replayable factors with non-replayable authentication for sensitive access paths.


Key terms

  • Man-in-the-Middle Attack: An attack in which the adversary positions between two communicating parties and relays or alters traffic without immediate detection. In identity terms, the danger is that authentication proof, session data, or tokens can be intercepted and reused, making the access appear legitimate even though the path is controlled by the attacker.
  • Phishing-Resistant MFA: A multi-factor authentication method that cannot be easily phished, proxied, or replayed through an intermediary. It typically uses cryptographic proof tied to the authenticating device, which means the attacker cannot copy a code or intercept a factor and complete the login elsewhere.
  • Session Token: A temporary credential that confirms a user or service has already authenticated and is allowed to continue using an application. Because tokens often outlive the initial login step, they become high-value targets when attackers want to bypass the authentication screen and act as the legitimate identity.
  • Replayable Credential: Any authentication factor or proof that can be captured and used again by an attacker, such as a password, OTP, bearer token, or session cookie. These credentials create risk because the proof itself is transferable, which weakens identity assurance in hostile network conditions.

Deepen your knowledge

Man-in-the-middle prevention and phishing-resistant MFA are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising identity assurance for remote access or machine credentials, it is worth exploring.

This post draws on content published by HYPR: How to Prevent Man-in-the-Middle Attacks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org