
MitM attacks and passwordless MFA: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1820
Topic starter  

TL;DR: Man-in-the-middle attacks are increasingly used to intercept credentials, session tokens, and network traffic, and HYPR argues that phishing-resistant passwordless MFA removes the secret an attacker can steal, while CISA and other bodies treat FIDO-based authentication as the gold standard. The decisive issue is not just stronger login, but eliminating replayable factors from the access path.

NHIMG editorial — based on content published by HYPR: How to Prevent Man-in-the-Middle Attacks

Questions worth separating out

Q: How should security teams prevent man-in-the-middle attacks on remote access?

A: Start with phishing-resistant MFA for the access path that matters most, especially VPN and SSO entry points.

Q: Why do phishing-resistant credentials reduce man-in-the-middle risk?

A: They reduce risk because the attacker cannot simply relay or copy the authentication proof in transit.

Q: What breaks when organisations rely on passwords and OTPs for high-risk access?

A: What breaks is replay resistance.

Practitioner guidance

  • Deploy phishing-resistant MFA for privileged and remote access. Require FIDO-based authentication for administrators, contractors, and high-risk users first, then expand to broader populations where the access path touches sensitive systems.
  • Eliminate replayable credentials from high-value flows. Replace OTPs, SMS codes, and push approvals with factors that cannot be relayed through an attacker-controlled intermediary.
  • Treat session tokens as governed identity artefacts. Inventory where session cookies, bearer tokens, and long-lived refresh artefacts are stored, logged, or forwarded.

What's in the full article

HYPR's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on recognising IP spoofing, ARP spoofing, SSL stripping, and rogue access points in the field.
  • Practical examples of how phishing-resistant passwordless MFA changes the attack surface for VPNs and remote access.
  • Specific browser, WiFi, and network hygiene checks that help prevent interception in everyday environments.
  • HYPR's implementation framing for passwordless MFA across desktop access and application sign-in.

👉 Read HYPR's guide to preventing man-in-the-middle attacks with passwordless MFA →
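As an added illustration (not code from HYPR's article or from this post), the following Python model shows the replay-resistance point behind the Q&A above and the "eliminate replayable credentials" bullet: the same attacker-in-the-middle relay is run against a TOTP-style code and against a FIDO/WebAuthn-style assertion. The code and its hosts (vpn.example.com, vpn-example.com, evil.example.com), secrets and challenges are constructed for the demo; one simplification is assumed and marked in the code, namely that an HMAC stands in for the public-key signature a real authenticator produces, which does not change the origin and challenge binding being demonstrated.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed demo: hosts, origins and secrets below are made up for illustration.

# ---- Factor 1: TOTP-style one-time code (RFC 6238 shape). Replayable. ----
def totp_code(shared_secret: bytes, t: int, step: int = 30) -> str:
    """Six-digit code from the shared secret and the current 30 s time slot."""
    mac = hmac.new(shared_secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def verify_otp(shared_secret: bytes, code: str, t: int) -> bool:
    """Nothing in the code says where it was typed, so a relay can forward it unchanged."""
    return hmac.compare_digest(code, totp_code(shared_secret, t))

# ---- Factor 2: FIDO/WebAuthn-style assertion. Bound to origin and challenge. ----
class Authenticator:
    """Browser plus authenticator. The browser, not the page, supplies the origin."""
    def __init__(self):
        self.keys = {}   # rp_id -> (credential_id, key)

    def register(self, rp_id: str):
        self.keys[rp_id] = (secrets.token_bytes(16), secrets.token_bytes(32))
        return self.keys[rp_id]

    def get_assertion(self, browser_origin: str, rp_id: str, challenge: str):
        host = browser_origin.split("://", 1)[1].split("/")[0].split(":")[0]
        # Browser rule: rp_id must be the page's host or a parent domain of it.
        if not (host == rp_id or host.endswith("." + rp_id)) or rp_id not in self.keys:
            return None                       # look-alike domain: no credential to use
        cred_id, key = self.keys[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash + flags
        # Assumption: HMAC stands in for the public-key signature real FIDO uses.
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return {"credential_id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}          # credential_id -> key
        self.pending = set()     # challenges issued but not yet consumed

    def issue_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify_assertion(self, a) -> tuple:
        key = self.creds.get(a["credential_id"])
        if key is None:
            return False, "unknown credential"
        cd = json.loads(a["client_data"])
        if cd.get("challenge") not in self.pending:
            return False, "challenge not outstanding (replay or forgery)"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: signed for {cd.get('origin')}"
        if a["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(key, a["auth_data"] + hashlib.sha256(a["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])   # single use: a second presentation fails
        return True, "ok"

def run_scenarios() -> dict:
    """Run the same relay against each factor; returns what the server accepted."""
    r = {}
    otp_secret, now = secrets.token_bytes(20), 1_700_000_000
    code = totp_code(otp_secret, now)                           # typed into the proxied page
    r["otp_relayed"] = verify_otp(otp_secret, code, now + 5)    # forwarded 5 s later: accepted

    rp, auth = RelyingParty("example.com", "https://vpn.example.com"), Authenticator()
    cred_id, key = auth.register("example.com")
    rp.creds[cred_id] = key

    ch = rp.issue_challenge()
    a = auth.get_assertion("https://vpn.example.com", "example.com", ch)
    r["fido_direct"] = rp.verify_assertion(a)[0]                # genuine sign-in
    r["fido_replay"] = rp.verify_assertion(a)[0]                # captured assertion replayed

    ch = rp.issue_challenge()                                   # proxy obtained a real challenge
    r["fido_lookalike"] = auth.get_assertion("https://vpn-example.com", "example.com", ch)
    a2 = auth.get_assertion("https://evil.example.com", "example.com", ch)   # rp_id rule passes
    r["fido_wrong_origin"], r["fido_wrong_origin_reason"] = rp.verify_assertion(a2)
    return r

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Running it shows the asymmetry the post describes: the relayed OTP is accepted, while the FIDO-style assertion fails at three separate points (the browser finds no credential for a look-alike host, a captured assertion cannot be replayed once its challenge is consumed, and an assertion signed for another origin is rejected because the origin is inside the signed data). The four relying-party checks in verify_assertion (challenge freshness, origin, rpIdHash, signature) are the ones a production WebAuthn library performs; the origin check is the one that stops a relay turning the proof into a transferable artefact, so it is worth confirming your SSO or VPN integration actually enforces it against an explicit allow-list of origins.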

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 380
 

Phishable authentication is the governance assumption MitM attacks exploit. The control model assumes a user or system proves identity directly to the service, but a man-in-the-middle inserts a relay that turns that proof into a transferable artefact. That assumption fails whenever authentication depends on reusable secrets, OTPs, or session tokens that can be copied in transit. The implication is that identity assurance must be judged by replay resistance, not by login success alone.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when a man-in-the-middle attack succeeds through weak authentication?

A: Accountability sits with the identity and access programme that allowed a phishable factor to remain the primary trust mechanism for sensitive access. Security teams, IAM owners, and application owners share responsibility for removing replayable proof, because the failure is architectural, not just user behaviour. Frameworks that demand strong authentication and Zero Trust assumptions make that responsibility explicit.

👉 Read our full editorial: Passwordless identity assurance and MitM risk in enterprise access
