A common assumption is that MFA always prevents account takeover. Real-time phishing kits capture a one-time code (or relay the login so the victim approves a genuine push) and use the resulting session before it expires, so replayable MFA only proves that a code was entered, not that the session is trustworthy. Organisations need phishing-resistant methods for any account that can affect email, cloud, or admin systems.
Why This Matters for Security Teams
Attackers who harvest tokens live do not need to defeat MFA in the abstract. They only need to capture a valid code, push notification approval, or session artifact fast enough to replay it before the trust window closes. That shifts the real question from “Was MFA used?” to “Was the resulting session bound to the right device, user, and context?” Current guidance treats replayable MFA as a partial control, not a trustworthy endpoint for email, cloud console, or admin access.
This is why token theft should be treated as a session integrity problem, not just an authentication problem. NHI Management Group has documented how stolen OAuth credentials can be reused to reach downstream systems, including in the Salesloft OAuth token breach, and the broader pattern shows up across breaches where credentials are exposed in chat, tickets, and automation pipelines. The practical lesson is that controls focused only on the login event miss what happens after the login succeeds.
In practice, many security teams discover MFA weakness only after a session has already been replayed and the attacker has moved laterally through email or cloud admin tools.
How It Works in Practice
When live token harvesting is in play, the attacker is operating inside the user’s own authentication flow. A phishing proxy, adversary-in-the-middle (AitM) kit, or malicious browser layer relays the exchange between the victim and the real identity provider, so the user completes a genuine MFA step; the attacker then immediately reuses the session token or cookie the identity provider issues. If the organisation relies on one-time codes or push approvals alone, that session looks legitimate to downstream services. CISA’s cyber threat advisories repeatedly emphasise phishing-resistant authentication for this reason.
What matters operationally is whether the session is bound to something the attacker cannot replay:
- Phishing-resistant MFA such as FIDO2/WebAuthn or passkeys, whose assertions are bound to the origin the browser is actually on and therefore fail when signed on a proxy domain.
- Device-bound or token-bound sessions (for example, proof-of-possession tokens) that reduce the replay value of a stolen cookie.
- Short-lived access with rapid reauthentication for sensitive actions.
- Step-up verification for privileged operations, not just initial sign-in.
- Continuous session review for abnormal IP, device, geo, or tool-use patterns.
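The following Python example is added here to show concretely why the first item above holds; it is not code from the original article or from any vendor. It models a relying party checking a WebAuthn assertion: the challenge must be fresh, the origin the browser recorded in clientDataJSON must be the relying party's own, and the signature must cover authenticatorData plus the hash of clientDataJSON. The asymmetric signature is stood in for by HMAC-SHA256 over the same message (an assumption that keeps the example dependency-free), and the origins, challenge handling and key are constructed for the demonstration.

```python
"""Why a FIDO2/WebAuthn assertion captured by a phishing proxy does not replay.

Added example, not code from the original article. It models the checks a
relying party performs on an assertion: the challenge is fresh, the origin
inside clientDataJSON is the RP's own origin, and the signature covers
authenticatorData || SHA-256(clientDataJSON). The asymmetric signature is
stood in for by HMAC-SHA256 over the same message (assumption made to keep
the example dependency-free); the binding checks are the point.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://sso.example.com"       # legitimate identity provider (assumed)
PHISH_ORIGIN = "https://sso.examp1e.com"    # attacker's AitM proxy domain (constructed)


def rp_id_for(origin: str) -> str:
    """Browsers derive the RP ID from the origin they are actually on."""
    return origin.split("://", 1)[1]


class Authenticator:
    """Stand-in for a FIDO2 authenticator holding one credential key."""

    def __init__(self, credential_key: bytes):
        self._key = credential_key

    def get_assertion(self, browser_origin: str, challenge: str) -> dict:
        # The browser writes the origin into clientDataJSON; the user cannot alter it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        # authenticatorData = rpIdHash || flags (UP bit set); counter omitted for brevity
        auth_data = hashlib.sha256(rp_id_for(browser_origin).encode()).digest() + b"\x01"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self._key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
        return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


class RelyingParty:
    def __init__(self, credential_key: bytes):
        self._key = credential_key
        self._pending = set()   # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion: dict):
        """Return (accepted, reason). Order follows the WebAuthn verification steps."""
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self._pending:
            return False, "unknown or already-consumed challenge (replay)"
        if cd.get("origin") != RP_ORIGIN:
            return False, f"origin mismatch: {cd.get('origin')}"
        auth_data = assertion["auth_data"]
        if auth_data[:32] != hashlib.sha256(rp_id_for(RP_ORIGIN).encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        expected = hmac.new(self._key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "signature invalid"
        self._pending.discard(cd["challenge"])   # single use: a captured assertion cannot be resent
        return True, "ok"


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    authenticator, rp = Authenticator(key), RelyingParty(key)

    # Legitimate sign-in: the browser is on the real origin.
    c1 = rp.new_challenge()
    legit = authenticator.get_assertion(RP_ORIGIN, c1)
    legit_result = rp.verify(legit)

    # The same assertion captured on the wire and sent again.
    replay_result = rp.verify(legit)

    # AitM proxy: it relays a genuine challenge to the victim on a lookalike page.
    # The browser signs with the origin it is really on, so the forwarded assertion
    # carries PHISH_ORIGIN even though the user did everything "right".
    c2 = rp.new_challenge()
    phished = authenticator.get_assertion(PHISH_ORIGIN, c2)
    aitm_result = rp.verify(phished)

    return {"legit": legit_result, "replay": replay_result, "aitm": aitm_result}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:6s} accepted={ok} reason={why}")
```

The AitM case fails on the origin check before the signature is even examined, and in a real browser it would fail earlier still, because the credential is scoped to the legitimate RP ID and the lookalike domain cannot select it. Contrast that with a one-time code or push approval, which carries no origin at all: the proxy forwards it unchanged and the identity provider has no way to tell the two flows apart.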
For NHI-heavy environments, the same principle applies to service accounts and delegated access: the login event is less important than whether a token can be reused elsewhere. NHI Management Group’s 52 NHI Breaches Analysis shows how reused credentials and exposed tokens turn a single compromise into broad platform access. The operational goal is to make stolen tokens useless quickly, not merely to make login slightly harder.
These controls tend to break down in legacy SSO environments that issue long-lived sessions to many downstream apps because token replay remains valid long after the original MFA event.
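To make the session-side controls in the list above concrete, and to show what the long-lived legacy session just described gives away, here is an added Python model of a session store; it is example code, not anything from the original article or an NHI Management Group product. A session is recorded at issuance with a device fingerprint, the /24 it came from and the time of the last strong authentication, and each later request is judged against that record. The log events, action names, the /24 granularity and the 15-minute step-up window are all constructed assumptions.

```python
"""Session context binding, short lifetimes and step-up for privileged actions.

Added example, not code from the original article. A session is recorded with
the device fingerprint, the /24 it was issued from and the time of the last
strong authentication; every later request is evaluated against that record.
Log events, action names, the /24 network granularity and the 15-minute
step-up window are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
import hashlib
import ipaddress

PRIVILEGED_ACTIONS = {"mailbox.delegate.add", "iam.role.bind", "console.admin"}
STEP_UP_WINDOW = 15 * 60   # max age of the last strong auth before a privileged action


def device_fingerprint(device_id: str, user_agent: str) -> str:
    """Hash of the client attributes the session is bound to at issuance."""
    return hashlib.sha256(f"{device_id}|{user_agent}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    fingerprint: str
    network: ipaddress.IPv4Network
    issued_at: int
    last_strong_auth: int


class SessionStore:
    def __init__(self, ttl_seconds: int, bound: bool = True):
        self.ttl = ttl_seconds
        self.bound = bound          # False models a legacy SSO cookie with no context binding
        self._sessions = {}

    def issue(self, sid, user, device_id, user_agent, ip, now):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        self._sessions[sid] = Session(user, device_fingerprint(device_id, user_agent), net, now, now)

    def record_strong_auth(self, sid, now):
        self._sessions[sid].last_strong_auth = now

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def authorize(self, sid, device_id, user_agent, ip, action, now) -> str:
        s = self._sessions.get(sid)
        if s is None:
            return "deny:unknown-session"
        if now - s.issued_at > self.ttl:
            self.revoke(sid)
            return "deny:expired"
        if self.bound and device_fingerprint(device_id, user_agent) != s.fingerprint:
            self.revoke(sid)        # a bound cookie presented from another client is replay
            return "deny:device-mismatch"
        if self.bound and ipaddress.ip_address(ip) not in s.network:
            return "step-up:network-change"   # users roam; demand fresh auth rather than kill
        if action in PRIVILEGED_ACTIONS and now - s.last_strong_auth > STEP_UP_WINDOW:
            return "step-up:privileged"
        return "allow"


# Constructed events: (t_seconds, sid, device_id, user_agent, ip, action)
EVENTS = [
    (0,   "s1", "dev-A", "Mozilla/5.0 (Macintosh)", "203.0.113.10", "mail.read"),
    (300, "s1", "dev-A", "Mozilla/5.0 (Macintosh)", "203.0.113.10", "mail.read"),
    # the same cookie, minutes later, presented from the attacker's infrastructure
    (420, "s1", "dev-B", "python-requests/2.31", "198.51.100.7", "mailbox.delegate.add"),
    (430, "s1", "dev-B", "python-requests/2.31", "198.51.100.7", "mail.read"),
]


def replay_scenario(ttl_seconds: int, bound: bool) -> list:
    """Decisions for EVENTS against a session issued at t=0 to alice on dev-A."""
    store = SessionStore(ttl_seconds, bound)
    store.issue("s1", "alice", "dev-A", "Mozilla/5.0 (Macintosh)", "203.0.113.10", now=0)
    return [store.authorize(sid, dev, ua, ip, action, t) for (t, sid, dev, ua, ip, action) in EVENTS]


def step_up_scenario() -> list:
    """A privileged action on a valid bound session still needs recent strong auth."""
    store = SessionStore(8 * 3600)
    ua = "Mozilla/5.0 (Windows NT 10.0)"
    store.issue("s2", "bob", "dev-C", ua, "203.0.113.50", now=0)
    out = [store.authorize("s2", "dev-C", ua, "203.0.113.50", "iam.role.bind", now=20 * 60)]
    store.record_strong_auth("s2", now=20 * 60 + 5)          # user passed phishing-resistant step-up
    out.append(store.authorize("s2", "dev-C", ua, "203.0.113.50", "iam.role.bind", now=20 * 60 + 10))
    out.append(store.authorize("s2", "dev-C", ua, "192.0.2.9", "mail.read", now=21 * 60))
    return out


if __name__ == "__main__":
    print("legacy 8h unbound :", replay_scenario(8 * 3600, bound=False))
    print("bound             :", replay_scenario(8 * 3600, bound=True))
    print("step-up           :", step_up_scenario())
```

With `bound=False` the replayed cookie is accepted for every request, including the mailbox delegation, and only the TTL ever closes the window; that is the legacy SSO failure mode. With binding on, the first request from the attacker's client is rejected and the session is revoked, so the retry fails as an unknown session regardless of how long the cookie would otherwise have lived. The step-up path shows that a legitimately bound session still does not get privileged actions for free once the last strong authentication is older than the window.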
Common Variations and Edge Cases
Tighter authentication often increases friction for users and support teams, so organisations must balance phishing resistance against usability and recovery complexity. There is no universal standard for this yet, especially where workforce identity, contractor access, and machine access are mixed in the same SSO boundary. Best practice is evolving toward different authentication strength for different risk tiers rather than one MFA policy for all users.
High-risk accounts need stricter treatment than ordinary users. Admins, finance roles, mailbox delegates, and cloud operators should use phishing-resistant methods and shorter session lifetimes. For lower-risk workflows, a weaker MFA method may still be acceptable if paired with device posture checks and fast revocation. The challenge is that live token theft often bypasses the “second factor” entirely once the session is established, which means token hygiene and revocation matter as much as the authentication method itself.
NHIMG research shows the scale of exposure that makes this urgent. In the Ultimate Guide to NHIs, token and secret sprawl are not treated as edge cases because leaked credentials frequently outlive the incident that exposed them. That same reality applies to human sessions when an attacker can harvest and replay them live.
Phishing-resistant MFA helps, but it does not solve environments where shared devices, kiosk access, or deeply embedded legacy applications prevent strong session binding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Token replay and session hijack are core auth failures in agentic and interactive systems. |
| CSA MAESTRO | IAM-1 | Addresses identity assurance and session trust for autonomous and cloud-hosted workloads. |
| NIST AI RMF | GOVERN | Session trust and token misuse need explicit governance and accountability controls. |
Use phishing-resistant authentication and bind sessions to context so captured tokens cannot be replayed.
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org