2. We trust session cookies too much
Once MFA is completed, most organisations treat the resulting session as sacred. The user proved who they are, so we let them work. But session cookies are bearer tokens: whoever holds them is the authenticated user. There is no binding between the cookie and the device that generated it. There is no fingerprint. There is no anchor. An attacker who steals a session cookie in London can replay it from an entirely different location, and the identity provider will accept it as the legitimate user. Research from Silverfort demonstrated that even after successful FIDO2 authentication, many identity providers remain vulnerable to session hijacking, because the session tokens created after authentication are not adequately protected.
3. We react to credential theft, not session theft
Incident response playbooks are built around compromised passwords: force a reset, revoke tokens, re-enrol MFA. But in an adversary-in-the-middle attack, the password is not the primary concern; the session is. Industry reports consistently show response teams resetting passwords and considering the case closed, while attackers continue operating on stolen sessions for days. If you are not revoking all active sessions and monitoring for session replay, you are not actually remediating the compromise.
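As an added illustration (not code from the article or from Silverfort), here is a small Python detector for the session-replay monitoring this section calls for: it pins each session to the network and browser context of its first post-MFA request, flags later use from a different context, and expands remediation to every active session of the affected user rather than only the flagged one. The log fields and values are constructed; adapt them to your identity provider's log schema.

```python
from collections import defaultdict

# Constructed sample of post-MFA request logs (not real data). S1 is later
# replayed from another network and browser; S3 changes IP within the same
# ASN (e.g. carrier NAT), which should not be treated as replay on its own.
SAMPLE_LOG = [
    {"ts": 100, "sid": "S1", "user": "alice", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Firefox/120"},
    {"ts": 160, "sid": "S1", "user": "alice", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Firefox/120"},
    {"ts": 400, "sid": "S1", "user": "alice", "ip": "198.51.100.7", "asn": "AS64500", "ua": "Chrome/119"},
    {"ts": 120, "sid": "S2", "user": "alice", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Firefox/120"},
    {"ts": 130, "sid": "S3", "user": "bob",   "ip": "192.0.2.5",    "asn": "AS64501", "ua": "Safari/17"},
    {"ts": 500, "sid": "S3", "user": "bob",   "ip": "192.0.2.9",    "asn": "AS64501", "ua": "Safari/17"},
]


def detect_session_replay(events):
    """Pin each session to the (ASN, user agent) of its first request and
    report any later request made from a different context.
    Returns {sid: [reason, ...]} containing flagged sessions only."""
    pinned = {}
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["sid"]
        if sid not in pinned:
            pinned[sid] = (ev["asn"], ev["ua"])  # context at session creation
            continue
        asn, ua = pinned[sid]
        if ev["asn"] != asn:
            findings[sid].append(f"asn changed {asn} -> {ev['asn']} at t={ev['ts']}")
        if ev["ua"] != ua:
            findings[sid].append(f"user agent changed {ua} -> {ev['ua']} at t={ev['ts']}")
    return dict(findings)


def sessions_to_revoke(events, findings):
    """Remediation scope: every active session of any user with a flagged
    session, since an AitM attacker may hold more than the one we noticed."""
    affected_users = {ev["user"] for ev in events if ev["sid"] in findings}
    return sorted({ev["sid"] for ev in events if ev["user"] in affected_users})


if __name__ == "__main__":
    flagged = detect_session_replay(SAMPLE_LOG)
    print("flagged sessions:", flagged)
    print("revoke:", sessions_to_revoke(SAMPLE_LOG, flagged))
```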
What actually works
The uncomfortable truth is that conventional MFA (push notifications, SMS codes, authenticator apps) cannot defend against adversary-in-the-middle phishing. The authentication succeeds because it is real authentication. The attacker simply observes and copies the result. Here is what actually makes a difference.