
2. We trust session cookies too much
Once MFA is completed, most organisations treat the resulting session as sacred. The user proved who they are, so we let them work. But session cookies are bearer tokens — whoever holds them is the authenticated user. There is no binding between the cookie and the device that generated it. There is no fingerprint. There is no anchor. An attacker who steals a session cookie from London can replay it from an entirely different location, and the identity provider will accept it as the legitimate user. Research from Silverfort demonstrated that even after successful FIDO2 authentication, many identity providers remain vulnerable to session hijacking because the session tokens created after authentication are not adequately protected.
3. We react to credential theft, not session theft
Incident response playbooks are built around compromised passwords: force a reset, revoke tokens, re-enroll MFA. But in an adversary-in-the-middle attack, the password is not the primary concern — the session is. Industry reports consistently show response teams resetting passwords and considering the case closed, while attackers continue operating on stolen sessions for days. If you are not revoking all active sessions and monitoring for session replay, you are not actually remediating the compromise.
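The two points above, session binding (section 2) and session-centred response (section 3), as an added Python example that is not part of the original article or of any identity provider's code. It binds each session to an HMAC over the client context at issuance, rejects and kills the session when the same cookie is presented from a different context, revokes every live session for a user in one call, and runs a simple replay check over constructed log lines for sessions that were never bound. The server key, user names, IP addresses, fingerprint values and log format are all constructed for illustration.

```python
"""Added example (not from the original article): server-side session binding,
session-replay detection and bulk revocation. All names, keys and log lines are
constructed for illustration."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"demo-only-key"


def client_fingerprint(client_ip: str, user_agent: str, tls_fp: str) -> str:
    """HMAC over the request context a session is bound to.

    The TLS fingerprint (e.g. a JA3/JA4 hash) is the strongest of the three
    signals; IP and User-Agent alone are easy to match and only raise the bar.
    """
    material = "|".join((client_ip, user_agent, tls_fp)).encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def issue(self, user, client_ip, user_agent, tls_fp) -> str:
        """Called after MFA succeeds: bind the new session to the client context."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_fingerprint(client_ip, user_agent, tls_fp))
        return token

    def validate(self, token, client_ip, user_agent, tls_fp) -> bool:
        """Accept the cookie only when it is presented from the bound context."""
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(client_ip, user_agent, tls_fp)):
            # Cookie replayed from another device: alert and fail closed by killing the session.
            self.alerts.append({"user": s.user, "reason": "fingerprint mismatch", "ip": client_ip})
            s.revoked = True
            return False
        return True

    def revoke_all(self, user) -> int:
        """Response step: invalidate every live session, not just the password."""
        count = 0
        for s in self.sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count


def find_replayed_sessions(log_lines, max_ips=1) -> dict:
    """Detection for unbound sessions: one session id seen from more than one source IP.

    Expects constructed lines of the form 'ts user=<u> sid=<id> ip=<addr>'.
    """
    ips_by_sid = defaultdict(set)
    user_by_sid = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        ips_by_sid[fields["sid"]].add(fields["ip"])
        user_by_sid[fields["sid"]] = fields["user"]
    return {sid: (user_by_sid[sid], sorted(ips))
            for sid, ips in ips_by_sid.items() if len(ips) > max_ips}


def demo():
    store = SessionStore()
    london = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", "ja3:aaaa")
    token = store.issue("alice", *london)
    legit = store.validate(token, *london)
    # The same cookie presented from a different network and TLS stack.
    replay = store.validate(token, "198.51.100.7", "Mozilla/5.0 (X11; Linux)", "ja3:bbbb")
    store.issue("bob", "203.0.113.20", "Mozilla/5.0", "ja3:cccc")
    store.issue("bob", "203.0.113.21", "Mozilla/5.0", "ja3:dddd")
    revoked = store.revoke_all("bob")
    logs = [  # constructed access-log lines
        "2024-01-01T10:00:00Z user=carol sid=S1 ip=203.0.113.30",
        "2024-01-01T10:05:00Z user=carol sid=S1 ip=198.51.100.9",
        "2024-01-01T10:06:00Z user=dave sid=S2 ip=203.0.113.40",
    ]
    return legit, replay, len(store.alerts), revoked, find_replayed_sessions(logs)


if __name__ == "__main__":
    print(demo())  # (True, False, 1, 2, {'S1': ('carol', ['198.51.100.9', '203.0.113.30'])})
```

The fail-closed choice in `validate` is deliberate: a fingerprint mismatch is treated as evidence of theft, so the session is revoked rather than merely declined, and the alert is what the response team should be watching for alongside password resets.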
What actually works
The uncomfortable truth is that traditional MFA — push notifications, SMS codes, authenticator apps — cannot defend against adversary-in-the-middle phishing. The authentication succeeds because it is real authentication. The attacker simply observes and copies the result. Here is what actually makes a difference.
