MFA Isn’t a Silver Bullet: Session Hijacking, Token Theft, and the New Identity Attack Chain

By

George A Vina

Most leaders ask, “Do we have MFA enabled?”

In 2026, the better question is: “Can we trust this session after login?”

Why MFA alone is no longer enough

Attackers increasingly steal authenticated browser sessions and tokens. That means access can look legitimate in logs, even when it is malicious.

This is why organizations with “great MFA adoption” still get breached.

Authentication is a moment. Trust should be continuous.

Use phishing-resistant methods for high-risk users and admin paths.

Require compliant devices for sensitive apps. Challenge impossible-travel and anomalous behavior.

Shorten session windows where risk is highest. Revoke sessions quickly during suspicion, offboarding, or role changes.

Patch browsers aggressively, reduce local admin rights, and monitor suspicious extension behavior.

“User passes MFA from New York, then mailbox rules are created from a new device in another region within minutes.”

Can your team detect and revoke that session fast?

MFA remains mandatory. But modern identity security is about detection + containment speed after authentication.

CISA phishing-resistant MFA: https://www.cisa.gov/resources-tools/resources/implementing-phishing-resistant-mfa
NIST SP 800-63: https://pages.nist.gov/800-63-3/
Microsoft security guidance: https://learn.microsoft.com/security/