VFF - The signal in the noise
News

MFA Stops at Login. Attackers Start There.

Read original
Share
MFA Stops at Login. Attackers Start There.

MFA successfully authenticates users at login but provides no visibility into what happens after, creating a critical blind spot that attackers exploit through lateral movement and privilege escalation. A CIO at NOV discovered this architectural gap during operational testing, finding that session token theft, not credential compromise, is the primary vector in advanced attacks. With average breach breakout time now 29 minutes and 82% of 2025 detections involving no malware, attackers have shifted to stealing legitimate credentials and session tokens rather than deploying code.

  • MFA verifies identity at login but goes blind afterward, leaving lateral movement and privilege escalation undetected
  • Session token theft is now the primary attack vector, with average breakout time at 29 minutes and fastest at 27 seconds
  • Vishing attacks rose 442% in 2024, while AI-generated phishing matches human-crafted phishing at 54% click-through rates
  • Enterprises lack rapid token revocation capabilities at the resource level, creating a gap between IAM and SecOps

MFA has become table stakes for compliance but creates a false sense of security by stopping at authentication. The real threat operates post-login through stolen session tokens, which inherit all user permissions without triggering alerts or matching signatures. This architectural blind spot means most enterprises are protected at the front door while attackers operate freely inside.

Compliance dashboards showing green MFA metrics mask active breaches happening in real time. Organizations must shift from point-in-time authentication to continuous session validation and rapid token revocation, requiring new investments in identity infrastructure and cross-team coordination between IAM and security operations.

  • Session token management and revocation must become a core security control, not an afterthought in identity architecture
  • AI-powered social engineering has commoditized credential theft, making the credential supply chain an industrial-scale threat
  • Biometric and face-based authentication alone are insufficient due to deepfake attacks, requiring layered post-authentication controls
  • The gap between IAM teams and SecOps teams is where attackers operate undetected after successful login

Monitor how enterprises implement rapid token revocation at the resource level and whether identity platforms add continuous session validation. Watch for shifts in security budgets from authentication tools toward post-authentication monitoring and lateral movement detection. Track whether regulatory frameworks begin requiring session-level controls, not just MFA compliance.

Share

Subscribe to the newsletter

The latest stories and analysis, delivered to your inbox.

Free. No spam. Unsubscribe any time.

Related stories

Alibaba, ByteDance Halt AI Agent Features as China Tightens Rules

Alibaba, ByteDance Halt AI Agent Features as China Tightens Rules

Alibaba and ByteDance are halting personalized AI agent creation features in their chatbot apps as China prepares to enforce new regulations on humanlike AI interactions. ByteDance's Doubao, the country's most popular AI app by user count, and Alibaba's Qwen are among the services affected. The move reflects tightening regulatory oversight of AI capabilities in China.

by Henry Siu· The Information
Palantir CEO Claims Government Customers Fleeing to Open Source AI

Palantir CEO Claims Government Customers Fleeing to Open Source AI

Palantir CEO Alex Karp is positioning his company as a necessary intermediary layer between enterprises and AI providers like OpenAI and Anthropic. Following a CNBC appearance, Karp claimed some U.S. government customers have switched to open source AI alternatives, and accused major AI firms of data theft and overcharging. Palantir is marketing itself as a protective buffer that helps businesses and governments avoid risks from newer AI vendors.

by Phoebe Liu· The Information
Alibaba Bans Claude, Citing Security Concerns

Alibaba Bans Claude, Citing Security Concerns

Alibaba Group has banned employees from using Anthropic's Claude and ordered them to remove all Claude models from work computers, citing security concerns about Anthropic. The directive was communicated to some employees on Friday. The ban affects Alibaba's workforce and signals growing tension around AI tool adoption in large enterprises.

by Qianer Liu· The Information
OpenAI Proposes 5 Percent Government Stake to Ease Trump Tensions

OpenAI Proposes 5 Percent Government Stake to Ease Trump Tensions

OpenAI has proposed giving the US government a 5 percent ownership stake in the company as a way to ease tensions with the Trump administration and address public concerns about AI, according to the Financial Times. CEO Sam Altman reportedly pitched the idea to Trump early last year, arguing that giving the public a financial interest in the company would be the best way to share the upside of AI. Based on OpenAI's latest $852 billion valuation, the stake would be substantial.

by Robert Hart· The Verge AI
MFA Stops at Login. Attackers Start There. | VFF - The signal in the noise