In today’s threat landscape, attackers no longer need to crack passwords or bypass authentication systems. They can simply wait for a legitimate user to log in, steal the resulting session token, and walk right into the network. This isn’t a flaw in multi-factor authentication (MFA) itself; MFA proves who is at the login prompt and nothing more. The limitation lies in how most organizations treat identity verification: as a one-time event at login rather than as a property of the whole session.
Organizations invest heavily in authentication, ensuring every login passes MFA checks and compliance dashboards gleam green. Yet, once authenticated, the system often fails to monitor what happens next. Attackers exploit this blind spot, using stolen session tokens to escalate privileges, move laterally through Active Directory, and eventually reach the domain controller—all while operating under the guise of a verified user.
The session token: A golden ticket for attackers
Alex Philips, CIO at NOV, uncovered this vulnerability during operational testing. "We discovered a critical gap in our ability to revoke legitimate session tokens at the resource level," Philips explained. "Resetting a password isn’t enough anymore. You must revoke session tokens instantly to stop lateral movement."
Philips’ team found that once a user authenticates successfully, the resulting session token acts as a bearer credential: whoever holds it inherits all of the associated permissions, because the resource receiving it checks only the token’s signature and expiry, not who is presenting it. This architectural blind spot exists in nearly every enterprise identity stack. The token remains trusted until it expires, even after the user’s password has been reset, unless the resource also consults a revocation signal on every request. That leaves networks exposed to token theft and misuse for the full token lifetime. NOV’s findings confirmed that session token theft is a primary vector in advanced attacks, prompting the company to overhaul its identity policies, enforce conditional access, and implement rapid token revocation.
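To make the bearer-credential point concrete, here is an added example (not NOV’s code and not any vendor’s API): a minimal HMAC-signed token issuer, a naive resource-side check that trusts the token until expiry, and a hardened check that also consults a hypothetical RevocationStore holding per-session and per-user cutoffs. The signing key, user names, session ids and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the example; a real issuer uses a managed key.
SIGNING_KEY = b"example-signing-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, jti: str, now: float, ttl: int = 3600) -> str:
    """Mint an HMAC-signed bearer token: <base64 claims>.<base64 signature>."""
    claims = {"sub": user, "jti": jti, "iat": int(now), "exp": int(now) + ttl}
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url_encode(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_token(token: str):
    """Return the claims if the signature verifies, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None


def verify_naive(token: str, now: float):
    """What most resources do: signature and expiry only.
    A stolen token stays valid until exp, even after a password reset."""
    claims = parse_token(token)
    if claims is None or now >= claims["exp"]:
        return None
    return claims["sub"]


class RevocationStore:
    """Hypothetical per-resource revocation state; in practice a shared
    cache consulted on every request, not only at login."""

    def __init__(self):
        self.revoked_jti = set()  # individual sessions killed by an analyst
        self.not_before = {}      # user -> cutoff; tokens issued earlier are dead

    def revoke_session(self, jti: str) -> None:
        self.revoked_jti.add(jti)

    def revoke_all_for_user(self, user: str, now: float) -> None:
        # Called on password reset or on a "sign out everywhere" action.
        self.not_before[user] = int(now)


def verify_with_revocation(token: str, now: float, store: RevocationStore):
    """Hardened check: signature, expiry, per-session and per-user revocation."""
    claims = parse_token(token)
    if claims is None or now >= claims["exp"]:
        return None
    if claims["jti"] in store.revoked_jti:
        return None
    if claims["iat"] < store.not_before.get(claims["sub"], 0):
        return None
    return claims["sub"]


def stolen_token_scenario(t0: float = 1_700_000_000.0) -> dict:
    """The gap NOV describes: token stolen, password reset, token still
    accepted by the naive check but rejected once revocation is enforced."""
    store = RevocationStore()
    stolen = issue_token("alice", "sess-1", t0)  # attacker exfiltrates this
    store.revoke_all_for_user("alice", t0 + 60)   # helpdesk resets the password
    return {
        "naive_after_reset": verify_naive(stolen, t0 + 120),
        "hardened_after_reset": verify_with_revocation(stolen, t0 + 120, store),
    }
```

The per-user cutoff is what makes a password reset actually end sessions: any token minted before the reset fails the `iat` check regardless of its `exp`. The cost is a lookup on every request, which is exactly the "resource level" revocation Philips describes; shortening `ttl` alone only narrows the window, it does not close it.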
The rise of identity-based attacks over malware
Attackers have shifted tactics, abandoning malware in favor of stolen identities. According to CrowdStrike’s 2026 Global Threat Report, the average breakout time (the interval between an adversary’s initial access and their first lateral movement) dropped to just 29 minutes in 2025, with the fastest recorded breakout clocking in at 27 seconds. In 82% of detections that year, no malware was deployed at all.
"Adversaries have realized that stealing legitimate credentials or using social engineering is one of the fastest ways to gain access," said Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike. Modern endpoint detection makes malware deployment riskier and more costly, while a valid credential or session token matches no malware signature and, without a behavioral baseline for the account, raises no alert: it provides immediate access that looks like ordinary user activity.
Social engineering attacks have surged alongside this shift. Vishing attacks grew by 442% between the first and second halves of 2024, while deepfake fraud attempts rose over 1,300% in 2024, according to Pindrop’s 2025 Voice Intelligence & Security Report. Face swap attacks increased by 704% in 2023. A 2024 study cited in CrowdStrike’s 2025 Global Threat Report found that AI-generated phishing emails achieved a 54% click-through rate—nearly matching expert-crafted human phishing and far outperforming generic bulk phishing at 12%.
The danger isn’t that AI makes individual attackers more formidable; it’s that AI democratizes expert-level social engineering at scale, turning credential theft into an industrialized process.
The identity blind spot between IAM and SecOps
As threats evolve, so do the gaps in defense strategies. By 2026, Gartner predicts that 30% of enterprises will consider face-based identity verification and biometric authentication unreliable in isolation due to AI-generated deepfakes. This forecast highlights a growing distrust in static authentication methods.
Kayne McGladrey, IEEE Senior Member, emphasized the need to reframe cybersecurity as a business risk rather than a technical problem. "Cybersecurity risks are often mislabeled," he noted. "If it doesn’t impact the business—like financial loss—it won’t get proper attention or budget. Session governance, token lifecycle management, and cross-domain identity correlation fall into a gap between IAM and SecOps because no one owns the risk."
Mike Riemer, Field CISO at Ivanti, has observed this disconnect across two decades of shifting security paradigms. "Until I validate not just who you are but what you’re doing, I can’t trust the interaction," he explained. Cross-domain visibility is critical: with an average breakout time of about 29 minutes, and some intrusions moving laterally within seconds, defenders have very little time to detect and contain an intrusion before damage escalates.
Organizations must move beyond MFA-centric security models. Real-time session monitoring, conditional access policies, and rapid token revocation aren’t optional—they’re essential to closing the gaps that attackers exploit today.
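As an added example of the session monitoring the article calls for (not code from any of the organizations or vendors quoted), the following detector runs over a constructed access log and flags a session id that is presented from a source IP and user agent different from those it was first seen with, emitting the revocation action an analyst would take. The log lines, session ids, addresses and field names are invented for the example.

```python
import json
from datetime import datetime, timezone

# Constructed access log for the example (not real telemetry). Session s-7f3a
# is first seen from a corporate workstation, then replayed eleven minutes
# later from an external address with a scripting user agent.
SAMPLE_LOG = """\
{"ts":"2025-01-14T09:00:12Z","sid":"s-7f3a","user":"jdoe","ip":"10.1.4.23","ua":"Edge/120","path":"/mail"}
{"ts":"2025-01-14T09:03:40Z","sid":"s-7f3a","user":"jdoe","ip":"10.1.4.23","ua":"Edge/120","path":"/files"}
{"ts":"2025-01-14T09:11:05Z","sid":"s-7f3a","user":"jdoe","ip":"198.51.100.77","ua":"python-requests/2.31","path":"/admin/users"}
{"ts":"2025-01-14T09:12:30Z","sid":"s-7f3a","user":"jdoe","ip":"198.51.100.77","ua":"python-requests/2.31","path":"/admin/roles"}
{"ts":"2025-01-14T09:15:00Z","sid":"s-9c10","user":"asmith","ip":"10.1.4.50","ua":"Chrome/121","path":"/mail"}
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_hijacked_sessions(log_text: str) -> list:
    """Flag a session id presented from a client context (source IP and
    user agent) that differs from the one it was first seen with.

    Returns one alert per session, carrying the revocation action to take."""
    first_seen = {}  # sid -> (datetime, ip, ua)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["sid"]
        when = parse_ts(ev["ts"])
        if sid not in first_seen:
            first_seen[sid] = (when, ev["ip"], ev["ua"])
            continue
        t0, ip0, ua0 = first_seen[sid]
        changed = []
        if ev["ip"] != ip0:
            changed.append("ip")
        if ev["ua"] != ua0:
            changed.append("ua")
        if changed and sid not in alerted:
            alerted.add(sid)  # one alert per session; later requests are the same incident
            alerts.append({
                "sid": sid,
                "user": ev["user"],
                "changed": changed,
                "first_context": (ip0, ua0),
                "new_context": (ev["ip"], ev["ua"]),
                "first_path_after_change": ev["path"],
                "minutes_since_first_seen": round((when - t0).total_seconds() / 60, 1),
                "action": f"revoke session {sid} and require re-authentication for {ev['user']}",
            })
    return alerts
```

An IP change alone is often benign (VPN reconnects, mobile carriers), so a production rule would weight the user-agent change and the privileged path more heavily and feed the alert straight into the revocation path rather than only paging someone. An attacker who also copies the victim’s user agent evades this check, which is why sender-constrained tokens (for example DPoP, RFC 9449) or device-bound sessions are the stronger answer; the detector above is the monitoring layer that catches the cases binding does not cover.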
AI summary
MFA verifies logins but does not see what happens after the session begins. Attackers can break into systems in 29 minutes. Why are session token management and continuous monitoring critical?