← All writing

Infrastructure & Security Simplified

You turned on MFA. The stolen session didn't care.

There’s a comfortable belief doing the rounds in boardrooms: we have multi-factor authentication, so identity is handled. It’s a good control and worth having. It is also not the finish line it gets mistaken for.

Here is the gap, in plain terms. A lot of credential theft now doesn’t bother cracking passwords at all. Malware lands on someone’s laptop, often through something as dull as a fake document or a dodgy download, and quietly lifts what the browser has already saved. Not just passwords, but the session tokens and cookies that prove you have already logged in. Hand an attacker a live session token and they need neither your password nor your second factor. The system already believes the session is you. They walk in through a door you opened and never closed.

This is why “we have MFA” and “we are secure on identity” are not the same sentence. MFA guards the moment of logging in. It does very little about a session that is already authenticated and has been lifted wholesale. The control is real, but it is watching one specific door while a window stands open.

None of this means MFA was a waste. It means the job didn’t end when you switched it on. Shorter session lifetimes, so a stolen token goes stale before it’s much use. Phishing-resistant methods like passkeys, which don’t leave a reusable secret lying around. An eye on the same account appearing in two countries within the hour. And, less glamorously, keeping the laptops those sessions live on clean, because that is where the theft actually happens.

The uncomfortable version is simple. The strongest lock on the front door is no help if someone is already inside wearing your coat. Identity security is something you keep doing, not something you finished buying.

  • #CyberSecurity
  • #MFA
  • #IdentitySecurity
  • #InfoSec

Written by Mandeep Singh. More at the writing index or get in touch.