
As organizations rapidly move applications and data to cloud platforms, cloud identity providers have replaced the network perimeter as the primary security boundary. Compromising a single account can provide broad access, making identity one of the highest-value targets for attackers.
Multi-factor authentication (MFA) was once the most effective defense against account takeover. Today, it remains necessary—but it is no longer sufficient without additional steps.
What MFA Was Built to Prevent
Traditional phishing attacks focused on stealing credentials. Users were tricked into entering a username and password into a fake website, which attackers then reused to log in to the real service.
MFA disrupted this model. Even with stolen credentials, attackers could not complete authentication without access to the second factor. For years, this significantly reduced phishing-related compromises.
That protection assumed attackers were outside the authentication flow. Modern attacks no longer operate under that assumption.
How Adversary-in-the-Middle Attacks Bypass MFA
Adversary-in-the-Middle (AiTM) phishing shifts the attack from credential theft to session theft.
Instead of sending users to a fake login page, attackers proxy the real sign-in experience. The victim authenticates to the legitimate service and completes MFA normally. Behind the scenes, the attacker relays all traffic and captures the resulting session token.
Session tokens prove that authentication has already occurred. Once issued, they allow access without requiring the password or MFA again. If an attacker steals the token, MFA is effectively bypassed.
A Typical AiTM Attack Flow
- The user receives a phishing email designed to create urgency.
- Clicking the link routes the user through attacker-controlled infrastructure.
- The attacker proxies the real login service.
- The user enters credentials and completes MFA.
- The identity provider issues a session token.
- The attacker captures and replays the token to access the account.
From the identity provider’s perspective, the attacker’s session is valid. Authentication already succeeded.
Why Traditional MFA Falls Short
Most MFA methods—SMS codes, authenticator apps, and push approvals—can be relayed in real time. AiTM attacks exploit this by forwarding challenges and responses between the victim and the real service.
Because the session token is issued after MFA is completed, MFA alone does not prevent token theft or reuse. Defending against AiTM requires controls that either prevent token capture or limit token usability.
Controls That Actually Reduce Risk
Phish-Resistant Authentication
FIDO2 security keys, passkeys, and certificate-based authentication are resistant to relay attacks. These methods cryptographically bind authentication to the legitimate service and cannot be replayed through a proxy.
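The binding described above can be seen in a simplified WebAuthn verification. The following is an added example, not code from the original article or from any FIDO library: the browser records the origin the user is actually on inside clientDataJSON, the authenticator signs over a hash of that data, and the relying party rejects any assertion whose origin or challenge does not match what it issued. The origins, the credential key and the use of HMAC in place of a real asymmetric credential key pair are constructed simplifications so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values: the relying party's real origin and a hypothetical proxy origin.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.com.proxy.invalid"  # hypothetical attacker-controlled host


def browser_build_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser, not the web page, fills in the origin the user is actually on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()


def authenticator_sign(credential_key: bytes, client_data_json: bytes) -> dict:
    """What the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    A real authenticator signs with a per-site asymmetric key; HMAC with a shared
    key stands in here so the example runs on the standard library alone."""
    authenticator_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed_bytes = authenticator_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(credential_key, signed_bytes, hashlib.sha256).digest()
    return {"authenticatorData": authenticator_data, "clientDataJSON": client_data_json, "signature": signature}


def rp_verify(credential_key: bytes, issued_challenge: bytes, assertion: dict) -> tuple[bool, str]:
    """Relying-party checks, simplified from the WebAuthn assertion verification steps."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed_bytes = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def login_attempt(page_origin: str) -> tuple[bool, str]:
    """One sign-in: the RP issues a challenge, the browser on page_origin builds client data,
    the authenticator signs, the RP verifies. Under AiTM the browser sits on the proxy's origin."""
    credential_key = b"constructed-credential-key"
    challenge = secrets.token_bytes(32)
    client_data = browser_build_client_data(challenge, page_origin)
    assertion = authenticator_sign(credential_key, client_data)
    return rp_verify(credential_key, challenge, assertion)


def replay_attempt() -> tuple[bool, str]:
    """An assertion captured earlier, presented against a fresh challenge, fails the challenge check."""
    credential_key = b"constructed-credential-key"
    old_challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(credential_key, browser_build_client_data(old_challenge, RP_ORIGIN))
    new_challenge = secrets.token_bytes(32)
    return rp_verify(credential_key, new_challenge, assertion)


if __name__ == "__main__":
    print("direct  :", login_attempt(RP_ORIGIN))
    print("proxied :", login_attempt(PROXY_ORIGIN))
    print("replayed:", replay_attempt())
```

The proxied case fails even though the signature itself is valid: the attacker can relay bytes, but cannot change the origin the victim's browser writes into the signed client data. In a real browser the ceremony would not even start, because the relying party ID is not a valid suffix of the proxy's origin; the server-side check shown here is the second line of defence.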
Device-Based Access Controls
Requiring trusted devices adds a second enforcement layer. During sign-in, the identity provider performs an additional check that the request originates from a trusted, managed device rather than from an attacker's proxy server.
Session Token Protection
Short session lifetimes, token binding, and continuous access evaluation reduce the value of stolen tokens and limit attacker dwell time.
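The three controls above can be combined in one token validation path. The following is an added example, not code from the original article or from any identity provider: a session token carries an expiry and a confirmation claim naming the device it was issued to, every request must carry a fresh proof produced with that device's key, and a continuous-access-evaluation (CAE) style revocation event invalidates sessions issued before it. The server secret, device keys and timestamps are constructed; a per-device shared key stands in for the asymmetric device key a real deployment would verify against.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets; a real IdP uses a signing key and per-device asymmetric keys.
SERVER_SECRET = b"constructed-idp-signing-secret"
# Filled at device enrolment. Real deployments store the device's public key and verify a
# signature; a per-device shared key stands in here so the example runs on the stdlib alone.
DEVICE_REGISTRY: dict = {}
# CAE-style events: user -> time at which every session issued so far was revoked.
REVOCATION_EVENTS: dict = {}
PROOF_MAX_AGE_S = 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def enroll_device(device_key: bytes) -> str:
    """Registers a device key and returns its thumbprint, which tokens are bound to."""
    thumbprint = hashlib.sha256(device_key).hexdigest()
    DEVICE_REGISTRY[thumbprint] = device_key
    return thumbprint


def issue_session(user: str, device_thumbprint: str, now: int, lifetime_s: int = 3600) -> str:
    """Short-lived token with a 'cnf' claim binding it to one enrolled device."""
    payload = {"sub": user, "iat": now, "exp": now + lifetime_s, "cnf": device_thumbprint}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def make_proof(device_key: bytes, token: str, method: str, url: str, now: int) -> dict:
    """Run by the device holding the key: the proof covers this token, this request and this time."""
    msg = f"{method} {url} {hashlib.sha256(token.encode()).hexdigest()} {now}".encode()
    return {"ts": now, "sig": _b64(hmac.new(device_key, msg, hashlib.sha256).digest())}


def validate_request(token: str, proof: dict, method: str, url: str, now: int) -> tuple[bool, str]:
    """Server-side checks: token integrity, lifetime, CAE revocation, then device binding."""
    body_b64, tag_b64 = token.split(".")
    body = _unb64(body_b64)
    if not hmac.compare_digest(hmac.new(SERVER_SECRET, body, hashlib.sha256).digest(), _unb64(tag_b64)):
        return False, "bad token signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "token expired"
    revoked_at = REVOCATION_EVENTS.get(claims["sub"])
    if revoked_at is not None and claims["iat"] <= revoked_at:
        return False, "session revoked by CAE event"
    device_key = DEVICE_REGISTRY.get(claims["cnf"])
    if device_key is None:
        return False, "unknown bound device"
    if proof is None or abs(now - proof["ts"]) > PROOF_MAX_AGE_S:
        return False, "missing or stale proof"
    msg = f"{method} {url} {hashlib.sha256(token.encode()).hexdigest()} {proof['ts']}".encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(proof["sig"])):
        return False, "proof not from bound device"
    return True, "ok"


def demo() -> dict:
    """Exercises each control with constructed timestamps (seconds since epoch)."""
    DEVICE_REGISTRY.clear()
    REVOCATION_EVENTS.clear()
    t0 = 1_700_000_000
    laptop_key = b"constructed-laptop-device-key"
    token = issue_session("alice", enroll_device(laptop_key), t0, lifetime_s=900)
    results = {}
    results["legit"] = validate_request(token, make_proof(laptop_key, token, "GET", "/mail", t0 + 10), "GET", "/mail", t0 + 10)
    # Token stolen and replayed from a host that does not hold the device key.
    other_key = b"constructed-other-host-key"
    results["stolen_replay"] = validate_request(token, make_proof(other_key, token, "GET", "/mail", t0 + 20), "GET", "/mail", t0 + 20)
    # A genuine proof observed on one request does not transfer to a different request.
    seen_proof = make_proof(laptop_key, token, "GET", "/mail", t0 + 10)
    results["reused_proof"] = validate_request(token, seen_proof, "GET", "/admin", t0 + 30)
    # Short lifetime: the token is worthless after 900 s.
    results["expired"] = validate_request(token, make_proof(laptop_key, token, "GET", "/mail", t0 + 1000), "GET", "/mail", t0 + 1000)
    # CAE: a risk signal revokes every session issued before t0 + 40.
    REVOCATION_EVENTS["alice"] = t0 + 40
    results["after_cae"] = validate_request(token, make_proof(laptop_key, token, "GET", "/mail", t0 + 50), "GET", "/mail", t0 + 50)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Only the first request succeeds. A token copied off the wire is rejected because the proof must be produced by the bound device for that exact request and time, a lifetime of minutes rather than days caps how long a stolen token is worth anything, and the revocation event ends the session without waiting for expiry.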
Continuous Detection
Identity Threat Detection and Response (ITDR) tools identify anomalous behavior such as unfamiliar devices or impossible travel, enabling rapid containment when prevention fails.
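Two of the signals named above, unfamiliar devices and impossible travel, can be computed from sign-in telemetry alone. The following is an added example, not code from the original article or from any ITDR product: it walks a constructed sign-in log in time order, flags a device identifier not previously seen for that user, and flags consecutive sign-ins whose great-circle distance implies a speed no traveller could reach. The log entries, coordinates and the 1000 km/h threshold are constructed values.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in events (not real telemetry); timestamps are UTC.
SIGNIN_LOG = [
    {"user": "alice", "ts": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "lat": 39.10, "lon": -84.51, "device": "dev-a1"},
    {"user": "alice", "ts": "2024-05-01T08:45:00Z", "ip": "198.51.100.7", "lat": 52.37, "lon": 4.90, "device": "dev-zz9"},
    {"user": "bob", "ts": "2024-05-01T09:00:00Z", "ip": "192.0.2.44", "lat": 40.71, "lon": -74.01, "device": "dev-b1"},
    {"user": "bob", "ts": "2024-05-01T15:00:00Z", "ip": "192.0.2.45", "lat": 41.88, "lon": -87.63, "device": "dev-b1"},
]
MAX_PLAUSIBLE_KMH = 1000.0   # constructed threshold, roughly airliner speed
MIN_DISTANCE_KM = 50.0       # ignore geolocation jitter within one metro area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Returns (user, alert_type, detail) tuples for unfamiliar devices and impossible travel."""
    alerts = []
    last_seen = {}
    known_devices = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        devices = known_devices.setdefault(e["user"], set())
        if devices and e["device"] not in devices:
            alerts.append((e["user"], "unfamiliar_device", f"{e['device']} from {e['ip']}"))
        devices.add(e["device"])
        prev = last_seen.get(e["user"])
        if prev is not None:
            hours = (t - prev["t"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # Same-timestamp sign-ins from far apart are impossible regardless of speed.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > max_kmh):
                alerts.append((e["user"], "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
        last_seen[e["user"]] = {"t": t, "lat": e["lat"], "lon": e["lon"]}
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNIN_LOG):
        print(alert)
```

On the constructed log, alice's second sign-in is reported twice (new device, and roughly 6,600 km covered in 45 minutes), while bob's two sign-ins about 1,100 km and six hours apart raise nothing. Production pipelines add allow-lists for known VPN egress points and corporate IP ranges before applying the distance check, since those are the usual sources of false positives.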
Conclusion
MFA is no longer a complete defense against modern identity attacks. Adversary-in-the-Middle phishing demonstrates that attackers can bypass authentication by stealing sessions instead of credentials.
Effective identity security requires layered controls that reflect how attacks occur: phish-resistant authentication, device trust, hardened sessions, and continuous monitoring.
Identity is now the perimeter. Defending it requires more than a second factor.
About the Author
Chaim Black is a Cyber Security Manager at Intrust IT. He is focused on delivering resilient security operations. He leads day-to-day security team execution while strengthening internal security posture and compliance. Chaim also serves as President of InfraGard Cincinnati, part of the FBI-private sector partnership advancing information sharing and cyber risk awareness.