MFA verifies who logged in. It has no idea what they do next.
Summary
Multi-Factor Authentication (MFA) provides insufficient security against modern cyber threats because it only verifies identity at login, creating a critical blind spot for post-authentication activities. Attackers exploit this architectural flaw by stealing legitimate session tokens to perform lateral movement and privilege escalation, often without deploying malware. CrowdStrike's 2026 Global Threat Report highlights a dramatic decrease in e-crime breakout times, averaging 29 minutes in 2025, with the fastest recorded at 27 seconds. AI-powered social engineering, including a 442% surge in vishing and a 1,300% rise in deepfake fraud in 2024, has made credential theft highly scalable. NOV CIO Alex Philips identified this gap, leading his team to implement rapid token revocation, shorten token lifetimes, enforce conditional access, and establish separation of duties to mitigate risks. This approach transformed their security posture, demonstrating that post-authentication session governance is crucial.
Key takeaway
For CIOs and CISOs evaluating your organization's identity security posture, recognize that MFA is merely a starting point. Your current authentication systems likely have an architectural blind spot, allowing attackers to exploit stolen session tokens post-login. You must prioritize implementing rapid session token revocation, shortening token lifetimes, and extending conditional access beyond initial authentication. Failing to address this gap leaves your enterprise vulnerable to fast-moving, malware-less attacks, as demonstrated by breakout times as low as 27 seconds.
Key insights
MFA alone is insufficient; post-authentication session governance is critical to counter advanced, token-based attacks.
Principles
- Authentication is a point-in-time check.
- Stolen session tokens bypass MFA.
- Security perimeters must extend beyond login.
Method
NOV implemented rapid token revocation, shortened token lifetimes, enforced conditional access, and established separation of duties, supported by AI-driven log analysis.
In practice
- Shorten interactive session token lifetimes to hours.
- Extend conditional access beyond initial login.
- Replace SMS/push MFA with FIDO2/passkeys.
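The following Python sketch is an added illustration of the post-authentication governance described above (it is not code from NOV or the original article): it issues short-lived, device-bound session tokens and re-checks signature, expiry, revocation, device binding and separation of duties on every request, not only at login. The HMAC signing key, the in-memory revocation set and the claim names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = secrets.token_bytes(32)   # hypothetical server-side signing key
TOKEN_TTL = 4 * 3600               # interactive session lifetime in seconds (hours, not days)
revoked = set()                    # hypothetical revocation store (shared cache in practice)


def _sign(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def _claims(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body))


def issue_token(user: str, device_id: str, now: float) -> str:
    """Issue a signed token bound to a device with a short expiry."""
    claims = {"sub": user, "jti": secrets.token_hex(8),
              "dev": device_id, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"


def revoke(token: str) -> None:
    """Rapid revocation: the token id is refused on the next request."""
    revoked.add(_claims(token.split(".")[0])["jti"])


def authorize_request(token: str, device_id: str, now: float,
                      privileged: bool = False, approver: str = None) -> tuple:
    """Re-evaluate access on every request; the login-time MFA result is not trusted alone."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"          # tampered token
    claims = _claims(body)
    if now >= claims["exp"]:
        return False, "expired"                # short lifetime limits a stolen token's value
    if claims["jti"] in revoked:
        return False, "revoked"
    if claims["dev"] != device_id:
        return False, "device mismatch"        # token replayed from another host
    if privileged and approver == claims["sub"]:
        return False, "separation of duties"   # requester may not approve their own action
    return True, "ok"
```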
Topics
- Session Token Theft
- Multi-Factor Authentication
- Identity and Access Management
- Conditional Access
- Rapid Token Revocation
- Zero Trust Architecture
Best for: AI Security Engineer, Security Engineer, CTO
Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.