Most organizations view multi-factor authentication (MFA) as a critical layer of defense against unauthorized access—and rightfully so. It’s a powerful security measure that significantly raises the bar for attackers. But like any control, it’s not foolproof.
In this week’s Tech Talk Tuesday, we dive into where MFA starts to fall short—especially against nation-state and advanced persistent threat (APT) actors—and what additional steps you can take to strengthen your defenses.
At its core, MFA works by requiring at least two of the following:
Something you know – Usually your password.
Something you have – Such as a mobile authenticator app or a hardware security key (e.g., YubiKey).
Something you are – Biometric identifiers like fingerprints or retinal scans.
The assumption is that combining multiple factors significantly reduces the chances of unauthorized access. And in most cases, that holds true. But as we’ll see, the story doesn’t end at authentication.
One of the more secure MFA standards is Universal 2nd Factor (U2F). This open standard, developed by several major tech players, powers many hardware tokens used today.
Here’s how it typically works:
A user logs in with their username and password.
They are prompted to present their hardware key (via USB or NFC).
The key provides a cryptographically secure signature, which completes the login process.
This method offers robust protection—on paper. However, the problem doesn’t lie in the login process itself, but in what happens after you’re authenticated.
The hard truth is that even with MFA in place, attackers can bypass it altogether—not by cracking the authentication process, but by stealing what comes next: session cookies.
Once a user is authenticated, their session is typically maintained using a cookie. If an attacker gets access to that cookie, they can impersonate the user without needing credentials or triggering MFA again.
APT groups like APT29 (Cozy Bear) and APT37 (linked to North Korea) have leveraged this exact technique in real-world campaigns. Toolkits like Primeware even automate the process.
Here’s a simplified look at how an attacker might pull this off on a Chromium-based browser (Chrome, Brave, Microsoft Edge, etc.):
Launch the browser in developer mode – This gives elevated access to internal browser data.
Enumerate active pages – The attacker queries the browser for open tabs and associated data.
Extract cookies – They retrieve session cookies from active sessions, such as your email or company portal.
These stolen cookies can then be used on another device to hijack a session—with no need for credentials or MFA prompts.
This method is disturbingly simple and works against even major browsers like Microsoft Edge, which many enterprises rely on.
Whether or not an attacker can make use of a stolen cookie depends on how the web application handles session tracking. Unfortunately, many don’t do it well.
Some applications do attempt to tie a session to an IP address or location. For example, if your IP suddenly jumps from New York to Tokyo, a well-designed system might flag and invalidate the session.
But others don’t. VPN users regularly change locations, so many services are lax with this kind of validation to avoid frustrating legitimate users.
Similarly, cookie lifespans vary widely—from hours to months. That means a stolen cookie might offer long-term access unless the session is actively managed or timed out.
We’ve tested this technique ourselves, with client permission, against major applications that rely on MFA. It works. And not just against small or poorly designed platforms—some very well-known services are still vulnerable to cookie-based session hijacking.
So what can you do to defend against cookie hijacking, especially in environments where MFA is already deployed?
The point here isn’t to abandon MFA. It’s a vital layer of protection and remains a must-have for any organization. Even insurers now require 2FA before issuing or renewing cyber liability policies.
Never assume that a session is secure just because it began with MFA. If a session cookie is hijacked, attackers bypass MFA entirely. Monitoring session behavior is essential.
Determine how much visibility your web services provide into active sessions. Can you track IPs, device fingerprints, or unusual access patterns? Implement anomaly detection for things like concurrent logins from different countries.
Shorten session timeouts, tie sessions to specific client characteristics, and consider invalidating sessions when suspicious activity is detected (e.g., a new login from an unexpected location).
Both web server logs and host-based telemetry can help you spot cookie hijacking attempts. Look for signs like duplicate session tokens being used from different endpoints.
Multi-factor authentication is a powerful tool—but like any security measure, it’s not bulletproof. Session management often becomes the weakest link, especially when targeted by advanced threat actors.
By combining MFA with strong session controls, anomaly detection, and proactive threat hunting, you can close the gap and make it much harder for attackers to gain or maintain access.
Our products are designed to work with
you and keep your network protected.
Insane Cyber © All Rights Reserved 2025
