TL;DR:
- While passwordless authentication eliminates credential theft, it remains vulnerable to session hijacking, where attackers steal post-login tokens via malware to bypass MFA and passkeys entirely.
- Compromised session tokens allow adversaries to "replay" valid sessions, granting them full access to deploy ransomware or steal data without ever needing a password.
- Security teams must move beyond login protection by implementing technical controls like IP binding and short timeouts, while proactively monitoring the dark web for stolen session artifacts.
It’s not just account credentials that are at stake anymore; the definition of “credentials” now encompasses all authentication entry points into an account – including session tokens and cookies that persist after authentication. As enterprises adopt passwordless authentication to eliminate password-based attacks, a critical vulnerability remains: session hijacking. This attack bypasses passwordless methods entirely by targeting the session artifacts created after successful authentication.
What is session hijacking?
Session hijacking, or cookie hijacking, is a cyberattack where an attacker steals a user’s session identifier to gain unauthorized access to an authenticated web session. This allows them to impersonate a legitimate user without needing a password or passing an MFA challenge.
What is passwordless authentication?
Passwordless authentication verifies a user’s identity without requiring a memorized secret like a password. This shift is meant to eliminate password-related vulnerabilities like phishing and credential stuffing.
Common methods rely on something the user has or is:
- Cryptographic keys (passkeys, WebAuthn)
- Biometrics (fingerprint, Face ID)
- One-time codes (magic links, push notifications)
Why session hijacking threatens passwordless security
Most enterprises are underestimating session hijacking, viewing passwordless authentication as a complete solution. As passwordless adoption grows, attackers simply shift their focus from stealing passwords to stealing the session tokens created after authentication.
This attack bypasses the initial login, rendering even strong methods like MFA and passkeys ineffective. With a stolen session token, attackers gain full access to do anything the legitimate user can, from stealing data to deploying ransomware.
How session hijacking bypasses passwordless authentication
The vulnerability exists because authentication and session management are separate processes. A user authenticates once with a passkey, and the application then issues a session token to maintain the logged-in state.
- The Bypass Mechanism: An attacker with malware on the user’s device steals this token from the browser’s storage and ‘replays’ it from their own machine. The application sees a valid session and grants access, never prompting for the passkey or MFA again.
Common session hijacking attack vectors
Malware-stolen session cookies
This is the most prevalent vector, driven by infostealer malware like RedLine, Raccoon, and Lumma. This malware exfiltrates session tokens directly from browser storage on infected devices. These stolen sessions are then packaged and sold on dark web marketplaces.
Man-in-the-middle (MitM) attacks
In a MitM attack, an adversary intercepts communication between a user and a server, often on unsecured Wi-Fi. If the connection is not properly encrypted, the attacker can capture session tokens in transit.
Cross-site scripting (XSS)
Attackers can exploit vulnerabilities in a web application to inject malicious scripts (XSS). These scripts run in the user’s browser and can be used to steal session cookies that are not properly secured.
Why passwordless methods don't prevent session hijacking
When we demo a session hijack to customers, it’s 15 seconds they won’t soon forget.
In a world where passkeys are gaining widespread enterprise adoption, session hijacking remains the persistent blind spot. The core issue is that all authentication methods must create a session for usability, and that session token itself is the target.
No passwordless method is immune:
- Passkeys/WebAuthn: Secure the initial login, but the session token issued afterward is vulnerable to theft from the endpoint.
- Magic Links: The one-time link creates a session that can then be hijacked like any other.
- Biometrics: This authenticates the user to their device, but the resulting session token can still be stolen by malware on that same device.
Understanding passwordless, sessions, and MFA
It’s easy to confuse the roles of different security controls. A common misconception is that combining passwordless with MFA makes an account immune to takeover, but these controls primarily protect the point of authentication, not the session that follows.
- Passwordless protects against password theft and phishing, but doesn’t protect against session hijacking via malware.
- MFA protects against single-factor compromise, but doesn’t protect against post-auth session token theft.
- Passkeys protect against credential phishing, but don’t protect against malware stealing session tokens.
Defending against session hijacking: technical and identity-based controls
A multi-layered defense is required because technical controls alone don’t provide visibility into threats originating outside your perimeter.
Technical defenses
These server-side controls are critical for hardening sessions, but they are only as strong as their implementation:
- Binding session tokens to IP addresses or device fingerprints.
- Setting short session timeouts to limit the window of opportunity for attackers.
- Using HttpOnly/Secure flags on cookies to prevent script-based theft.
Identity-based defenses (SpyCloud's approach)
The most effective strategy includes monitoring the criminal underground for exposures before they are weaponized, and using that intelligence to identify at-risk accounts. SpyCloud provides this intelligence by recapturing stolen session cookies from infostealer malware logs and successful phishing campaigns.
This allows security teams to detect and invalidate compromised sessions tied to their employees and customers, and to launch incident response actions as needed.
Protecting your organization from session hijacking
To secure your organization in the passwordless era, you must look beyond the point of authentication. A comprehensive strategy involves:
- Implementing strong technical session security controls.
- Monitoring for stolen session artifacts on the criminal underground.
- Integrating session threat intelligence into your security program to move from a reactive to a proactive defense.
SpyCloud’s session identity protection solutions monitor the criminal underground for stolen session cookies tied to your organization. By detecting these exposures before attackers can exploit them, we give security teams the head start needed to terminate compromised sessions and prevent account takeover.
FAQs
No, passkeys secure the initial login, but they do not protect the session token created afterward, which can still be stolen by malware.
No, because session hijacking bypasses the login process where MFA is checked by using a token from an already authenticated session.
The main risk is a false sense of security, as it shifts the attack surface from credential theft to post-authentication session hijacking.
The best defense combines technical session hardening with proactive monitoring of the criminal underground for stolen session tokens.
SpyCloud recaptures data from infostealer malware logs and phishing campaigns on the dark web, allowing us to find and alert you to stolen session cookies before they are used.