From MFA Fatigue to Token Theft: ITDR and Just-In-Time Access as the Backbone of Zero-Trust Security
Introduction
Identity has become the control plane of modern enterprises. Applications, data, and infrastructure live across clouds and devices, while users move between home networks, airports, and coffee shops. In that world, a username, a set of access tokens, and a handful of entitlements can unlock everything. Adversaries understand this shift. They have pivoted from targeting hardened perimeter defenses to exploiting identity workflows themselves—pressing users into approving rogue prompts, tricking OAuth consent, and stealing browser cookies and refresh tokens that outlive passwords.
This blog explores how two practices—Identity Threat Detection and Response (ITDR) and Just-In-Time (JIT) access—form the backbone of a workable zero-trust model. ITDR gives you the instrumentation and muscle to detect, investigate, and contain identity abuse in real time. JIT, meanwhile, removes standing privilege so the blast radius of any credential or token theft is drastically reduced. We’ll unpack the mechanics of common identity attacks from MFA fatigue to token hijacking, highlight defenses that actually matter, and map out how to build an identity-centric control plane that continuously verifies trust. Real incidents illustrate how these controls change outcomes, and practical patterns will help you start or accelerate your program without boiling the ocean.
The modern identity attack surface
MFA fatigue and push bombing
Multi-factor authentication increased attacker costs, but push-based MFA became a social-engineering target. In “MFA fatigue” attacks, an adversary repeatedly triggers prompts hoping the user approves to stop the noise. In 2022, a major ride-sharing company reported a breach after an attacker spammed a contractor’s MFA prompts, then reached out on WhatsApp posing as IT to “help” the approval. A single accepted notification opened the door to internal tools and secrets.
Token theft and session hijacking
Once inside a user’s device or browser profile, adversaries look for cookies and refresh tokens. Unlike passwords, tokens often persist and can be replayed from another machine, especially if not sender-constrained. In early 2023, a well-known CI platform disclosed a breach in which an engineer’s laptop was infected and session tokens were exfiltrated, granting access to production systems. Attackers also target OAuth grants: in 2022, stolen OAuth tokens issued to popular integration platforms were used to access repositories on a major code hosting service. With valid tokens, adversaries bypass MFA entirely and move laterally across SaaS and cloud control planes.
Consent phishing and device compromise
Phishing evolved from stealing passwords to stealing one-time codes and consent. In 2022, a communications provider reported a compromise where employees were tricked into entering credentials and OTPs on a fake SSO page. Elsewhere, users were lured into granting malicious applications broad API scopes via OAuth consent screens that looked legitimate. Meanwhile, low-sophistication malware scrapes browser storage for cookies and autofill data, and higher-end tradecraft harvests cloud CLI credentials, local caches, and keychains. The target is consistent: identity material that unlocks access without tripping login defenses.
Zero trust and why ITDR plus JIT are the backbone
Zero trust is a strategy, not a product: never trust, always verify; assume breach; limit blast radius. Its practical expression is continuous, risk-informed access decisions tied to identity, device posture, and resource sensitivity. Two capabilities make zero trust durable:
- ITDR instruments the identity plane, correlating signals from IdPs, endpoints, SaaS, and cloud to detect and disrupt abnormal identity activity. It is the security operations counterpart to identity management.
- JIT access replaces standing privileges with ephemeral, scoped, time-bound rights. By shrinking the window and scope of power, JIT converts many incidents into near misses and renders stolen tokens less valuable.
Think of ITDR as your early warning and brake system and JIT as the crumple zone that limits damage. Together, they enable continuous verification and least privilege at human speed.
What effective ITDR looks like
Identity telemetry and the graph
Effective ITDR starts by building an identity graph: users, devices, accounts (human and service), groups, roles, entitlements, OAuth app grants, and relationships among them. Feed it with telemetry from the identity provider (authentication logs, risk signals, token issuance), endpoints (EDR detections, browser credential access), SaaS and cloud APIs (admin actions, data exfiltration, privilege changes), and network proxies or SWGs (session metadata and anomalies). Augment with HR data, geolocation, device compliance, and known good baselines.
Detection content that matters
- MFA fatigue patterns: abnormal volume of push prompts, approvals within seconds of issuance, approvals outside working hours, or on new devices without prior trust.
- Token anomalies: token use from atypical ASN or country immediately after issuance in another region; refresh token replay; OAuth grants with risky scopes; sudden proliferation of long-lived PATs.
- Privilege escalations: new admin role assignments, group membership to sensitive roles, disabling of MFA, or changes to conditional access policies.
- Impersonation and consent abuse: user-to-app grants to unfamiliar publishers; mass consent via delegated admin; service principal acquiring roles beyond baseline.
- Lateral movement via identity: sign-ins to SaaS rarely used by the user; API calls that enumerate tenants, mailbox rules creation, or download of all project artifacts.
Response actions and playbooks
ITDR must convert detections into surgical, reversible actions:
- Revoke sessions and invalidate refresh tokens for the identity and application scope in question.
- Trigger step-up authentication with phishing-resistant methods for continued access.
- Quarantine OAuth apps by revoking grants and requiring admin re-consent; block new consent temporarily.
- Remove or expire elevated roles and groups; roll back recent privilege changes.
- Contain endpoints by isolating the device or killing browser processes observed accessing credential stores.
Automate these in SOAR runbooks with human-in-the-loop for high-impact actions. Measure mean time to detect (MTTD) and respond (MTTR) specifically for identity events.
ITDR in practice: from alert to containment
Consider an attacker who brute-forces a weak VPN-SSO password and begins MFA push bombing. The IdP generates dozens of prompts; analytics flag an unusual prompt rate. The user finally approves after receiving a fake “IT” message on a messaging app. ITDR correlates the approval with an unfamiliar device fingerprint and ASN, flags high risk, and automatically enforces step-up with a phishing-resistant factor. When the attacker cannot satisfy the step-up, the system revokes sessions and disables push for the account until verification.
In a different scenario, malware on a developer’s laptop steals browser cookies and a cloud CLI refresh token. Minutes later, a session is established from a data center ASN the developer has never used. ITDR detects a refresh token used from a new location without a corresponding device posture, triggers token revocation for that application, and places the endpoint in containment. A follow-up playbook rotates repository deploy keys, revokes OAuth grants for CI integrations, and scans audit logs for administrative actions taken during the window. Because the developer did not hold standing admin rights, no privileged changes occurred, and access to production requires separate JIT approval, foiling escalation.
Designing Just-In-Time access for humans
Replace standing privilege
Standing admin membership and broad project roles are the oxygen of lateral movement. JIT limits oxygen by issuing privilege only when requested, approved, and justified, and by making it expire automatically. Core patterns include:
- Privileged elevation for cloud and SaaS admin roles: users request a role with a justification; access is granted for a short window (e.g., 30–120 minutes) with step-up authentication.
- Task-scoped elevation: grant only the specific permission needed (e.g., “reset a password,” “update DNS record”) rather than an entire role.
- Endpoint ephemeral admin: users elevate a single process or short session locally; audit every privileged command.
Approvals, automation, and guardrails
Use dynamic approval rules: auto-approve low-risk requests (during business hours, on managed devices, for low-impact scopes) and require peer or duty-manager approval for higher risk. Enforce separation of duties by preventing approvers from approving their own or collusive requests. Integrate with chat tools so approvers see context—who, what, device posture, recent risk—and can approve or deny quickly.
Break-glass accounts should exist but be tightly controlled: hardware-backed MFA, vault check-out with dual control, and continuous rotation. Every JIT grant emits telemetry to ITDR, enabling correlation between elevation and subsequent actions. Metrics like “standing privilege minutes” and “mean time to approve” track program health.
Practical defenses for MFA fatigue and consent abuse
- Adopt phishing-resistant MFA: FIDO2/WebAuthn with platform or roaming authenticators; where not possible, use number matching and in-app verification with rich context (geolocation, device, app name).
- Rate-limit and progressively challenge pushes: block bursts, require biometric unlock for repeated prompts, and auto-disable push for accounts showing fatigue patterns until re-verified.
- Reduce prompt frequency safely: use device-bound, short-lived sessions with continuous risk evaluation so users authenticate less often but with higher assurance; avoid “remember me on any device” policies.
- Harden helpdesk flows: require step-up verification before honoring MFA reset or unlock requests; script responses to suspected fatigue attacks instead of ad hoc advice.
- Govern OAuth consent: limit user consent to vetted publishers and scopes; use admin consent workflows; routinely review and revoke unused grants.
- Educate for recognition, not blame: teach users what a legitimate prompt looks like, what to do when spammed, and how IT contacts employees. Couple training with real-time in-product guidance on prompts.
Token security architecture that resists theft
Short-lived and sender-constrained tokens
Prefer access tokens with short lifetimes (minutes) and rotate refresh tokens frequently. Adopt sender-constrained tokens where possible so stolen tokens cannot be replayed from another host. Options include mutual TLS (mTLS) bound tokens and OAuth 2.0 Demonstration of Proof-of-Possession (DPoP), which cryptographically ties a token to a private key on the client.
Modern OAuth and OIDC hygiene
- Enforce PKCE for public clients and avoid implicit flow. Favor authorization code with PKCE and use back-channel logout to cut off sessions rapidly.
- Scope minimally: grant the least powerful permissions; avoid broad “offline_access” unless necessary and time-bound.
- Audit OAuth apps: require signed apps, publisher verification, and removal of unused integrations. Detect new high-privilege grants in near real time.
Session and browser hardening
- Mark cookies HttpOnly and Secure; evaluate SameSite settings to limit cross-site exfiltration.
- Protect browser credential stores: disable weak “remember passwords” for corporate apps; monitor for processes accessing browser databases; deploy EDR rules to flag token-harvesting behavior.
- Adopt continuous access evaluation: propagate risk or revocation events to relying parties so sessions terminate promptly when device, user, or network risk changes.
- Prefer confidential clients for desktop agents and use secure enclaves or OS keychains to store secrets.
Machine and workload identities deserve JIT and ITDR, too
Service accounts, CI/CD tokens, cloud access keys, and API keys often have more power than humans and live far longer. Apply the same principles:
- Replace long-lived secrets with short-lived, automatically rotated credentials: use cloud-native workload identity (e.g., OIDC federation to assume roles) so build systems receive ephemeral tokens tied to identity, not static keys.
- Adopt dynamic secrets from a broker that issues just-in-time database or message queue credentials per workload, expiring them quickly.
- Constrain scope and environment: bind tokens to workloads, namespaces, or IPs; use mTLS between services; enforce least privilege via fine-grained IAM policies.
- Instrument ITDR for machines: detect unusual API sequences, role assumption from new workloads, mass reads of secrets, or expansion of CI permissions; quarantine compromised runners; rotate all related secrets on indicators of compromise.
Track ownership for every machine identity, enforce renewal SLAs, and measure “credential half-life” to ensure nothing powerful lives forever. Treat CI agents and deployment runners as high-risk identities with rigorous isolation.
Building the zero-trust control plane and rolling it out
Unify policy, signals, and enforcement
Centralize access policy in an engine that understands identity attributes, device posture, resource sensitivity, and real-time risk. Author policies like “engineers may request production read via JIT from managed Macs with full disk encryption during business hours; write requires peer approval and step-up.” Feed the engine with signals from IdP risk scoring, EDR health, network context, and SaaS admin APIs. Enforce at multiple control points: IdP conditional access, reverse proxies, service meshes, and application gateways. Instrument continuous access evaluation and token introspection to revoke access mid-session.
Pragmatic rollout plan
- Phase 1 (0–90 days): Deploy phishing-resistant MFA to high-risk groups; enable number matching and push rate-limits; inventory OAuth apps and revoke unused grants; implement JIT for the top three privileged roles; pilot endpoint ephemeral admin.
- Phase 2 (90–180 days): Expand JIT to production access and sensitive SaaS; automate revocation and step-up responses in SOAR; roll out token hygiene (short lifetimes, refresh rotation) and CAE; onboard priority SaaS logs to your SIEM for ITDR analytics.
- Phase 3 (180–365 days): Migrate CI/CD to workload identity; adopt sender-constrained tokens; unify policy in a centralized engine; conduct red-team exercises focused on identity abuse and refine detections.
Throughout, measure reductions in standing privilege, time to revoke sessions, and the ratio of blocked to successful MFA fatigue attempts. Use these metrics to earn executive support and iterate policy without sacrificing usability.
Common pitfalls and anti-patterns
- MFA as a checkbox: Treating push-based MFA as “done” without phishing resistance or rate-limiting invites fatigue attacks. Upgrade factors or design prompts with strong context and controls.
- JIT without guardrails: Granting entire admin roles for long windows and rubber-stamping approvals creates pseudo-standing privilege. Keep durations short, scopes precise, and approvals risk-based.
- Blind spots in SaaS and OAuth: Ignoring third-party app grants and lacking logs from key SaaS platforms leaves ITDR half-blind. Prioritize providers that expose rich telemetry and administrative APIs.
- Token lifetimes that favor convenience over safety: Week-long access tokens and indefinite refresh tokens are an adversary’s dream. Default to short lifetimes and sender-constrained designs wherever possible.
- Over-reliance on the IdP alone: Conditional access is necessary but insufficient. Without endpoint, network, and application signals, detections miss critical context, and responses cannot contain compromised devices.
- Ignoring machine identities: Static keys in repos and long-lived CI tokens undermine any human-focused zero-trust program. Apply JIT, rotation, and telemetry to workloads first-class.
- Helpdesk loopholes: Password or MFA reset procedures that rely on weak verification can undo the strongest controls. Enforce step-up, record sessions, and audit every override.
- Perfect-is-the-enemy paralysis: Waiting for a grand identity overhaul delays meaningful risk reduction. Ship pragmatic controls in phases, measure impact, and tighten iteratively.
Organizations that elevate identity from an IT function to a security control plane—instrumented with ITDR and disciplined with JIT—are better positioned to withstand today’s reality: attacks that bypass perimeters and aim for the trust fabric itself. By shrinking standing privilege, constraining tokens, and reacting to suspicious identity behavior in seconds, you change the economics of compromise and keep access both secure and usable.