"Identity is the new Perimeter"

I should have raged against this nonsense when it started to become a buzz phrase.

Web-based Session management is the emperor's new clothes and identity-based controls are left naked as a result.

@Enigma Explain it like I'm new to infosec?

@developing_agent

Sure, happy to:
"Someone licks the stamp on my hand, and smooshes the ink onto the top of their hand so that they can get into the club without being checked for ID."

Authentication (logging in), even with MFA, only takes place during the initial login. After that, modern Web Apps issue a 'Session' and 'Cookie' to tell the systems that you have already proven your identity, so there is no need to check again - this is why you can reopen Firefox, go to gmail.com and be looking at your email without having to re-enter your username/password/MFA.

When someone steals that session data (sometimes as simple as a copy-paste), they can impersonate you and access all those fun "zero trust" services that have Strong Passwords, and Multi-Factor Auth, and Biometrics, and Conditional Access -- since all of these protections only come into play during that first login, everything after that bypasses the checks.
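The point made in the thread above, as an added example that is not part of the original posts: a toy session store in which password and MFA are checked only at login, shown next to a variant that binds the session to the client it was issued to and expires it when idle. `SessionStore`, `client_ctx`, `IDLE_TIMEOUT` and the device labels are hypothetical names; `client_ctx` stands in for whatever signal a real server can bind to, such as a device-held key.

```python
import hmac
import secrets

IDLE_TIMEOUT = 900  # seconds; constructed value for the example


class SessionStore:
    def __init__(self, bind_to_client=False):
        self.bind_to_client = bind_to_client
        self.sessions = {}

    def login(self, user, password_ok, mfa_ok, client_ctx, now):
        # The only place password and MFA results are ever consulted.
        if not (password_ok and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ctx": client_ctx, "last": now}
        return token

    def authorize(self, token, client_ctx, now):
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.bind_to_client:
            idle = now - session["last"] > IDLE_TIMEOUT
            moved = not hmac.compare_digest(session["ctx"], client_ctx)
            if idle or moved:
                # Revoke: the next request has to go through login() again.
                del self.sessions[token]
                return None
        # Unbound mode: possession of the token is the whole identity check.
        session["last"] = now
        return session["user"]


def replay_demo(bind_to_client):
    """Present one token from the issuing client, then from a different one."""
    store = SessionStore(bind_to_client)
    token = store.login("alice", True, True, "device-A", now=0)
    owner = store.authorize(token, "device-A", now=60)
    replayed = store.authorize(token, "device-B", now=120)
    return owner, replayed


if __name__ == "__main__":
    print("unbound:", replay_demo(False))
    print("bound:  ", replay_demo(True))
```

In the bound variant the mismatch also revokes the session, so the legitimate user is sent back through the full login rather than left sharing a token that has been seen elsewhere.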