Should I be worried about MFA-bypassing pass-the-cookie attacks?

TL;DR: Yes. Time for a cookie review and a bit of user education; otherwise the effort of moving to multi-factor authentication will have been wasted:

[…] “Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this. For example, I can send anyone a phishing email and get around their MFA solution and if you don’t know that, you might not pay as much attention to what URL you’re clicking on.”


Cerberus Sentinel’s Espinosa said: “The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training.

“Specifically, cookies should be set with a short lifespan and should be for a single session, so when the browser is closed, the cookie is voided. Users should be trained to log off the web application and close their browser after they are done using the web application. Many users never log off or close a browser – this increases risk.

“The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though,” he said.
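The mitigations Espinosa describes above, worked through as an added example (not code from the article or from Cerberus Sentinel): a session-scoped cookie with no `Max-Age`/`Expires` so the browser discards it on close, a server-side idle timeout and absolute lifetime so a copied cookie stops working even if the browser is never closed, explicit logout that voids the server-side record, and a step-up check that forces re-authentication before sensitive functionality. The timeouts, the in-memory `SessionStore`, and the `authorize` helper are assumptions chosen for illustration, not values from the page.

```python
"""Server-side session handling that limits the value of a stolen session cookie.

Added example; class, function and timeout names are illustrative assumptions.
"""
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: short lifetimes are the point of the quoted advice.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity
REAUTH_WINDOW = 5 * 60        # sensitive actions need a login/MFA newer than this


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    last_auth: float  # last full login or step-up MFA completion


class SessionStore:
    """In-memory store; the clock is injectable so lifetimes can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable id; the cookie carries only this
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def resolve(self, sid: str):
        """Return the live session for sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        # Enforced server-side, so a cookie copied from a browser that stays open
        # still expires; the cookie's own attributes cannot guarantee that.
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def needs_step_up(self, sid: str) -> bool:
        s = self.resolve(sid)
        return s is None or self._clock() - s.last_auth > REAUTH_WINDOW

    def record_reauth(self, sid: str) -> None:
        s = self.resolve(sid)
        if s is not None:
            s.last_auth = self._clock()

    def logout(self, sid: str) -> None:
        # Voids the server-side record; the cookie itself becomes worthless.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value for a session-scoped cookie.

    No Max-Age/Expires: the browser drops it when closed. HttpOnly keeps page
    scripts away from it, Secure keeps it off plaintext HTTP, SameSite=Lax
    limits cross-site sending. None of these help once the value has already
    been copied, which is why the server-side lifetimes above matter.
    """
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authorize(store: SessionStore, sid: str, sensitive: bool = False) -> str:
    """Decide what a request may do: 'ok', 'step-up' (re-authenticate) or 'login'."""
    if store.resolve(sid) is None:
        return "login"
    if sensitive and store.needs_step_up(sid):
        return "step-up"
    return "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(authorize(store, sid, sensitive=True))  # fresh login, so 'ok'
```

The `authorize` helper is where the "reauthenticate more frequently for different web application functionality" trade-off lives: ordinary pages accept any live session, while a sensitive route asks for a recent login or MFA prompt, so the friction is confined to the actions that warrant it.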


Original article