Token theft: an attacker captures authentication artifacts (session cookies, JWTs, Kerberos tickets) and replays them to impersonate the user. No password is needed, and because the token is minted only after MFA has already succeeded, replaying it sidesteps MFA entirely.
AiTM (Adversary-in-the-Middle) phishing: a reverse proxy sits between the victim and the real login page, relays the password and the MFA response (OTP codes, push approvals and SMS are all relayable), and captures the session cookie the server sets once MFA completes. FIDO2/WebAuthn is phishing-resistant even against AiTM: the browser, not the page, writes the real origin into the signed client data and only releases credentials whose RP ID matches that origin, so an assertion produced on the proxy's domain cannot validate at the genuine site. Conditional Access with Continuous Access Evaluation (CAE) re-evaluates an already-issued session on critical events (account disabled, password change, session revocation, location change) instead of only at sign-in, which shortens how long a stolen token stays usable but does not prevent the capture itself.
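The following toy relying party, an added example that is not part of the original notes, models both points above: a bearer cookie minted after password+OTP login is honoured from whichever client presents it, while a FIDO2-style assertion is tied to the browser's origin and RP ID, so the proxy cannot obtain one the real server accepts. Everything here is constructed (`example.com`, the look-alike `evil.test` domain, the user `alice`); it is stdlib-only, and an HMAC over a per-RP key stands in for the authenticator's asymmetric signature, since the property shown is origin binding, not the signature scheme.

```python
"""Why a replayed session cookie defeats OTP-based MFA, and why origin-bound FIDO2 assertions do not
relay through an AiTM proxy. Constructed example; HMAC stands in for the authenticator's signature."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"  # constructed look-alike proxy domain


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Authenticator:
    """Platform/roaming authenticator: one credential per RP ID, as in FIDO2."""

    def __init__(self):
        self.master = secrets.token_bytes(32)

    def credential_key(self, rp_id: str) -> bytes:
        # Per-RP key; a real authenticator holds a distinct key pair per RP ID.
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id: str, challenge: str, browser_origin: str):
        # The browser fills in the origin it is actually displaying; the page cannot forge it.
        # The browser also refuses if rp_id is not a registrable suffix of that origin's host.
        host = urlparse(browser_origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("RP ID is not a registrable suffix of the origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True)
        signature = _mac(self.credential_key(rp_id), hashlib.sha256(client_data.encode()).digest())
        return client_data, signature


class Server:
    """Relying party offering password+OTP login and a WebAuthn-style assertion check."""

    def __init__(self):
        self.password = "hunter2"
        self.otp_secret = secrets.token_bytes(20)
        self.sessions = {}     # cookie -> user
        self.challenges = {}   # user -> outstanding challenge
        self.credentials = {}  # user -> registered credential key

    def expected_otp(self, counter: int) -> str:
        return _mac(self.otp_secret, counter.to_bytes(8, "big"))[:6]

    def _issue_cookie(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def login_password_otp(self, user, password, otp, counter):
        if password != self.password or not hmac.compare_digest(otp, self.expected_otp(counter)):
            return None
        return self._issue_cookie(user)

    def whoami(self, cookie):
        # Bearer cookie: accepted from any client that presents it, nothing ties it to the victim.
        return self.sessions.get(cookie)

    def fido_challenge(self, user: str) -> str:
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def fido_verify(self, user, client_data, signature):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.challenges.pop(user, None):
            return None
        if cd.get("origin") != LEGIT_ORIGIN:  # origin binding: this is the check that defeats the proxy
            return None
        expected = _mac(self.credentials[user], hashlib.sha256(client_data.encode()).digest())
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_cookie(user)


def run_scenarios():
    srv, authn = Server(), Authenticator()
    srv.credentials["alice"] = authn.credential_key(RP_ID)  # prior registration
    out = {}

    # 1. AiTM against password+OTP: the proxy relays both factors verbatim and keeps the cookie.
    victim_otp = srv.expected_otp(counter=7)                                     # victim's OTP app
    cookie = srv.login_password_otp("alice", "hunter2", victim_otp, counter=7)  # forwarded by proxy
    out["otp_mfa_completed"] = cookie is not None
    out["replay_from_attacker"] = srv.whoami(cookie)  # attacker presents the captured cookie

    # 2. FIDO2 from the genuine origin succeeds.
    cd, sig = authn.get_assertion(RP_ID, srv.fido_challenge("alice"), LEGIT_ORIGIN)
    out["fido_legit"] = srv.fido_verify("alice", cd, sig) is not None

    # 3a. Proxy page asks for the real RP ID: the browser refuses, the origin does not match.
    ch = srv.fido_challenge("alice")
    try:
        authn.get_assertion(RP_ID, ch, PHISH_ORIGIN)
        out["fido_proxy_real_rpid"] = "signed"
    except ValueError:
        out["fido_proxy_real_rpid"] = "browser_refused"

    # 3b. Proxy page uses its own RP ID so the browser cooperates; the relayed assertion names the
    #     phishing origin and is signed with a differently scoped key, so the server rejects it.
    cd, sig = authn.get_assertion("evil.test", ch, PHISH_ORIGIN)
    out["fido_proxy_relayed"] = srv.fido_verify("alice", cd, sig)
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Scenario 1 is the whole AiTM problem in one line: `whoami` has no way to tell the attacker's client from the victim's, because a bearer cookie carries no binding to the device or channel that earned it. Scenarios 3a and 3b show the two independent reasons the same proxy gets nothing usable from FIDO2: the browser will not exercise the `example.com` credential on another origin, and any assertion it does produce carries the phishing origin inside the signed data.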