OAuth consent is the phishing vector MFA misses—long-lived tokens and cross-app access bypass trusted identity controls.