Digital Event Horizon
Researchers at Expel have documented a phishing technique, dubbed the "FIDO downgrade attack", that defeats multifactor authentication on accounts protected by FIDO (Fast Identity Online) authenticators. It does not break FIDO. It abuses the cross-device sign-in option in the targeted Okta login flow: the attacker enters phished credentials on the real Okta page, chooses cross-device sign-in, and relays the resulting QR code to the victim on the phishing page, where the victim scans it with their MFA authenticator. FIDO's hybrid (cross-device) transport was designed so that exactly this fails, through a Bluetooth proximity check and a challenge bound to the requesting domain, but the method the Okta login fell back to did not enforce those requirements. The practical lesson is that a FIDO-protected login is only as strong as the weakest fallback authentication method it is allowed to downgrade to.
Phishing attacks have been a constant threat to online security for years, and recently researchers from Expel discovered a new technique that bypasses multifactor authentication schemes built on FIDO (Fast Identity Online). The attack, which has been dubbed the "FIDO downgrade attack," lets attackers take over user accounts by abusing a cross-device sign-in option rather than by breaking the FIDO protocol itself.
According to Expel's research, the attack begins with an email that links to a fake Okta login page (Okta is a widely used authentication provider). The page prompts visitors to enter their valid username and password, which are transmitted to a PoisonSeed operator who enters them into the real Okta login page in real time. The sleight of hand comes next: on the real page the attacker selects cross-device sign-in, and the QR code that Okta then displays is captured and shown to the victim on the fake page, who scans it with their MFA authenticator.
The FIDO spec was designed to stop attacks like this. The authenticator, whether a security key or a passkey on a phone, signs a challenge that is bound to the origin of the site being logged into, so a credential registered for okta.com yields nothing usable when the user is interacting with a look-alike domain. The researchers found that the attackers sidestep this by downgrading the login from FIDO MFA to a weaker cross-device method that lacks that binding.
The attack rides on cross-device sign-in. If a user has no passkey on the device they are logging in from, FIDO's hybrid transport lets them use one resident on a different device, such as a phone: the site displays a QR code, the user scans it with the authenticator on the phone, and the phone completes the authentication. In the PoisonSeed flow the attacker triggers this option on the genuine Okta page and relays the QR code to the victim, who scans it and unknowingly approves a session that belongs to the attacker.
The researchers noted that if the targeted Okta MFA process had followed FIDO requirements, the login would have failed for at least two reasons. First, the device providing the hybrid form of authentication (the victim's phone) would have needed to be physically close enough to the attacker's device to connect over Bluetooth Low Energy, a proximity check the hybrid transport requires before the two devices can talk. Second, the challenge the hybrid device would have signed would have been bound to the domain of the fake site (okta[.]login-request[.]com) and not to the genuine Okta.com domain, so the signature would not have verified.
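The second point, origin and challenge binding, is easiest to see as code. The following is an added example and is not Expel's, Okta's or Ars Technica's code: a stripped-down WebAuthn relying party in Go that performs the checks a compliant FIDO assertion has to pass. The P-256 key pair, the rpId okta.com, the functions setup, sign, verify and login, and the use of the phishing domain from the report are assumptions of this illustration; real clientDataJSON and authenticatorData carry more fields, and the Bluetooth proximity check of the hybrid transport is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON that a relayed QR code runs into.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // set by the browser, never by the page
}

// authenticator holds one credential scoped to one rpId (hypothetical key from setup).
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// sign models the phone after it scans the QR code. A compliant browser hands it the
// rpId and origin of the page actually loaded; the page cannot choose them.
func (a *authenticator) sign(rpID, origin, challenge string) (cd, authData, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, nil, errors.New("no credential registered for rpId " + rpID)
	}
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 0) // sha256(rpId) || UP flag || signCount 0
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...)) // WebAuthn signs authData || sha256(clientDataJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return cd, authData, sig, err
}

// relyingParty is the site being logged into (okta.com in the Expel report).
type relyingParty struct {
	rpID    string
	origins map[string]bool
	pub     *ecdsa.PublicKey
	pending map[string]bool // challenges issued and not yet consumed
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// verify applies the RP-side checks; each one alone rejects a relayed assertion.
func (rp *relyingParty) verify(cdJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return errors.New("wrong ceremony type, or challenge unknown or already used")
	}
	if !rp.origins[cd.Origin] {
		return fmt.Errorf("origin %q is not this RP", cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return errors.New("rpIdHash does not match " + rp.rpID)
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature invalid")
	}
	delete(rp.pending, cd.Challenge) // single use: a captured assertion cannot be replayed
	return nil
}

// setup registers one hypothetical P-256 passkey for okta.com with the RP.
func setup() (*relyingParty, *authenticator) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &relyingParty{rpID: "okta.com", origins: map[string]bool{"https://okta.com": true}, pub: &priv.PublicKey, pending: map[string]bool{}}
	return rp, &authenticator{rpID: "okta.com", priv: priv}
}

// login runs one ceremony with the rpId and origin the victim's browser reports.
func login(rp *relyingParty, auth *authenticator, rpID, origin string) error {
	cd, ad, sig, err := auth.sign(rpID, origin, rp.newChallenge())
	if err != nil {
		return err
	}
	return rp.verify(cd, ad, sig)
}
```

With rp, auth := setup(), the genuine case login(rp, auth, "okta.com", "https://okta.com") returns nil. The PoisonSeed relay with a browser that truthfully reports the page it is on, login(rp, auth, "login-request.com", "https://okta.login-request.com"), fails because the phone has no credential scoped to that rpId, and a client that forges the rpId as "okta.com" while the origin still says the phishing site fails on the origin check; the rpIdHash comparison would catch a forged hash the same way. The single-use challenge table additionally stops replay of an assertion captured in transit. None of this helps once the login has fallen back to a method whose approval carries no origin at all, which is the downgrade the page describes.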
The Expel researchers concluded that this is not a true FIDO key bypass but a FIDO downgrade attack: the attackers never defeated the FIDO authenticator, they avoided it. Administrators should therefore think long and hard before allowing FIDO-protected logins to fall back to other forms of authentication. Such fallbacks are usually permitted because relying on FIDO alone is still impractical, since passkeys are hard to manage and export, but each fallback reopens the phishing hole that FIDO closed.
In conclusion, the FIDO downgrade attack is a serious threat to multifactor authentication deployments, not because FIDO is broken but because the surrounding login flow permitted a weaker path. The defense is to require phishing-resistant authenticators, disable or tightly restrict fallback methods, and treat any cross-device flow that does not enforce proximity and origin binding as phishable. As the use of FIDO continues to grow, users and administrators should expect attackers to target the fallbacks rather than the keys.
Related Information:
https://www.digitaleventhorizon.com/articles/FIDO-Downgrade-Attack-A-Threat-to-Multifactor-Authentication-deh.shtml
https://arstechnica.com/security/2025/07/no-phishers-are-not-bypassing-fido-mfa-at-least-not-yet-heres-why/
Published: Fri Jul 18 14:36:11 2025 by llama3.2 3B Q4_K_M