date 2025-07-17

A phishing attack bypassing FIDO keys was reported by Expel on Thursday.

The attack abuses QR codes generated for cross-device sign-in to enable attackers to log in to victims’ accounts.

Fast IDentity Online (FIDO) cryptographic private keys are bound to physical devices, providing stronger multi-factor authentication (MFA) than methods like SMS or email that could potentially be remotely compromised.

Cross-device authentication using FIDO allows a user with one device holding a private key to log into another device that does not hold the key. This is meant to provide convenience in scenarios such as logging in to a public computer or a new device that is not yet enrolled with FIDO.

Typically, a mobile device with a camera, such as a phone or tablet, is used to scan a QR code on the second device during login, verifying that the user has possession of the FIDO key-holding device.

In the attack observed by Expel, the attacker set up a spoofed Okta login page that automatically relayed the entered credentials into the legitimate Okta portal, in a man-in-the-middle (MitM) style attack. This phishing page, hosted at the typosquatted domain okta[.]login-request[.]com, was sent to the victim in an email.

To bypass FIDO, the attacker requested cross-device authentication at the next login stage on the legitimate portal, causing Okta to generate a QR code that was automatically relayed back to the victim on the spoofed page.

The victim scanned the QR code using their authenticator app, unwittingly providing the attacker access to their account. Expel reported that, although the attacker successfully logged in, no further malicious activity was observed in this case.

How to better secure FIDO logins

Expel suspects the attack is connected to the PoisonSeed campaign, a cluster of phishing attacks that has leveraged compromised accounts to target cryptocurrency wallets since at least April 2025.

MitM attacks abusing cross-device sign-in can be prevented by requiring a Bluetooth connection to use this feature. Requiring the user's FIDO key-holding device to communicate with the secondary device via Bluetooth verifies physical proximity between the devices, preventing remote phishing attacks.

Organizations should also monitor authentication logs for unusual cross-device sign-in requests, such as those coming from unexpected locations; placing geographic limitations on logins and establishing a registration process for employees who are traveling could further limit such attacks, Expel noted.

In a separate attack, Expel found that an attacker who successfully phished credentials from a victim enrolled their own FIDO key with the compromised account, preventing the victim from regaining access.

Therefore, organizations should also look out for unexpected FIDO registrations, especially those from unexpected locations, for users who are already enrolled, or using key brands other than those used by the organization.
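The two monitoring signals above (anomalous cross-device sign-ins and unexpected FIDO registrations) as a minimal rule set run over constructed authentication events. This is an added example, not code from Expel or Okta; the event fields, the country allow-list and the approved key brand are assumptions.

```python
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"US"}            # assumed: where the org expects logins from
APPROVED_KEY_BRANDS = {"YubiKey 5"}   # assumed: the org's standard key brand


@dataclass
class AuthEvent:
    """Constructed, vendor-neutral authentication event (not a real log schema)."""
    user: str
    kind: str            # "cross_device_signin" or "fido_register"
    country: str
    key_brand: str = ""  # only meaningful for "fido_register"


def flag_events(events, enrolled_users):
    """Return (event, reason) pairs worth investigating.

    Rules follow the article's guidance; the thresholds are assumptions:
    - cross-device sign-in from outside the allowed countries
    - FIDO registration from outside the allowed countries, for a user who
      is already enrolled, or with a key brand the org does not issue
    """
    findings = []
    enrolled = set(enrolled_users)
    for ev in events:
        if ev.kind not in ("cross_device_signin", "fido_register"):
            continue  # other event kinds are out of scope here
        reasons = []
        if ev.country not in ALLOWED_COUNTRIES:
            reasons.append("unexpected location")
        if ev.kind == "fido_register":
            if ev.user in enrolled:
                reasons.append("user already enrolled")
            if ev.key_brand not in APPROVED_KEY_BRANDS:
                reasons.append(f"unapproved key brand {ev.key_brand!r}")
            enrolled.add(ev.user)  # a later registration counts as re-enrolment
        if reasons:
            findings.append((ev, "; ".join(reasons)))
    return findings


# Constructed sample events, not real log data
SAMPLE_EVENTS = [
    AuthEvent("alice", "cross_device_signin", "US"),
    AuthEvent("alice", "cross_device_signin", "NL"),
    AuthEvent("bob", "fido_register", "US", "YubiKey 5"),
    AuthEvent("alice", "fido_register", "RO", "Generic FIDO2"),
]

if __name__ == "__main__":
    for ev, why in flag_events(SAMPLE_EVENTS, enrolled_users={"alice"}):
        print(f"{ev.user}: {ev.kind} from {ev.country} -> {why}")
```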

Organizations that suspect an account has been compromised should terminate active sessions as soon as possible to limit attackers' access and prevent full account takeover. Users of FIDO keys should be aware of phishing attacks abusing cross-device sign-in and be wary of unexpected requests to scan QR codes.