Users of FIDO passkey authentication through Microsoft Entra ID could be tricked into downgrading to a less secure sign-in method using a technique developed by Proofpoint researchers.

FIDO-based authentication is considered "phish-proof" because a passkey is bound to a device in the user's possession and to the legitimate site's origin, so a proxy on a look-alike domain cannot complete the FIDO ceremony on the user's behalf. While Proofpoint's method does not bypass FIDO authentication itself, it demonstrates how a crafted phishing template could fool users into opting for a less secure authentication method.

The proof-of-concept (PoC) attack takes advantage of the fact that some browsers do not support FIDO authentication with Microsoft Entra ID. The researchers spoofed the user agent of one of these incompatible browsers, Safari for Windows, to develop a phishing template, or "phishlet," for Evilginx2, an open-source man-in-the-middle (MitM) framework for phishing two-factor authentication (2FA).

The attacker sends the target a link to the phishing proxy. Because the proxy presents the spoofed user agent, Entra ID returns a FIDO authentication failure page that offers the user the option to sign in using another method. If the user opts to sign in using a password or 2FA, the MitM attack succeeds: the attacker intercepts the credentials and the session cookie and can hijack the user's account. Notably, the attack only works if the user has sign-in methods other than FIDO available to begin with.

"The attack described here does not reflect a vulnerability in passkeys or FIDO protocols. Rather, it illustrates the importance of service providers moving entirely away from passwords and other phishable sign-in methods as soon as possible," FIDO Alliance CEO Andrew Shikiar told SC Media.

The FIDO Alliance provides guidance for service providers that still allow multiple sign-in options to minimize the impact of phishing, such as by enforcing FIDO-only authentication for specific users or features.

Authentication hardware provider Yubico also stated that the proof-of-concept phishing attack emphasizes the risks of phishable authentication methods and the importance of passkey adoption.

"Yubico recommends careful consideration of all authentication flows in any identity ecosystem, including using phishing-resistant authentication at all steps in an account lifecycle – such as recovery flows, given they are a common attack vector," a Yubico spokesperson told SC Media. "This also highlights the need for applications and identity providers to offer the ability to disable phishable MFA options."

Proofpoint noted that it has not observed techniques similar to its PoC method used in any attacks in the wild.

Expel previously reported the discovery of an in-the-wild attack attempting to bypass FIDO by exploiting cross-device authentication, but later retracted its original report, saying the attempt was not successful because cross-device authentication requires proximity to the key-holding device.
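The downgrade described above leaves two traces in an identity provider's sign-in logs: a client that claims to be Safari on Windows, a browser Apple stopped shipping in 2012, and a user who owns a passkey completing sign-in with a phishable method instead. The following detection is an added example written for this article; it is not Proofpoint's PoC, not Evilginx2 code, and not anything Microsoft, the FIDO Alliance or Yubico published. The log field names, method names and sample sign-in events are constructed for the example and would need to be mapped onto a real Entra ID sign-in log export.

```python
"""Added detection example; not Proofpoint's PoC and not code from the article."""
import re
from dataclasses import dataclass

# Method names, field names and sample events below are constructed for this
# example; map them onto the columns of your tenant's sign-in log export.
PHISHABLE = {"password", "sms", "voice", "authenticator_push", "authenticator_otp"}

# A Safari browser token ("Version/x Safari/y") combined with a Windows platform
# token: Apple stopped shipping Safari for Windows in 2012, so this pairing only
# comes from a client lying about itself, which is what the phishing proxy does
# to make Entra ID skip FIDO.  Chromium browsers also carry "Safari/537.36" but
# never "Version/", so they are not matched.
IMPLAUSIBLE_UA = [
    (re.compile(r"Windows NT", re.I), re.compile(r"Version/\d+.*Safari", re.I)),
]


@dataclass
class SignIn:
    user: str
    user_agent: str
    method: str        # authentication method that completed the sign-in
    has_passkey: bool  # user has at least one FIDO2 key registered
    src_ip: str


def implausible_user_agent(ua: str) -> bool:
    """True when the OS and browser tokens cannot both come from a real browser."""
    return any(os_pat.search(ua) and br_pat.search(ua)
               for os_pat, br_pat in IMPLAUSIBLE_UA)


def passkey_downgrade(event: SignIn) -> bool:
    """True when a passkey-registered user completed sign-in with a phishable method."""
    return event.has_passkey and event.method in PHISHABLE


def triage(events):
    """Return (user, reason) pairs for sign-ins worth an analyst's attention."""
    findings = []
    for e in events:
        reasons = []
        if implausible_user_agent(e.user_agent):
            reasons.append("implausible user agent (Safari on Windows)")
        if passkey_downgrade(e):
            reasons.append(f"passkey holder signed in with {e.method}")
        if reasons:
            findings.append((e.user, "; ".join(reasons)))
    return findings


# Constructed sample: one clean passkey sign-in, one ordinary password user, and
# one sign-in relayed through a proxy spoofing Safari on Windows, after which
# the passkey holder fell back to a push notification.
SAMPLE_EVENTS = [
    SignIn("alice@example.com",
           "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
           "fido2", True, "198.51.100.10"),
    SignIn("bob@example.com",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
           "password", False, "198.51.100.11"),
    SignIn("carol@example.com",
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
           "authenticator_push", True, "203.0.113.5"),
]

if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

Only the third event is reported, with both reasons. The user-agent check is a weak signal on its own: the user agent is attacker-controlled, and any browser Entra ID does not support for FIDO would serve the same purpose, so a proxy can simply pick another one. The downgrade check is the more durable signal, and the guidance quoted above points at the real fix: once a user has a passkey, remove the phishable methods (in Entra ID, a Conditional Access policy requiring phishing-resistant authentication strength does this) so that there is nothing for the failure page to fall back to.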
Identity, Phishing, IAM Technologies

Phishing method tricks users into skipping FIDO authentication
