Passkeys cleared of alleged MFA bypass phishing vulnerability
FIDO gets an apology and endorsement for spider infestation prevention reiterated

A pair of cybersecurity updates represent not just wins for the FIDO protocol, but also a possible swan song for a certain legacy version of multi-factor authentication. A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix for the vulnerability of “phishable” MFA that is wreaking havoc on corporate networks around the world.

The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.

The alleged vulnerability involved using the “cross-device sign-in” feature of FIDO passkeys and social engineering to execute an adversary-in-the-middle (AitM) attack. The attack was able to successfully pass the password factor of the authentication flow by getting the target, likely an employee, to scan a QR code substituted by the attacker for one from Okta, “but all subsequent MFA challenges failed and the attacker is never granted access to the requested resource,” according to a new blog post from Expel.

The explanation comes with an apology, and credit from the Expel team to the FIDO community for its engagement.

FIDO keeps Spiders out

Legacy MFA methods were blamed for a recent spate of successful hacks by the Scattered Spider attack group exposing data from major airlines.

An advisory from the U.S. Cybersecurity & Infrastructure Security Agency has been updated to note tactical changes and retains a recommendation to “(i)mplement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.”

“These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors,” the alert states.

Later, the advisory tells organizations to “(r)equire phishing-resistant multifactor authentication (MFA).”

CISA partnered with the FBI, Canadian Centre for Cyber Security, Royal Canadian Mounted Police, the Australian Cyber Security Centre’s Australian Signals Directorate, and the Australian Federal Police and National Cyber Security Centre on the advisory.

Other advice includes limiting the use of remote desktop services, implementing a recovery plan, and complying with NIST password management policies.

The updated advisory adds a caution that the remote access tools hackers use in the attacks will vary, and a recommendation to “enhance monitoring against unauthorized account misuse.”

The global banking industry has also been working on adapting FIDO2 standards so that they can be adopted for financial use cases.
