Cybersecurity firm flags FIDO authentication downgrade phishing attack risk

A new downgrade attack designed to bypass FIDO authentication with a “dedicated phishlet” has been discovered by enterprise cybersecurity provider Proofpoint.
The adversary-in-the-middle (AiTM) attack starts out in a recognizable way: a phishing message carries a link to a webpage that looks like a legitimate login portal but is a malicious fake, a blog post from the Canada-based company explains. From there it differs. Unlike other downgrade attacks that only affect certain implementations of FIDO authentication, in particular Windows Hello for Business (WHfB), this one can be used to phish Microsoft Entra ID users regardless of the implementation.
Because FIDO2 authentication, such as with passkeys, is not supported by Entra on all browsers, attackers can spoof an unsupported user agent, such as Safari on Windows, with a specially crafted phishlet, so that the login flow never offers the FIDO option.
A phishlet, Proofpoint explains, “is a configuration file or template used by phishing kits to define the impersonation of legitimate websites and interception of user credentials and session tokens.”
Legacy phishlets are designed to harvest traditional credentials and bypass legacy multi-factor authentication (MFA) systems, and return an error when faced with FIDO authentication. But Proofpoint researchers have built a dedicated phishlet using the Evilginx AiTM attack framework that forces the target to use a less secure authentication method.
The less secure login credential, such as a verification code from the Microsoft Authenticator app, is intercepted along with the session cookie, and the attacker imports the cookie into their browser.
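As an added example, not from the Proofpoint post or any Microsoft tooling: a small Python heuristic that triages sign-in records for the two signals described above, a user agent claiming Safari on Windows and a user with FIDO2 history falling back to a weaker method. The record layout, field names and sample events are constructed for this example and do not mirror a real Entra sign-in log schema.

```python
"""Heuristic triage for possible FIDO downgrade sign-ins (added example).

Field names (user, auth_method, user_agent) are assumptions for this
illustration, not a real Microsoft Entra sign-in log schema.
"""
from collections import defaultdict

# Methods the article treats as "phishable" fallbacks vs. phishing-resistant.
WEAK_METHODS = {"authenticator_code", "sms", "password_only"}
STRONG_METHODS = {"fido2"}


def spoofed_safari_on_windows(user_agent: str) -> bool:
    """Safari has not shipped for Windows for many years, so a UA that claims
    both is a strong spoofing indicator. Chrome/Edge UAs also contain the
    token 'Safari', so they are excluded explicitly."""
    ua = user_agent.lower()
    return ("safari" in ua and "windows" in ua
            and "chrome" not in ua and "edg" not in ua)


def find_downgrades(events: list) -> list:
    """Return events worth a closer look. Events are assumed chronological.

    Flag when (a) the UA looks spoofed, or (b) the user has completed a
    FIDO2 sign-in before but this event used a weak method."""
    has_fido = defaultdict(bool)
    flagged = []
    for ev in events:
        reasons = []
        if spoofed_safari_on_windows(ev["user_agent"]):
            reasons.append("unsupported UA: Safari on Windows")
        if ev["auth_method"] in WEAK_METHODS and has_fido[ev["user"]]:
            reasons.append("weak method for a user with FIDO2 history")
        if ev["auth_method"] in STRONG_METHODS:
            has_fido[ev["user"]] = True
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"user": "alice", "auth_method": "fido2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/126.0 Safari/537.36"},
    {"user": "alice", "auth_method": "authenticator_code",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
    {"user": "bob", "auth_method": "authenticator_code",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                   "AppleWebKit/605.1.15 Version/17.0 Mobile/15E148 Safari/604.1"},
]

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print(hit["user"], hit["auth_method"], hit["reasons"])
```

A fallback to a weaker method can be legitimate (a lost security key, for instance), so the output is a triage list to review, not a verdict.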
“Despite the lack of observed usage by threat actors, Proofpoint considers FIDO authentication downgrade attacks as a significant emerging threat,” the company summarizes. “These attacks could be carried out by sophisticated adversaries and APTs (namely state-sponsored actors or technically savvy hackers).”
A passkey downgrade attack was recently reported and then walked back, with the clarification that FIDO still protects against legacy “phishable” MFA, so long as the FIDO Cross-Device Authentication flow is properly implemented.
Article Topics
biometric authentication | cybersecurity | FIDO Alliance | FIDO2 | Microsoft Entra | Proofpoint