The FIDO standard is generally regarded as secure and user-friendly. It is used for passwordless authentication and is considered an effective defence against phishing. However, researchers at Proofpoint have now found a new way to circumvent FIDO-based authentication: a downgrade attack technique, which they tested using Microsoft Entra ID as an example.
How the FIDO authentication downgrade attack works
Phishing campaigns usually fail against accounts secured with FIDO passkeys. According to Proofpoint, however, certain FIDO implementations are susceptible to downgrade attacks, in which users are tricked into authenticating with a less secure method.
The starting point for the researchers was the fact that not all web browsers support FIDO passkeys, Safari on Windows being one example. According to Proofpoint, attackers can exploit this functional gap. “A cybercriminal can adapt an Adversary-in-the-Middle (AiTM) attack to spoof an unsupported user agent that is not recognized by a FIDO implementation. The user would then be forced to authenticate using a less secure method,” Proofpoint said in a statement.
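The detection angle that follows from this description, as an added example (not code from the article or from Proofpoint): a sign-in that combines a user agent no real client would present (Safari claiming to run on Windows, which Apple stopped shipping in 2012) with a fallback to a non-phishing-resistant method is exactly the footprint of the downgrade. The record layout, field names and method labels below are constructed for this illustration and are not Entra ID's own schema; the sample sign-ins are likewise constructed.

```python
"""Heuristic detection of FIDO authentication downgrade sign-ins.

Added example. The log format, field names and method labels are
assumptions constructed for this illustration, not a vendor's schema.
"""
from dataclasses import dataclass

# Methods treated as phishing-resistant; anything else is a weaker fallback.
# Labels are assumptions for this example.
PHISHING_RESISTANT = {"fido2", "windows_hello_for_business", "certificate"}

# Constructed sample sign-in records (not real log lines).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
     "auth_method": "sms"},
    {"user": "alice@example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/126.0 Safari/537.36",
     "auth_method": "fido2"},
    {"user": "bob@example.com",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.5 Safari/605.1.15",
     "auth_method": "fido2"},
    {"user": "carol@example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
     "auth_method": "authenticator_push"},
]


@dataclass
class Finding:
    user: str
    auth_method: str
    reasons: tuple
    severity: str


def is_safari(user_agent: str) -> bool:
    """True for a genuine Safari user agent.

    Chromium-based browsers also carry a 'Safari/' token for compatibility,
    so require the 'Version/' token Safari adds and rule out the Chromium
    family markers.
    """
    if "Safari/" not in user_agent or "Version/" not in user_agent:
        return False
    chromium_markers = ("Chrome/", "Chromium/", "Edg/", "CriOS/", "OPR/")
    return not any(marker in user_agent for marker in chromium_markers)


def is_windows(user_agent: str) -> bool:
    return "Windows NT" in user_agent


def implausible_user_agent(user_agent: str) -> bool:
    """Safari on Windows has not been shipped since 2012, so a client
    presenting that combination is spoofing its user agent."""
    return is_safari(user_agent) and is_windows(user_agent)


def users_with_fido_history(records) -> set:
    """Users who have ever completed a phishing-resistant sign-in.
    In practice this baseline comes from historical logs, not the batch
    under inspection."""
    return {r["user"] for r in records if r["auth_method"] in PHISHING_RESISTANT}


def find_downgrades(records, fido_users=None) -> list:
    """Flag sign-ins that look like a downgrade away from FIDO.

    Two independent signals: a spoofed/implausible user agent, and a user
    with a FIDO history authenticating with a weaker method. Both together
    is rated high, either alone medium.
    """
    if fido_users is None:
        fido_users = users_with_fido_history(records)
    findings = []
    for r in records:
        reasons = []
        if implausible_user_agent(r["user_agent"]):
            reasons.append("implausible_user_agent")
        if r["user"] in fido_users and r["auth_method"] not in PHISHING_RESISTANT:
            reasons.append("weaker_method_for_fido_user")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(r["user"], r["auth_method"], tuple(reasons), severity))
    return findings


if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_SIGNINS):
        print(f"{f.severity:6} {f.user:20} {f.auth_method:18} {', '.join(f.reasons)}")
```

Run against the constructed sample, the first `alice@example.com` record is rated high (spoofed Safari-on-Windows agent plus an SMS fallback for a user who normally signs in with FIDO2) and the `carol@example.com` record medium (implausible agent only, since she has no FIDO history in the batch). The Chrome and macOS Safari sign-ins produce nothing, which is the point of the `Version/` check: a naive `"Safari/" in ua` test would flag every Chromium browser on Windows.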
