FIDO authentication undermined

The FIDO standard is generally regarded as secure and user-friendly. It is used for passwordless authentication and is considered an effective means against phishing attempts. However, research experts from Proofpoint have now discovered a new way to circumvent FIDO-based authentication. The experts developed a downgrade attack technique for this purpose, which they tested using Microsoft Entra ID as an example.

How the FIDO authentication downgrade attack works

Phishing campaigns usually fail on accounts that are secured with FIDO passkeys. However, according to Proofpoint, certain FIDO implementations are susceptible to downgrade attacks. In this form of attack, users are tricked into using a less secure authentication method.

The starting point for the researchers was the fact that not all web browsers support FIDO passkeys — for example Safari under Windows. According to Proofpoint, this functional gap can be exploited by attackers. “A cybercriminal can adapt an Adversary-in-the-Middle (AiTM) attack to spoof an unsupported user agent that is not recognized by a FIDO implementation. The user would then be forced to authenticate using a less secure method,” Proofpoint said in a statement.

To demonstrate how this could be exploited in practice, the Proofpoint specialists have developed a phishlet for the AiTM framework Evilginx. This is a configuration file that is used in phishing kits to spoof websites and steal login data and session tokens. According to Proofpoint, the attack sequence is possible because user accounts with FIDO authentication generally use alternative login methods as a fallback solution — usually multi-factor authentication (MFA).

According to the security experts, the attack sequence happens as follows:

A phishing link is sent to the attack target, for example via email, SMS or OAuth request.

If the malicious link is clicked, an authentication error is displayed and an alternative login method is suggested.

If the targeted user accepts this and logs in via the fake interface, their login data and session cookies are captured.

This enables the attacker to hijack the session and take over the target’s account. This opens the door to data exfiltration or lateral movement within the affected environment.

Although, according to Proofpoint, there is no evidence to date that this attack technique is already being used by cyber criminals in practice, the security provider classifies downgrade attacks as a significant new threat. The experts warn: “Because more and more organizations are introducing ‘phishing-resistant’ authentication methods such as FIDO, attackers could integrate FIDO authentication downgrades into their kill chains in the future.”

In an email, FIDO Alliance CEO Andrew Shikiar cast doubt on the seriousness of the vulnerability. “The attack described here does not reflect a vulnerability in passkeys or FIDO protocols,” he said. “Rather, it illustrates the importance of service providers moving entirely away from passwords and other phishable sign-in methods as soon as possible. The FIDO Alliance has guidance for service providers on how to mitigate phishing risks as they continue to allow multiple sign-in options to their users, as well as how to move toward passkey-only sign-in flows and remove fallback options that rely on phishable methods both for login and for account recovery. This guidance is available on Passkey Central.”
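As an added illustration (not code from the article, Proofpoint or the FIDO Alliance), here is a hypothetical relying party's sign-in method selection in two forms, the downgrade-prone one the attack sequence above relies on and a passkey-only one in line with the guidance just quoted, followed by a check over constructed sign-in records for the pattern a defender would want to flag. The account model, record format and user-agent capability check are all assumptions, not Entra ID's.

```python
from dataclasses import dataclass

# Methods an AiTM proxy can relay; a passkey is bound to the origin and is not.
PHISHABLE = {"password", "password+sms", "password+totp", "password+push"}

@dataclass
class Account:
    user: str
    methods: set  # authentication methods registered on the account

def client_claims_webauthn(user_agent: str) -> bool:
    # Constructed capability check standing in for a real one. The article's
    # example of an unsupported client is Safari on Windows. The User-Agent
    # header is chosen by the client, so this check is trivially spoofable.
    return not ("Safari" in user_agent and "Windows" in user_agent)

def weak_policy(account: Account, user_agent: str) -> str:
    # Downgrade-prone: a client that merely claims not to support WebAuthn is
    # handed a phishable fallback even though a passkey is registered.
    if "passkey" in account.methods and client_claims_webauthn(user_agent):
        return "passkey"
    return "password+totp"

def hardened_policy(account: Account, user_agent: str) -> str:
    # Passkey-only: the method follows from what is enrolled, never from the
    # client's self-description. An unsupported client is told to use a
    # supported one rather than being offered a phishable method.
    if "passkey" in account.methods:
        return "passkey" if client_claims_webauthn(user_agent) else "reject_unsupported_client"
    return "password+totp"  # nothing stronger is enrolled for this account

# Constructed accounts and sign-in records (hypothetical format).
ACCOUNTS = {
    "alice": Account("alice", {"passkey", "password+totp"}),
    "bob": Account("bob", {"password+totp"}),
}
WIN_SAFARI = "Mozilla/5.0 (Windows NT 10.0) Safari/605.1"
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/126"
SIGNIN_LOG = [
    {"user": "alice", "method": "passkey", "ua": WIN_CHROME, "result": "success"},
    {"user": "alice", "method": "password+totp", "ua": WIN_SAFARI, "result": "success"},
    {"user": "bob", "method": "password+totp", "ua": WIN_SAFARI, "result": "success"},
    {"user": "alice", "method": "password+totp", "ua": WIN_SAFARI, "result": "failure"},
]

def downgraded_signins(accounts: dict, records: list) -> list:
    """Successful sign-ins on passkey-enrolled accounts that used a phishable method.
    Not proof of compromise on its own, but exactly the trace a downgrade leaves."""
    return [r for r in records
            if r["result"] == "success"
            and r["method"] in PHISHABLE
            and "passkey" in accounts[r["user"]].methods]
```

Under the hardened policy the second record could not have occurred at all, which is the point of removing the fallback rather than merely monitoring it.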

This article originally appeared on CSO Germany and has been updated to include comment from the FIDO Alliance.
