FIDO Authentication Could Be at Risk Due to a Minor Gap in Some Web Browsers

FIDO (Fast Identity Online) authentication, one of the most secure and phishing-resistant methods available today, might not be as foolproof as previously thought. The cybersecurity firm Proofpoint has warned about a new type of downgrade attack that could allow cybercriminals to bypass this system, putting both users and organizations at risk.

The attack exploits the fact that not all web browsers support FIDO2 authentication with Microsoft Entra ID. An attacker could impersonate an incompatible browser, forcing the system to fall back to weaker verification methods. That opens the door to credential theft and session cookie hijacking, which in turn can lead to account takeover.
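One way a defender can hunt for this pattern in sign-in telemetry, as an added example (not Proofpoint's or Microsoft's code): flag sign-ins where a user who has a FIDO credential registered was let through with a weaker method from a browser that does not present as FIDO2-capable. The record fields, browser tokens and sample events below are constructed for the example and do not mirror the Entra ID sign-in log schema.

```python
"""Hunt for FIDO downgrade indicators in (constructed) sign-in records."""
from dataclasses import dataclass

# Assumption: a sign-in from a user agent carrying one of these tokens is
# treated as coming from a FIDO2-capable browser. Placeholder list, not an
# authoritative compatibility matrix.
FIDO_CAPABLE_TOKENS = ("Chrome/", "Edg/", "Firefox/")

# Assumption: factors considered phishing-resistant for this check.
STRONG_METHODS = {"fido2", "windowsHelloForBusiness"}


@dataclass
class SignIn:
    user: str
    user_agent: str
    method: str           # factor that actually satisfied MFA
    fido_registered: bool  # user has a FIDO credential enrolled


def is_fido_capable(user_agent: str) -> bool:
    """True if the claimed browser is one we expect to support FIDO2."""
    return any(tok in user_agent for tok in FIDO_CAPABLE_TOKENS)


def downgrade_suspects(events):
    """Return (user, user_agent, method) for each sign-in that looks like a
    downgrade: FIDO is enrolled, the browser claims to be one that cannot
    do FIDO2, and a weaker factor was accepted instead."""
    hits = []
    for e in events:
        weak = e.method not in STRONG_METHODS
        if e.fido_registered and weak and not is_fido_capable(e.user_agent):
            hits.append((e.user, e.user_agent, e.method))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE = [
    SignIn("alice", "Mozilla/5.0 (X11) Chrome/120.0", "fido2", True),
    SignIn("alice", "Mozilla/5.0 (X11) LegacyBrowser/1.0", "sms", True),
    SignIn("bob", "Mozilla/5.0 (X11) Firefox/118.0", "sms", False),
    SignIn("carol", "Mozilla/5.0 (X11) Chrome/120.0", "push", True),
]

if __name__ == "__main__":
    for hit in downgrade_suspects(SAMPLE):
        print("possible FIDO downgrade:", hit)
```

Only alice's second sign-in is reported: bob has no FIDO credential, and carol's weaker factor came from a browser that could have used her key, which is a different (and less specific) signal.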

FIDO was specifically designed to reduce reliance on passwords and to combat phishing by combining physical security keys with biometric authentication or PINs. Under normal circumstances, traditional phishing kits are unable to bypass it. However, the research warns that purpose-built “phishlets” could make the downgrade feasible.

So far, Proofpoint has not observed these attacks in the wild. Its researchers believe most cybercriminals still prefer simpler methods, such as targeting users with weak passwords or single-factor authentication. Nonetheless, they suggest that more sophisticated groups, including nation-state actors, might adopt this technique in the future.

“FIDO-based access keys continue to be one of the best defenses against phishing and account takeover. Today, attackers focus on less protected systems, but their tactics might evolve to exploit these vulnerabilities,” conclude Proofpoint researchers.
