FIDO Downgrade Attacks, a New Authentication Threat

21 August 2025 18:26

Proofpoint researchers have identified a sophisticated downgrade attack that could bypass FIDO-based authentication, exposing targets to adversary-in-the-middle (AiTM) threats.
These are the researchers' key findings:

  • Using a dedicated “phishlet,” attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats.
  • This attack exploits a seemingly insignificant gap in functionality: not all web browsers support the “passkey” authentication method (FIDO2) with Microsoft Entra ID, so an attacker can spoof an unsupported “user agent” and force a less secure authentication method.
  • Although technically possible, Proofpoint researchers have not yet observed FIDO authentication downgrade attacks “in the wild,” with attackers’ focus remaining on accounts with other MFA methods or no MFA methods at all.
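A defender-side check for the pattern described above, added here as an illustration (not Proofpoint's or Red Hot Cyber's code): it scans sign-in records for users who have a FIDO2 credential registered but completed sign-in with a weaker factor, and notes when the user agent differs from the one seen in that user's passkey sign-ins. The log schema, field names, method labels and sample values are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed method labels: FIDO2 is phishing-resistant; the others can be relayed by an AiTM proxy.
STRONG_METHODS = {"fido2"}
WEAK_METHODS = {"oath_totp", "sms", "push"}

# Constructed roster of registered MFA methods per user (assumed schema).
REGISTERED = {
    "alice": {"fido2", "oath_totp"},
    "bob": {"oath_totp"},
}

# Constructed sign-in events (assumed schema): timestamp, user, method used, user agent, result.
EVENTS = [
    {"ts": "2025-08-21T09:00:00Z", "user": "alice", "method": "fido2",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "result": "success"},
    {"ts": "2025-08-21T09:05:00Z", "user": "alice", "method": "oath_totp",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0", "result": "success"},
    {"ts": "2025-08-21T09:07:00Z", "user": "bob", "method": "oath_totp",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "result": "success"},
]


def ua_family(ua):
    """Crude browser-family extraction (first matching token); enough to spot an out-of-profile agent."""
    m = re.search(r"(Chrome|Firefox|Safari|Edg)/(\d+)", ua)
    return (m.group(1), int(m.group(2))) if m else ("unknown", 0)


def find_downgrades(events, registered):
    """Return successful sign-ins where a user who has FIDO2 registered used a weaker factor.

    Each hit is annotated with new_user_agent=True when the browser family/version
    was never seen in that user's successful FIDO2 sign-ins, which is the tell of a
    spoofed, passkey-unsupported user agent forcing a fallback method.
    """
    fido_uas = defaultdict(set)
    for e in events:
        if e["method"] in STRONG_METHODS and e["result"] == "success":
            fido_uas[e["user"]].add(ua_family(e["ua"]))
    hits = []
    for e in events:
        if not (STRONG_METHODS & registered.get(e["user"], set())):
            continue  # no passkey to downgrade from
        if e["method"] in WEAK_METHODS and e["result"] == "success":
            hits.append({**e, "new_user_agent": ua_family(e["ua"]) not in fido_uas[e["user"]]})
    return hits
```

A hit with new_user_agent=True is a triage lead, not proof; legitimate fallbacks from a second browser will also match, so correlate with source IP and session details before acting.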

Despite the lack of observed use by threat actors, Proofpoint considers FIDO authentication downgrade attacks to be a significant emerging threat. These attacks could be conducted by sophisticated adversaries and APTs (particularly state-sponsored actors or technically savvy hackers).

Proofpoint researchers emphasize: “It is important to note that FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.”

Looking ahead, as awareness of the risks posed by AiTM phishing grows and more organizations adopt “phishing-resistant” authentication methods like FIDO, attackers may seek to evolve existing tactics, techniques, and procedures (TTPs) by incorporating FIDO authentication downgrades into their kill chains.
