FIDO Downgrade Attacks, a New Authentication Threat
Proofpoint researchers have identified a sophisticated downgrade attack that could bypass FIDO-based authentication, exposing targets to adversary-in-the-middle (AiTM) threats.
These are some of the researchers' key findings:
- Using a dedicated “phishlet,” attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats.
- This attack exploits a seemingly insignificant gap in functionality, where not all web browsers support the “passkey” authentication method (FIDO2) with Microsoft Login ID, allowing attackers to spoof an unsupported “user agent” and force a less secure authentication method.
- Although technically possible, Proofpoint researchers have not yet observed FIDO authentication downgrade attacks “in the wild,” with attackers’ focus remaining on accounts with other MFA methods or no MFA methods at all.
Despite the lack of observed use by threat actors, Proofpoint considers FIDO authentication downgrade attacks to be a significant emerging threat. These attacks could be conducted by sophisticated adversaries and APTs (particularly state-sponsored actors or technically savvy hackers).
Proofpoint researchers emphasize: “It is important to note that FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.”
Looking ahead, as awareness of the risks posed by AiTM phishing grows and more organizations adopt “phishing-resistant” authentication methods like FIDO, attackers may seek to evolve existing tactics, techniques, and procedures (TTPs) by incorporating FIDO authentication downgrades into their kill chains.
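As an added illustration, not taken from the Proofpoint research or this article, the following Python sketch shows one way a defender could surface the pattern described above in sign-in logs: an account with a passkey enrolled completing a successful sign-in through a weaker method, with a higher severity when the client user agent has never been seen for that account. The log schema, field names, user-agent strings and sample events are constructed assumptions, not a real identity provider's format.

```python
from typing import Dict, List, Set

# Constructed assumption: which authentication methods count as phishing-resistant.
PHISHING_RESISTANT = {"fido2"}

# Constructed baseline: accounts with a passkey enrolled and the user agents they
# normally sign in from (in practice this would be built from historical sign-ins).
PASSKEY_USERS: Dict[str, Set[str]] = {
    "alice@example.test": {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125"},
    "bob@example.test": {"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/17"},
}

# Constructed sample sign-in events with a made-up schema.
SAMPLE_SIGNINS: List[dict] = [
    {"user": "alice@example.test", "method": "fido2", "result": "success",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125"},
    # Passkey user signs in with SMS from a user agent never seen on this account.
    {"user": "alice@example.test", "method": "sms", "result": "success",
     "user_agent": "Mozilla/5.0 (Linux; Android 12) Firefox/120"},
    # Failed attempt: not an actual downgrade, so it is skipped.
    {"user": "bob@example.test", "method": "password", "result": "failure",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/17"},
    # Passkey user succeeds with SMS from a known user agent: still worth a look.
    {"user": "bob@example.test", "method": "sms", "result": "success",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/17"},
    # No passkey enrolled, so there is no FIDO method to downgrade from.
    {"user": "carol@example.test", "method": "sms", "result": "success",
     "user_agent": "curl/8.0"},
]


def detect_fido_downgrades(signins: List[dict], passkey_users: Dict[str, Set[str]]) -> List[dict]:
    """Return alerts for successful non-FIDO sign-ins by passkey-enrolled accounts."""
    alerts = []
    for ev in signins:
        known_agents = passkey_users.get(ev["user"])
        if known_agents is None:
            continue  # account has no passkey; nothing was downgraded
        if ev["result"] != "success" or ev["method"].lower() in PHISHING_RESISTANT:
            continue  # failed attempts and FIDO sign-ins are not downgrades
        new_agent = ev["user_agent"] not in known_agents
        alerts.append({
            "user": ev["user"],
            "method": ev["method"],
            "user_agent": ev["user_agent"],
            "severity": "high" if new_agent else "medium",
            "reason": "weaker method from unseen user agent" if new_agent
                      else "weaker method from known user agent",
        })
    return alerts
```

Running `detect_fido_downgrades(SAMPLE_SIGNINS, PASSKEY_USERS)` on the constructed data yields two alerts: a high-severity one for alice and a medium-severity one for bob.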
The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.