Proofpoint Alerts: FIDO Authentication Vulnerable to Downgrade Attacks
Proofpoint threat researchers have identified a potential vulnerability in the adoption of FIDO-based authentication systems, revealing a method that could enable attackers to bypass these security mechanisms through a process known as a downgrade attack. The Fast IDentity Online (FIDO) standards have been increasingly implemented by organisations to enhance online security and mitigate the risks of credential phishing and account takeover incidents. By moving away from traditional passwords and utilising hardware keys, biometrics, or PINs, FIDO-based authentication is widely regarded as a robust defence against common phishing threats. However, recent findings indicate that FIDO authentication may not be entirely secure. Researchers have discovered that attackers could exploit a weakness by coercing users to revert to less secure authentication methods, thereby exposing them to adversary-in-the-middle (AiTM) attacks. Notably, Proofpoint has yet to observe FIDO downgrade attacks in real-world scenarios.
Understanding AiTM attacks is crucial in this context. Before the implementation of FIDO standards, hackers frequently employed phishing techniques to steal credentials, often bypassing multi-factor authentication (MFA). AiTM attacks lure victims to counterfeit login portals served through reverse proxies, allowing attackers to intercept both credentials and the authentication tokens needed for session hijacking. The rise of advanced AiTM kits and Phishing-as-a-Service platforms has made these sophisticated attacks more accessible and effective. While FIDO-secured accounts currently resist most phishing attempts using standard phishlets, Proofpoint’s research suggests that this resilience may be compromised under specific conditions. The researchers demonstrated that FIDO-based authentication, particularly for users of Microsoft Entra ID, is susceptible to downgrade attacks. This vulnerability arises because certain browsers, such as Safari on Windows, lack support for FIDO2 authentication. Attackers can exploit this limitation by spoofing the user-agent string of an unsupported browser, which prompts the authentication system to fall back to a less secure method.
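One defensive check that follows from the mechanism above: in sign-in logs, look for users who normally authenticate with FIDO but complete a sign-in with a weaker method from a user agent that cannot perform WebAuthn, such as a Safari-branded browser claiming to run on Windows. This is an added example, not Proofpoint's or Microsoft's code; the record field names and the sample sign-in entries are constructed assumptions rather than Entra ID's real log schema.

```python
"""Flag sign-ins that look like a FIDO downgrade: a user with a FIDO history
signs in with a weaker method from a user agent that lacks WebAuthn support."""

# Constructed sample sign-in records (field names are assumptions, not a real
# IdP schema). Alice normally uses FIDO2; her second sign-in uses SMS from a
# Safari-on-Windows user agent, which the page identifies as lacking FIDO2.
SAMPLE_SIGNINS = [
    {"user": "alice", "method": "fido2",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"},
    {"user": "alice", "method": "sms",
     "ua": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 "
           "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"},
    {"user": "bob", "method": "sms",          # no FIDO baseline: not a downgrade
     "ua": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.57.2 "
           "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"},
    {"user": "carol", "method": "fido2",      # Safari on macOS supports WebAuthn
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"},
]

# Methods treated as phishing-resistant; the set is an assumption for this example.
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}


def lacks_webauthn(ua: str) -> bool:
    """Heuristic from the page: a Safari-branded browser on Windows has no FIDO2
    support. Chrome, Edge and Opera also carry the 'Safari' token in their UA,
    so those are excluded before the UA is treated as real Safari."""
    ua_l = ua.lower()
    if "windows" not in ua_l or "safari" not in ua_l:
        return False
    return not any(tok in ua_l for tok in ("chrome", "chromium", "edg/", "opr/"))


def find_downgrades(signins):
    """Return sign-ins where a user with any phishing-resistant history completed
    authentication with a weaker method from a WebAuthn-incapable user agent."""
    fido_users = {s["user"] for s in signins if s["method"] in PHISHING_RESISTANT}
    return [
        s for s in signins
        if s["user"] in fido_users
        and s["method"] not in PHISHING_RESISTANT
        and lacks_webauthn(s["ua"])
    ]


if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_SIGNINS):
        print(f"possible FIDO downgrade: user={hit['user']} method={hit['method']}")
```

In practice the FIDO baseline should come from a longer history window than the batch being scanned, and a hit is a triage lead (verify with the user, check for a reverse-proxy IP) rather than proof of compromise.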
Categories: FIDO Authentication Vulnerabilities, Adversary-in-the-Middle Attacks, Phishing Techniques
Tags: FIDO, Authentication, Downgrade Attack, AiTM, Phishing, Security, Vulnerability, Credentials, Multi-Factor Authentication, Phishlet