Researchers have developed a new FIDO downgrade attack against Microsoft Entra ID that tricks users into weaker authentication methods and so increases phishing risk. It highlights a security gap in otherwise phishing-resistant FIDO passkeys: the fallback options offered when FIDO is unavailable. #FIDO2 #Evilginx
Key points
- A new FIDO downgrade attack can bypass FIDO authentication by spoofing unsupported browsers like Safari on Windows.
- The attack uses adversary-in-the-middle (AiTM) techniques to intercept login credentials and session cookies.
- Phishing sites trigger fallback authentication methods, which are vulnerable to interception and hijacking.
- The researchers recommend disabling fallback options to reduce the risk of this attack.
- This vulnerability underscores the importance of monitoring for unusual authentication behaviour, such as unexpected user agents or fallback sign-ins from users who normally use FIDO, and of tightening authentication policy accordingly.
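The monitoring the last point recommends can start with two signals the summary itself names: a user agent claiming to be Safari on Windows, and a FIDO user suddenly signing in with a fallback method. The following is an added example (not code from the researchers or from Microsoft) that checks both over a constructed, simplified set of sign-in records; the record schema and the method names are assumptions, not the real Entra ID sign-in log format.

```python
"""Flag sign-ins that look like a FIDO-to-fallback downgrade (added example)."""
import re

# Constructed sample records in a simplified schema (not the real Entra ID
# sign-in log format). A real detection would read the tenant's sign-in logs.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "method": "FIDO2 security key",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/124.0 Safari/537.36"},
    {"user": "alice@example.test", "method": "Microsoft Authenticator app notification",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"},
    {"user": "bob@example.test", "method": "Password",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/124.0 Safari/537.36"},
    {"user": "carol@example.test", "method": "FIDO2 security key",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"},
]

FIDO_METHODS = {"FIDO2 security key", "Passkey"}  # assumed method labels
# Chromium-based browsers also advertise "Safari/"; genuine Safari carries a
# "Version/" token and no Chrome/Edge/Chromium token.
_CHROMIUM = re.compile(r"\b(Chrome|Chromium|Edg|CriOS|OPR)/")


def claims_safari_on_windows(user_agent: str) -> bool:
    """True if the UA presents itself as Safari on Windows, a combination Apple
    no longer ships and the one the attack spoofs to force a fallback method."""
    return ("Windows NT" in user_agent and "Version/" in user_agent
            and "Safari/" in user_agent and not _CHROMIUM.search(user_agent))


def flag_downgrade_candidates(signins):
    """Return (user, reason) pairs worth an analyst's second look."""
    fido_users = {s["user"] for s in signins if s["method"] in FIDO_METHODS}
    flagged = []
    for s in signins:
        reasons = []
        if claims_safari_on_windows(s["user_agent"]):
            reasons.append("user agent claims Safari on Windows")
        if s["user"] in fido_users and s["method"] not in FIDO_METHODS:
            reasons.append(f"FIDO user fell back to {s['method']}")
        if reasons:
            flagged.append((s["user"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for user, reason in flag_downgrade_candidates(SAMPLE_SIGNINS):
        print(f"{user}: {reason}")
```

On the sample data only alice's second sign-in is flagged, for both reasons at once; bob never used FIDO and carol's Safari runs on macOS, so neither trips the check.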