The FIDO standard is generally considered secure and user-friendly. It is used for passwordless authentication and is regarded as an effective defence against phishing attempts. However, researchers from Proofpoint have now discovered a new way to circumvent FIDO-based authentication. For this purpose, the researchers developed a downgrade attack technique, which they tested using Microsoft Entra ID as an example.
How the FIDO authentication downgrade attack works
Phishing campaigns usually fail against accounts that are secured with FIDO passkeys. However, according to Proofpoint, certain FIDO implementations are susceptible to downgrade attacks. In this type of attack, users are tricked into using a less secure authentication method.
The starting point for the researchers was the fact that not all web browsers support FIDO passkeys, for example Safari on Windows. According to Proofpoint, this functional gap can be exploited by attackers. “A cybercriminal can adapt an Adversary-in-the-Middle (AiTM) attack to spoof an unsupported user agent that is not recognised by a FIDO implementation. The user would then be forced to authenticate using a less secure method,” Proofpoint said in a statement.
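The defensive signal that follows from the technique described above is a sign-in that falls back from a passkey to a weaker method, especially when the reported browser is one the identity provider does not offer passkeys to. The following Python detector is an added example, not Proofpoint's code or anything from Microsoft; it runs over a constructed JSON-lines sign-in log (field names `user`, `auth_method`, `user_agent`, `client_ip` are assumptions for this example, not Entra ID's schema), builds a baseline of which users have ever signed in with FIDO, and flags every non-FIDO sign-in by such a user, raising the severity when the user agent claims Safari on Windows, a browser that has not shipped since 2012 and is therefore an implausible client for a real user.

```python
"""Detect FIDO-to-weaker-method downgrades in sign-in logs.

Added example; not Proofpoint's or Microsoft's code. Assumptions:
- events are JSON lines with user, auth_method, user_agent, client_ip, ts
  (constructed field names, not the Entra ID sign-in log schema);
- a user who has ever signed in with a FIDO method is treated as FIDO-enrolled;
- any non-FIDO sign-in by such a user is a downgrade candidate, scored higher
  when the user agent is an implausible pairing such as Safari on Windows.
"""
import json

# Constructed sample log: alice normally uses a passkey from Chrome, then one
# password+SMS sign-in arrives from a "Safari on Windows" user agent.
SAMPLE_LOG = """\
{"ts":"2025-08-01T08:00:00Z","user":"alice@example.com","auth_method":"fido2","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36","client_ip":"203.0.113.10"}
{"ts":"2025-08-01T09:10:00Z","user":"alice@example.com","auth_method":"password+sms","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15","client_ip":"198.51.100.7"}
{"ts":"2025-08-01T09:12:00Z","user":"bob@example.com","auth_method":"password+sms","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36","client_ip":"203.0.113.20"}
{"ts":"2025-08-01T10:00:00Z","user":"alice@example.com","auth_method":"fido2","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36","client_ip":"203.0.113.10"}
"""

# Method names are assumed labels; map your own log's values onto this set.
FIDO_METHODS = {"fido2", "passkey", "fido"}


def is_safari_on_windows(user_agent: str) -> bool:
    """True for a user agent claiming real Safari on Windows.

    Chromium-based browsers also carry a 'Safari/' token, so genuine Safari is
    recognised by the absence of the Chrome, Chromium, Edge and Opera tokens.
    """
    ua = user_agent.lower()
    if "windows nt" not in ua or "safari/" not in ua:
        return False
    return not any(tok in ua for tok in ("chrome", "chromium", "edg/", "opr/"))


def parse_events(text: str) -> list:
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_downgrades(events: list) -> list:
    """Return findings for non-FIDO sign-ins by users who have used FIDO."""
    enrolled = {e["user"] for e in events
                if e["auth_method"].lower() in FIDO_METHODS}
    findings = []
    for e in events:
        if e["user"] not in enrolled or e["auth_method"].lower() in FIDO_METHODS:
            continue
        reasons = ["non-FIDO sign-in by FIDO-enrolled user"]
        if is_safari_on_windows(e["user_agent"]):
            reasons.append("implausible user agent: Safari on Windows")
        findings.append({
            "ts": e["ts"],
            "user": e["user"],
            "auth_method": e["auth_method"],
            "client_ip": e["client_ip"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_downgrades(parse_events(SAMPLE_LOG)):
        print(f"{f['severity'].upper():6} {f['ts']} {f['user']} "
              f"{f['auth_method']} from {f['client_ip']}: {'; '.join(f['reasons'])}")
```

In production the enrolment baseline should come from the tenant's registered authentication methods rather than from the log window itself, and the user-agent check is only a corroborating signal: a legitimate user with a lost security key will also show up as a medium-severity downgrade, which is exactly the event a help desk wants to see before a fallback method is accepted for a passkey-protected account.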



