
PoisonSeed outsmarts FIDO keys without touching them

“If a consumer whose account is protected by a FIDO key enters their username and password into the phishing web page, their credentials will probably be stolen, simply as another consumer,” Expel researchers said in a blog post. “However, with a FIDO defending their account, the attackers are unable to bodily work together with the second type of authentication.”

PoisonSeed attackers appear to have cracked this with a new trick. Instead of stealing or cloning a FIDO key, the attackers simply persuade users to scan a QR code, an exact copy of the QR code displayed in a legitimate cross-device sign-in, which completes the malicious login for them.

“It is an enjoyable assault, and one all of us have to instrument for,” said Trey Ford, chief data security officer at Bugcrowd. “Sure, that is doable, and what we’d like to bear in mind is that each security management, on some degree, may have failure modes.”
