These sorts of adversary-in-the-middle attacks have grown increasingly common. In 2022, for instance, a single group used them in a series of attacks that stole more than 10,000 credentials from 137 organizations, and led
breached was content delivery network Cloudflare. The reason was its use of MFA based on WebAuthn, the standard that makes passkeys work. Services that use WebAuthn are highly resistant to adversary-in-the-middle attacks, if not absolutely immune.

There are two reasons for this. First, WebAuthn credentials are cryptographically bound to the URL they authenticate. In the above example, the credentials would work only on https://accounts.google.com. If a victim tried to use the credential to log into https://accounts.google.com.evilproxy[.]com, the login would fail each time. Additionally, WebAuthn-based authentication must happen on or in proximity to the device the victim is using to log into the account. This occurs because the credential is also cryptographically bound to a victim device
phishing attack on their own device.

Phishing has emerged as one of the most vexing security problems facing organizations, their employees,
MFA in the form of a one-time password, or traditional push notifications, definitely adds friction to the phishing process, but with proxy-in-the-middle attacks becoming easier and more common, these forms of MFA are growing easier to defeat.

WebAuthn-based MFA comes in multiple forms; a key, known as a passkey, stored on a phone, computer, Yubikey, or similar dongle is the
As a side note, MFA based on U2F, the predecessor standard to WebAuthn, also prevents adversary-in-the-middle attacks from succeeding, although the latter provides flexibility and additional security.

Post updated to add details about passkeys.
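To make the origin-binding argument above concrete, here is an added simulation (not code from the original post or from any WebAuthn library) of the two checks that defeat a proxy page: the browser's RP ID rule and the relying party's origin and rpIdHash verification. The proxy hostname, the challenge value and the function names are constructed for the example, and the signature step is omitted.

```python
import hashlib
import json

# Constructed values: the real site and a proxy host shaped like the page's evilproxy example.
RP_ID = "accounts.google.com"
GOOD_ORIGIN = "https://accounts.google.com"
PROXY_ORIGIN = "https://accounts.google.com.evilproxy.example"


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the RP ID must equal the page's host or be a parent domain of it,
    so a page on another domain cannot ask for a credential scoped to accounts.google.com."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Simulated browser + authenticator: the browser records the origin it really sees in
    clientDataJSON and the authenticator commits to the RP ID via rpIdHash (signature omitted)."""
    if not rp_id_allowed(origin, rp_id):
        raise ValueError(f"browser refuses rpId {rp_id!r} for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return {"clientDataJSON": client_data, "rpIdHash": hashlib.sha256(rp_id.encode()).digest()}


def verify_assertion(assertion: dict, challenge: str) -> tuple:
    """Relying-party checks that bind the assertion to the real origin and RP ID."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != GOOD_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict:
    """Legitimate login, then the two ways a proxy page could try to obtain an assertion."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real server picks this at random
    results = {"legit": verify_assertion(make_assertion(GOOD_ORIGIN, RP_ID, challenge), challenge)[1]}
    try:  # proxy asks for the real site's RP ID: the browser refuses before anything is signed
        make_assertion(PROXY_ORIGIN, RP_ID, challenge)
        results["proxy_real_rpid"] = "unexpectedly allowed"
    except ValueError as e:
        results["proxy_real_rpid"] = str(e)
    # proxy uses its own RP ID: the browser allows it, but the relying party rejects the origin
    results["proxy_own_rpid"] = verify_assertion(
        make_assertion(PROXY_ORIGIN, "evilproxy.example", challenge), challenge)[1]
    return results
```

Running `demo()` shows the legitimate login returning "ok" while both proxy paths fail, one in the browser and one at the relying party, which is the behaviour the article describes.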