INSUBCONTINENT EXCLUSIVE:
Researchers recently reported encountering a phishing attack in the wild that bypasses a multifactor authentication scheme based on FIDO
(Fast Identity Online), the industry-wide standard being adopted by thousands of sites and enterprises.If true, the attack, reported in a
blog post Thursday by security firm Expel, would be huge news, since FIDO is widely regarded as being immune to credential phishing attacks
Rather, the attack downgrades the MFA process to a weaker, non-FIDO-based process
As such, the attack is better described as a FIDO downgrade attack
login page from Okta, a widely used authentication provider
It prompts visitors to enter their valid user name and password
People who take the bait have now helped the attack group, which Expel said is named PoisonSeed, clear the first big hurdle in gaining
unauthorized access to the Okta account.The FIDO spec was designed to mitigate precisely these sorts of scenarios by requiring users to
provide an additional factor of authentication in the form of a security key, which can be a passkey, or physical security key such as a
smartphone or dedicated device such as a Yubikey
For this additional step, the passkey must use a unique cryptographic key embedded into the device to sign a challenge that the site (Okta,
in this case) sends to the browser logging in.One of the ways a user can provide this additional factor is by using a cross-device sign-in
different device, which in most cases will be a phone
In these cases, the site being logged into will display a QR code
The user then scans the QR code with the phone, and the normal FIDO MFA process proceeds as normal.
