Proofpoint warns FIDO authentication can be bypassed by downgrade

Proofpoint threat researchers have identified a potential vulnerability in the adoption of FIDO-based authentication systems, revealing a method that could enable attackers to bypass these security mechanisms through a process known as a downgrade attack.

FIDO authentication in the threat landscape

The Fast IDentity Online (FIDO) standards have been increasingly implemented by organisations seeking to strengthen online security and reduce the risk of credential phishing and account takeover incidents. By eliminating the reliance on traditional passwords and instead utilising hardware keys, biometrics or PINs, FIDO-based authentication is widely considered to deliver robust protection against commonplace phishing threats.

Despite these advancements, a newly uncovered attack vector demonstrates that FIDO authentication may not be impenetrable. Proofpoint researchers have discovered that attackers could exploit a weakness by forcing users to revert to less secure authentication methods, thereby re-exposing them to adversary-in-the-middle (AiTM) attacks. Proofpoint has not yet observed FIDO downgrade attacks being used in real-world incidents.

Understanding AiTM attacks

Before the adoption of FIDO standards, hackers commonly employed phishing techniques to steal credentials, even circumventing multi-factor authentication (MFA). AiTM attacks involve victims being lured to counterfeit login portals via reverse proxies, where attackers can intercept both the credentials and authentication tokens required for session hijacking. The proliferation of advanced AiTM kits and Phishing-as-a-Service platforms has made these complex attacks more widely accessible and effective.

FIDO-secured accounts are currently resistant to most phishing attempts using standard phishlets, but Proofpoint’s research suggests this resistance may not hold under certain conditions.

How FIDO downgrade attacks operate

The Proofpoint team has demonstrated that FIDO-based authentication, with specific reference to users of Microsoft Entra ID, can be susceptible to downgrade attacks. This vulnerability arises partly due to some browsers, such as Safari on Windows, lacking support for FIDO2 authentication. Attackers can exploit this by spoofing unsupported user agents, prompting the authentication system to request a less secure method.

“Proofpoint researchers have found that FIDO-based authentication can be side-stepped using a downgrade attack. Using a dedicated phishlet, attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats. Proofpoint researchers have yet to observe FIDO authentication downgrade attacks in the wild. Authentication downgrade remains a key method for challenging ‘phishing-resistant’ authentication methods, but attackers’ current focus remains on accounts with other MFA methods or no MFA methods at all.”

To demonstrate the attack, Proofpoint researchers created a dedicated phishlet for the Evilginx AiTM attack framework. The attack relies on the existence of an alternative authentication method – usually a traditional MFA option – as most organisations retain these for account recovery purposes in conjunction with FIDO implementations.

The process begins with the victim receiving a phishing link. Upon clicking, they encounter an authentication error page asking them to switch to an alternative sign-in method, such as the Microsoft Authenticator app. When the victim completes authentication via the spoofed page, their credentials and MFA token are intercepted, allowing the attacker to hijack the session and perform post-compromise activities including data theft or lateral movement.
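As an added detection example (not Proofpoint's code or part of the original article), the following Python flags sign-ins that combine the two signals the attack described above leaves behind: a user with a phishing-resistant method registered completed sign-in with a fallback method, and the client claimed to be Safari on Windows, a browser without FIDO2 support. The event fields, method labels and sample events are constructed assumptions, not a real Entra ID sign-in log schema.

```python
# Added detection example (not Proofpoint's code). Event fields and method
# labels are constructed assumptions, not a real Entra ID sign-in log schema.
PHISHING_RESISTANT = {"fido2", "whfb", "certificate"}

# Constructed sample sign-in events: a normal FIDO sign-in, a suspected
# downgrade, and a user who never registered a phishing-resistant method.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "registered": ["fido2", "authenticatorApp"],
     "method_used": "fido2", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/126.0 Safari/537.36"},
    {"user": "alice@example.test", "registered": ["fido2", "authenticatorApp"],
     "method_used": "authenticatorApp", "ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
    {"user": "bob@example.test", "registered": ["authenticatorApp"],
     "method_used": "authenticatorApp", "ip": "192.0.2.44",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
]

def claims_safari_on_windows(user_agent: str) -> bool:
    """True when the UA presents as Safari on Windows. Chrome and Edge also
    carry the 'Safari' token, so they are excluded explicitly. The UA is
    attacker-controlled, so this is a hint, never proof on its own."""
    return ("Windows" in user_agent and "Safari/" in user_agent
            and "Chrome/" not in user_agent and "Edg/" not in user_agent)

def fell_back_from_phishing_resistant(event: dict) -> bool:
    """True when a phishing-resistant method is registered but a weaker
    fallback method completed the sign-in."""
    has_pr = any(m in PHISHING_RESISTANT for m in event["registered"])
    return has_pr and event["method_used"] not in PHISHING_RESISTANT

def downgrade_indicators(event: dict) -> list:
    reasons = []
    if fell_back_from_phishing_resistant(event):
        reasons.append("fallback method used although FIDO is registered")
    if claims_safari_on_windows(event["user_agent"]):
        reasons.append("user agent claims Safari on Windows (no FIDO2 support)")
    return reasons

def find_suspected_downgrades(events: list) -> list:
    """Report only the combination of both indicators; either one alone is
    common benign behaviour (a legitimate fallback, or an unusual browser)."""
    hits = []
    for e in events:
        reasons = downgrade_indicators(e)
        if len(reasons) == 2:
            hits.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return hits
```

A hit is a triage lead to correlate with the source IP and the user's usual devices, not a verdict, since a genuine Safari-on-Windows user who legitimately fell back would look the same.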

Assessing the risk

Proofpoint highlights that, although the downgrade attack is technically possible, it has not yet been identified in active cyberattacks. The researchers attribute this rarity to several factors. Attackers tend to target accounts lacking MFA entirely, as these are easier to breach and do not require advanced knowledge to exploit. Crafting or adapting a custom phishlet for this type of operation also requires a higher level of technical skill, which is typically beyond the reach of lower-tier cybercriminals.

“While technically feasible, FIDO authentication downgrade attacks haven’t been observed in the wild. This could be due to: Lower Effort Alternatives: Attackers often target users with weaker or no MFA, which requires less technical sophistication and yields high success rates. Technical Acumen: Creating or adapting such a phishlet requires specialized knowledge, deterring most low-level attackers.”

Proofpoint researchers note that as the use of FIDO for authentication becomes more widespread and attacker toolkits evolve, interest in targeting FIDO-secured accounts may increase, particularly among sophisticated attackers and Advanced Persistent Threat (APT) groups.

Recommendations

The findings reiterate that FIDO remains a highly recommended approach for defending against phishing and account takeover threats. However, Proofpoint advises organisations to be aware of potential downgrade vectors, especially where alternative authentication methods are used as fallbacks, and to consider enhancing browser and platform support for FIDO to mitigate these risks.
