Researchers have recently reported a phishing attack that gets around a multifactor authentication (MFA) scheme based on the FIDO (Fast Identity Online) standard, which is being adopted across an increasing number of platforms and enterprises. If borne out, that is a significant development, because FIDO is generally regarded as resistant to credential phishing.
The attack was described in a blog post by security firm Expel, which attributes it to a group it tracks as PoisonSeed. On closer reading, the attack does not bypass FIDO in the sense security practitioners use the term. Instead, it pushes the login through a less secure, non-FIDO method, so it is more accurately described as a FIDO downgrade attack.
The attack begins with an email that sends recipients to a counterfeit login page dressed up as an interface for Okta, a widely used identity provider. Victims are urged to enter their valid usernames and passwords. Anyone who does so clears the first barrier to their Okta account for the attackers: the password.
FIDO was designed to defeat exactly this scenario. Besides the password, the login must be completed by a FIDO authenticator, which can be a passkey stored on the device, a physical security key such as a YubiKey, or a phone. The authenticator holds a private key that was generated when the credential was registered and that is bound to the site it was registered with. To log in, the site (here Okta) sends a random challenge; the authenticator signs it, and the browser records the origin that requested the signature alongside the challenge. A counterfeit site has a different origin, so an assertion produced while the user is on that site does not verify at the real one. That binding, not the mere presence of a second factor, is what makes FIDO resistant to credential phishing.
When no passkey is available on the device being used, the user can fall back to cross-device sign-in, which uses a passkey held on another device, typically a phone. The login site displays a QR code; the user scans it with the phone, the phone carries out the normal FIDO challenge-and-signature exchange, and the login on the first device completes.
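The challenge-and-signature step described above, including why an assertion collected on a look-alike site is rejected by the real one and why a captured assertion cannot be replayed against a later challenge, as an added Go example. This is not code from the article, from Expel or from Okta; it follows WebAuthn's structure in simplified form (the signed value is authenticatorData followed by the SHA-256 of clientDataJSON), and the tenant name, challenge strings and key pair are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData: the browser, not the page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the authenticator (security key, phone, platform passkey) hands back.
type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 over SHA-256(authenticatorData || SHA-256(clientDataJSON))
}

// signedDigest is the value the authenticator signs and the relying party verifies.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// sign models the authenticator side: it never sees the password and only ever signs a fresh challenge.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x05, 0, 0, 0, 1) // flags: user present + verified; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify models the relying party (Okta in the article): challenge, origin and RP ID are checked
// before the signature, and any mismatch rejects the login.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: assertion was produced for another site", cd.Origin, origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// runScenarios reports, per scenario, whether the relying party accepts the login.
func runScenarios() map[string]bool {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID = "example.okta.com" // assumed tenant name for the demo, not a real one
	const origin = "https://" + rpID
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real RP issues fresh random bytes
	results := map[string]bool{}
	good, _ := sign(priv, rpID, origin, challenge)
	results["legitimate"] = verify(&priv.PublicKey, rpID, origin, challenge, good) == nil
	// Same user, same key, same challenge, but the request came from a look-alike site.
	phished, _ := sign(priv, "example-okta.com", "https://example-okta.com", challenge)
	results["phishing origin"] = verify(&priv.PublicKey, rpID, origin, challenge, phished) == nil
	// An assertion captured for an earlier challenge is useless against a new one.
	results["replayed challenge"] = verify(&priv.PublicKey, rpID, origin, "ZnJlc2gtY2hhbGxlbmdl", good) == nil
	return results
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-20s accepted=%v\n", name, ok)
	}
}
```

The relying party stores only the public key, so harvesting the password gives the attacker nothing to sign with; the only way past this check is to keep the victim off the FIDO path altogether, which is why the page's characterization of the attack as a downgrade matters for defenders.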
Mapped to the MITRE ATT&CK framework, the initial access vector used by PoisonSeed is ordinary Phishing (T1566) aimed at harvesting credentials, and using those credentials against the genuine Okta login falls under Valid Accounts (T1078). The defeat of the second factor is not credential dumping (OS Credential Dumping, T1003, covers extraction of credential material from a compromised host); the closer match under Credential Access is Multi-Factor Authentication Interception (T1111), since the attackers obtain access with the harvested password and then get past the additional layer rather than stealing it from a system.
As attackers keep refining these techniques, organizations need to keep their MFA deployments under review, not just in place. For a downgrade attack specifically, that means checking which fallback factors the identity provider will still accept for a user who has a FIDO credential enrolled, because the attack only works if a weaker method remains available to downgrade to.