Proofpoint Warns of New Downgrade Attack Targeting FIDO Passkey Security

A new phishing technique tricks users into abandoning strong FIDO2 authentication for weaker, more vulnerable methods.


Key Takeaways:

  • Proofpoint researchers have shown a way to trick users into stepping down from FIDO2 passkey authentication.
  • The attacker's phishing proxy claims to be a browser the login service cannot serve FIDO to, so the service offers weaker fallback methods.
  • Once the user falls back to SMS or app-based MFA, an ordinary adversary-in-the-middle (AiTM) phishing kit can capture the credentials and the session.

Attackers are evolving their tactics and now targeting even phishing-resistant protections like FIDO, not by breaking the cryptography but by deceiving users into downgrading their authentication. Proofpoint’s latest research details how an attacker can misrepresent the victim's browser to the login service and deploy a custom phishing kit to compromise accounts that were previously considered safe from credential phishing.

Passkey (FIDO2) authentication is a modern, passwordless login method that uses a cryptographic key pair stored on a user’s device to verify identity. Users unlock the key with biometrics (such as a fingerprint or face scan) or a device PIN, and the device signs a server-issued challenge with the private key; no reusable secret is ever sent over the wire. The signature is also bound to the origin of the site the browser is actually talking to, so a credential registered for the real login page cannot be used to satisfy a look-alike phishing page. This is what makes FIDO2 highly resistant to phishing, credential theft, and replay attacks, and it is also why an attacker has to get the user off FIDO2 rather than try to relay it.

Proofpoint researchers have demonstrated a method that uses a custom phishlet (a site-specific template for an adversary-in-the-middle phishing kit) to downgrade FIDO authentication to less secure methods. The phishlet proxies the legitimate login page so that the victim's username, password, fallback MFA response and the resulting session cookie all pass through the attacker's server. With FIDO taken out of the flow, this is a standard AiTM attack, and the captured session token is what gives the attacker access.

How does the FIDO downgrade attack work?

The downgrade works by pushing the user from FIDO2 to a weaker login method during a phishing attempt. The victim follows a phishing link to the attacker's proxy, which forwards the login request to the real service but rewrites the User-Agent header so that the request appears to come from Safari on Windows, a browser and platform combination for which the service does not offer FIDO authentication. The service therefore returns an error and prompts the user to choose a fallback such as SMS or an app-based MFA code. The fake login page, sitting in the middle, captures the password and the fallback code as the user types them, relays them to the real service, and collects the session token the service issues, giving the attacker authenticated access without ever touching the passkey.

The target is required to select a different authentication method. (Image Credit: Proofpoint)
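The following simulation is an added illustration of the flow described above; it is not Proofpoint's code, and the browser-support rule, the account data, the header names and the hostname login.example.com are illustrative assumptions, not any real identity provider's logic. It models the three parties (victim browser, AiTM proxy, login service) and contrasts a service that silently falls back to weaker methods with one that refuses to downgrade an account whose policy requires a passkey.

```python
"""Simulation of the FIDO downgrade flow (added example, not vendor code).

The AiTM proxy forwards the victim's request upstream but rewrites the
User-Agent to claim Safari on Windows, which the (assumed) service treats
as FIDO-incapable. The vulnerable service drops FIDO and offers whatever
else is registered; the hardened one refuses for passkey-required accounts.
"""
from dataclasses import dataclass


def is_safari_on_windows(user_agent: str) -> bool:
    # Chrome and Edge UAs also contain the token "Safari", so rule them out first.
    real_safari = "Safari/" in user_agent and not any(
        t in user_agent for t in ("Chrome/", "Chromium/", "Edg/"))
    return real_safari and "Windows NT" in user_agent


def fido_supported(user_agent: str) -> bool:
    # Assumption: the service offers FIDO everywhere except Safari on Windows.
    return not is_safari_on_windows(user_agent)


@dataclass
class Account:
    username: str
    registered_methods: tuple            # e.g. ("fido2", "sms", "totp")
    passkey_required: bool = False       # policy: phishing-resistant MFA only


class AuthPolicyError(Exception):
    """Raised when the hardened service refuses to offer a weaker method."""


def offer_methods_vulnerable(account: Account, user_agent: str) -> list:
    """Weak setting: drop FIDO when the browser 'cannot' do it, offer the rest."""
    methods = list(account.registered_methods)
    if not fido_supported(user_agent):
        methods = [m for m in methods if m != "fido2"]
    return methods


def offer_methods_hardened(account: Account, user_agent: str) -> list:
    """Corrected setting: a passkey-required account never sees a weaker menu."""
    if fido_supported(user_agent):
        return ["fido2"] if account.passkey_required else list(account.registered_methods)
    if account.passkey_required:
        raise AuthPolicyError(
            f"{account.username}: passkey required but browser reports no FIDO "
            "support; no fallback offered")
    return [m for m in account.registered_methods if m != "fido2"]


# Constructed UA strings: what the proxy claims, and what the victim really runs.
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
VICTIM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36")


def aitm_forward(victim_request: dict) -> dict:
    """The proxy relays the request upstream with a rewritten User-Agent."""
    upstream = dict(victim_request)
    upstream["User-Agent"] = SPOOFED_UA
    return upstream


def run_scenario(hardened: bool) -> dict:
    """Victim on FIDO-capable Chrome logs in through the AiTM proxy."""
    victim = Account("alice@example.com", ("fido2", "sms", "totp"), passkey_required=True)
    request = {"User-Agent": VICTIM_UA, "Host": "login.example.com"}  # assumed host
    upstream = aitm_forward(request)
    offer = offer_methods_hardened if hardened else offer_methods_vulnerable
    try:
        return {"blocked": False, "methods": offer(victim, upstream["User-Agent"])}
    except AuthPolicyError as err:
        return {"blocked": True, "reason": str(err)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))  # proxy is handed sms/totp to relay
    print("hardened:  ", run_scenario(hardened=True))   # login refused, nothing to relay
```

The vulnerable path is the one the attack needs: because a genuine passkey assertion is bound to the real origin, the proxy cannot relay it, so the only way in is to make the service hand out a method that can be relayed. The hardened path removes that option for accounts under a passkey-only policy, at the cost of a hard failure on genuinely unsupported browsers, which is the trade-off the mitigation section below is about.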

According to Proofpoint, this technique has not yet been observed in the wild. Proofpoint nonetheless treats it as a serious threat, because it turns an authentication factor that is designed to be phishing-resistant into one that can be captured and relayed by an ordinary AiTM kit.

Steps organizations can take to prevent downgrade attacks

To mitigate downgrade attacks targeting FIDO2 authentication, organizations should standardize on modern browsers and platforms that fully support passkeys. If every browser in the environment can complete a passkey sign-in, there is no legitimate reason for the login service to show a fallback prompt, and an unexpected one becomes a signal rather than routine noise.

Additionally, security teams should monitor for suspicious sign-ins, in particular a user who normally authenticates with a passkey suddenly succeeding with SMS or an app-based code, or a sign-in whose browser identifies itself as Safari on Windows. Authentication policies should not leave weaker methods registered as fallbacks for accounts that are required to use phishing-resistant MFA, since a fallback that exists can be triggered. Users should be trained to treat a sudden "choose another method" prompt on a familiar login as a warning sign rather than an inconvenience. Finally, conditional access controls and session monitoring (device compliance checks, token binding where available, and alerts on session tokens reused from a new IP address) help detect and block the adversary-in-the-middle stage that the downgrade sets up.
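As an added example of the monitoring recommended above (this is not Proofpoint's detection logic or any product's rule), the script below runs two checks over a constructed set of sign-in events: a User-Agent claiming Safari on Windows, and an account with a recent passkey sign-in that then succeeds with a weaker fallback method. The event schema, user names, IP addresses and severity labels are assumptions for the example.

```python
"""Detection pass for the FIDO downgrade pattern (added example, constructed data)."""

WEAK_METHODS = {"sms", "totp", "push"}

# Constructed UA strings: Chrome on Windows also carries the "Safari" token,
# which is why the check below excludes Chromium-family browsers explicitly.
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36")
SAFARI_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.5 Safari/605.1.15")

# Constructed sign-in events, not real logs. Field names are assumptions.
SAMPLE_EVENTS = [
    # alice signs in with her passkey from Chrome as usual ...
    {"ts": "2025-08-18T08:01:12Z", "user": "alice@example.com", "method": "fido2",
     "result": "success", "ip": "198.51.100.10", "ua": CHROME_WIN},
    # ... then "succeeds" with SMS from a Safari-on-Windows UA at a new IP (the proxy).
    {"ts": "2025-08-18T09:47:03Z", "user": "alice@example.com", "method": "sms",
     "result": "success", "ip": "203.0.113.77", "ua": SAFARI_WIN},
    # bob has never used a passkey; SMS from Chrome is his (weak but normal) baseline.
    {"ts": "2025-08-18T08:15:40Z", "user": "bob@example.com", "method": "sms",
     "result": "success", "ip": "198.51.100.22", "ua": CHROME_WIN},
    # carol uses a passkey from real Safari on macOS: nothing to flag.
    {"ts": "2025-08-18T08:30:00Z", "user": "carol@example.com", "method": "fido2",
     "result": "success", "ip": "198.51.100.31", "ua": SAFARI_MAC},
    # dave is a passkey user who later succeeds with TOTP from his normal browser.
    {"ts": "2025-08-18T08:32:11Z", "user": "dave@example.com", "method": "fido2",
     "result": "success", "ip": "198.51.100.40", "ua": CHROME_WIN},
    {"ts": "2025-08-18T10:00:45Z", "user": "dave@example.com", "method": "totp",
     "result": "success", "ip": "198.51.100.40", "ua": CHROME_WIN},
    # eve has no passkey history but her sign-in claims Safari on Windows.
    {"ts": "2025-08-18T10:30:09Z", "user": "eve@example.com", "method": "totp",
     "result": "success", "ip": "203.0.113.80", "ua": SAFARI_WIN},
    # a failed attempt should not count as a downgrade.
    {"ts": "2025-08-18T10:31:00Z", "user": "carol@example.com", "method": "sms",
     "result": "failure", "ip": "203.0.113.81", "ua": SAFARI_WIN},
]


def is_safari_on_windows(ua: str) -> bool:
    real_safari = "Safari/" in ua and not any(
        t in ua for t in ("Chrome/", "Chromium/", "Edg/"))
    return real_safari and "Windows NT" in ua


def detect_downgrades(events: list) -> list:
    """Return alerts, ordered by time, for fallback sign-ins by passkey users
    and for sign-ins whose UA claims Safari on Windows."""
    alerts = []
    passkey_users = set()   # users seen completing a FIDO2 sign-in earlier in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        if ev["method"] == "fido2":
            passkey_users.add(ev["user"])
            continue
        spoofed_ua = is_safari_on_windows(ev["ua"])
        downgraded = ev["method"] in WEAK_METHODS and ev["user"] in passkey_users
        if downgraded:
            alerts.append({
                "user": ev["user"], "ts": ev["ts"], "ip": ev["ip"],
                "severity": "high" if spoofed_ua else "medium",
                "reason": f"passkey user authenticated with {ev['method']}"
                          + (" from Safari-on-Windows UA" if spoofed_ua else ""),
            })
        elif spoofed_ua:
            alerts.append({
                "user": ev["user"], "ts": ev["ts"], "ip": ev["ip"],
                "severity": "medium",
                "reason": "sign-in claims Safari on Windows (not FIDO-capable)",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_EVENTS):
        print(f"{alert['severity']:6} {alert['ts']} {alert['user']:20} {alert['reason']}")
```

The passkey baseline here is built from the same batch of events; in production it would come from the directory's registered-method inventory so that a user's first weak sign-in is flagged even without a recent FIDO2 event in the window. Dave's medium alert shows the expected false-positive class (a passkey user on a new device who genuinely fell back), which is why the UA signal is used to raise severity rather than as the only trigger.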