Jul 21, 2025 | Ravie Lakshmanan | Threat Intelligence / Authentication
Cybersecurity researchers have disclosed a novel attack technique that enables threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. In this case, attackers exploit a legitimate feature, cross-device sign-in, to trick victims into unknowingly authenticating malicious sessions.

The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims' digital wallets.
"The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys," researchers Ben Nahorney and Brandon Overstreet said. "However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks."

The technique does not work in all scenarios. It specifically targets users authenticating via cross-device flows that do not enforce strict proximity checks, such as Bluetooth or local device attestation. If a user's environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.

Cross-device sign-in allows users to sign in on a device that does not have a passkey by using a second device that does hold the cryptographic key, such as a mobile phone.
The attack chain documented by Expel commences with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise's Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.

The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that is subsequently sent back to the phishing site and presented to the victim.

Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim's account.
"In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in," Expel said.

"The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in."
What makes the attack noteworthy is that it bypasses protections offered by FIDO keys and enables threat actors to obtain access to users' accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.

While FIDO2 is designed to resist phishing, its cross-device login flow, known as hybrid transport, can be misused if proximity verification such as Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole, not because of a protocol flaw, but because of its flexible implementation.
Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user's password.

To better protect user accounts, organizations should pair FIDO2 authentication with checks that verify the device being used. When possible, logins should happen on the same device holding the passkey, which limits phishing risk. Security teams should watch for unusual QR code logins or new passkey enrollments. Account recovery options should use phishing-resistant methods, and login screens, especially for cross-device sign-ins, should show helpful details such as location, device type, or clear warnings to help users spot suspicious activity.
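The two signals Expel recommends watching for, cross-device (QR code) sign-ins from an unfamiliar location and a new passkey enrolled right after a password reset, can be checked over identity-provider logs. The following is an added example, not code from Expel or Okta; it assumes a generic event schema (fields `event`, `transport`, `ip`) and uses constructed sample events rather than real log lines.

```python
from datetime import datetime

# Constructed sample events in an assumed, generic schema (not real Okta log lines).
# event: fido_auth | password_reset | passkey_enrolled
# transport: hybrid (cross-device QR flow) | internal (platform authenticator) | usb
EVENTS = [
    {"ts": "2025-07-15T09:00:00", "user": "alice", "event": "fido_auth", "transport": "internal", "ip": "198.51.100.10"},
    {"ts": "2025-07-15T13:45:00", "user": "alice", "event": "fido_auth", "transport": "hybrid", "ip": "203.0.113.7"},
    {"ts": "2025-07-16T08:00:00", "user": "bob", "event": "password_reset", "ip": "203.0.113.9"},
    {"ts": "2025-07-16T08:04:00", "user": "bob", "event": "passkey_enrolled", "transport": "usb", "ip": "203.0.113.9"},
    {"ts": "2025-07-16T10:00:00", "user": "carol", "event": "fido_auth", "transport": "hybrid", "ip": "198.51.100.22"},
]

# Assumed baseline of IPs each user normally signs in from (constructed).
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.11"}, "carol": {"198.51.100.22"}}


def unusual_hybrid_signins(events, known_ips):
    """Flag cross-device (hybrid/QR) FIDO logins whose desktop session came from an IP
    the user has not used before. In the relayed-QR attack the FIDO assertion itself is
    valid for the real domain, so the transport plus the session origin is the signal."""
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "fido_auth" or e.get("transport") != "hybrid":
            continue
        if e["ip"] not in known_ips.get(e["user"], set()):
            hits.append((e["user"], e["ts"], e["ip"]))
    return hits


def enrollments_after_reset(events, window_minutes=30):
    """Flag a passkey enrolled within window_minutes of a password reset for the same
    user: the attacker-enrolled-key pattern from the second incident described above."""
    last_reset = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "password_reset":
            last_reset[e["user"]] = t
        elif e["event"] == "passkey_enrolled":
            t0 = last_reset.get(e["user"])
            if t0 is not None and (t - t0).total_seconds() <= window_minutes * 60:
                hits.append((e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    print(unusual_hybrid_signins(EVENTS, KNOWN_IPS))
    print(enrollments_after_reset(EVENTS))
```

Carol's hybrid sign-in is not flagged because it originates from her usual IP; a hybrid flow by itself is legitimate, which is why the baseline matters.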
If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps of an account lifecycle, including during recovery phases, as using an authentication method that is susceptible to phishing can undermine the entire identity infrastructure.

"AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts," the researchers added.