New downgrade attack can bypass FIDO auth in Microsoft Entra ID

https://news.ycombinator.com/rss Hits: 1
Summary

Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking. These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.

Although the attack doesn't prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness. This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.

FIDO passkeys are a passwordless authentication method based on the FIDO2 and WebAuthn standards, designed to eliminate the weaknesses of passwords and traditional multi-factor authentication (MFA). When a user registers a passkey, their device generates a pair of keys (private + public), which are used to solve a random, unique challenge during login to online services, verifying the user's identity. As only the user's device holds the correct private key, which isn't transmitted anywhere during the login process, there's nothing phishing actors can intercept.

Downgrading and bypassing FIDO

The new downgrade attack created by Proofpoint researchers employs a custom phishlet within the Evilginx adversary-in-the-middle (AiTM) framework to spoof a browser user agent that lacks FIDO support. Specifically, the researchers spoof Safari on Windows, which is not compatible with FIDO-based authentication in Microsoft Entra ID.

"This seemingly insignificant gap in functionality can be leveraged by attackers," explains Proofpoint researcher Yaniv Miron. "A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less s...
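The detection angle that follows from the summary above is that a downgrade of this kind leaves a trace in the sign-in telemetry: a user who normally authenticates with FIDO suddenly completes a sign-in with a weaker method from a user agent that Entra ID does not support for FIDO (the article names Safari on Windows). The following script is an added example written for this page, not code from Proofpoint or Microsoft; the sign-in records are constructed, and their flat field layout (`ts`, `user`, `method`, `ua`) is a hypothetical format rather than the real Entra ID sign-in log schema.

```python
import re

# Constructed sample sign-in records. The field layout is hypothetical and
# not the real Entra ID sign-in log schema; adapt the keys to your export.
SAMPLE_SIGNINS = [
    {"ts": "2025-08-13T09:01:00Z", "user": "alice@example.test", "method": "fido2",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/127.0 Safari/537.36"},
    {"ts": "2025-08-13T09:05:00Z", "user": "alice@example.test", "method": "sms",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
    {"ts": "2025-08-13T09:10:00Z", "user": "bob@example.test", "method": "password",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.0 Safari/605.1.15"},
    {"ts": "2025-08-13T09:12:00Z", "user": "carol@example.test", "method": "fido2",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/127.0 Safari/537.36 Edg/127.0"},
]

# Methods we treat as phishing-resistant; anything else is a "weaker" fallback.
STRONG_METHODS = {"fido2"}


def is_safari_on_windows(ua: str) -> bool:
    """True for a user agent that claims desktop Safari running on Windows.

    Chromium-based browsers (Chrome, Edge, Opera) also carry the "Safari/"
    token for compatibility, so they must be excluded explicitly.
    """
    if "Windows NT" not in ua or "Safari/" not in ua:
        return False
    return re.search(r"\b(Chrome|Chromium|CriOS|Edg|OPR)/", ua) is None


def find_downgrade_candidates(signins):
    """Return sign-ins that look like a FIDO downgrade.

    A record is flagged when (a) the user has authenticated with a strong
    method elsewhere in the window, (b) this sign-in used a weaker method, and
    (c) the user agent is one Entra ID does not support for FIDO.
    """
    strong_users = {s["user"] for s in signins if s["method"] in STRONG_METHODS}
    hits = []
    for s in signins:
        if (s["user"] in strong_users
                and s["method"] not in STRONG_METHODS
                and is_safari_on_windows(s["ua"])):
            hits.append({
                "ts": s["ts"],
                "user": s["user"],
                "method": s["method"],
                "reason": "weaker method from a user agent without FIDO support",
            })
    return hits


if __name__ == "__main__":
    for hit in find_downgrade_candidates(SAMPLE_SIGNINS):
        print(hit)
```

The baseline of "strong users" is built from the same window of records here for simplicity; in practice it would come from a longer history of each user's registered and used methods. Bob's Safari sign-in is not flagged because it is on macOS and he has no FIDO history in the sample, and Carol's Edge sign-in is not flagged because the Chromium exclusion applies.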

First seen: 2025-08-13 20:06

Last seen: 2025-08-13 20:06