No, phishers are not bypassing FIDO MFA, at least not yet. Here’s why.

Recent findings have drawn attention to a phishing technique that is said to circumvent the multifactor authentication (MFA) built on FIDO (Fast Identity Online), a standard adopted by many companies and websites. If that were true it would matter a great deal, because FIDO is widely regarded as a robust defense against credential theft. A closer reading of the report published by security firm Expel tells a different story: rather than defeating FIDO’s protection outright, the technique steers the login to a less secure, non-FIDO method. It is more accurately described as a FIDO downgrade attack.

Expel lays out the mechanics of the attack. It begins with an email that lures recipients to a counterfeit login page resembling that of Okta, a widely used authentication service. Users who enter their credentials there hand the attackers, whom Expel tracks as PoisonSeed, the first of the two factors needed to access the targeted Okta account.

FIDO is designed specifically to defeat this kind of credential theft by requiring an additional factor: a passkey, held either on a dedicated device such as a YubiKey or on a general-purpose device such as a smartphone. The passkey holds a private key unique to the account and the site; at login it uses that key to sign a challenge issued by the site, in this case Okta, and the site checks the signature against the public key registered during enrollment. Because the signed response is bound to the site that issued the challenge, a password phished on a look-alike domain does not by itself get an attacker past this step.

Users can also authenticate across devices: a passkey stored on another device, most often a smartphone, can be used to sign in on the device in front of them. In that case the site displays a QR code for the user to scan with the phone, and the usual FIDO MFA exchange then proceeds as normal.
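As an added example (not code from the Ars Technica or Expel write-ups), here is a compact Go model of the FIDO exchange described above: the site issues a random challenge, the browser records the origin it actually loaded in clientDataJSON, the authenticator signs only with a key scoped to that origin’s host, and the site checks challenge, origin and signature before accepting the login. The Okta-style origin `https://example.okta.com`, the user `alice`, the look-alike host `okta-login.example.net` and the use of Ed25519 are assumptions made for illustration; real WebAuthn authenticator data also carries flags and a signature counter, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData mirrors WebAuthn's clientDataJSON. The browser, not the page's
// JavaScript, fills in Origin, so a look-alike page cannot claim the real one.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type (
	Assertion     struct{ ClientDataJSON, AuthData, Sig []byte } // Sig covers AuthData || SHA-256(ClientDataJSON)
	Authenticator struct{ Keys map[string]ed25519.PrivateKey } // passkey store: one key pair per RP ID
	RelyingParty  struct {
		Origin string
		creds  map[string]ed25519.PublicKey // user -> enrolled passkey public key
	}
)

// Sign is the browser-plus-authenticator half of the exchange. The RP ID is the host
// of the origin the browser actually loaded; without a credential for it, nothing is signed.
func (a *Authenticator) Sign(pageOrigin, challenge string) (*Assertion, error) {
	rpID := hostOf(pageOrigin)
	k, ok := a.Keys[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for RP ID %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID)) // real authData also carries flags and a counter
	return &Assertion{ClientDataJSON: cd, AuthData: rpHash[:], Sig: ed25519.Sign(k, signedMessage(rpHash[:], cd))}, nil
}

// hostOf derives the RP ID from an origin; origins in this example are assumed well formed.
func hostOf(origin string) string { u, _ := url.Parse(origin); return u.Hostname() }

// signedMessage is authData || SHA-256(clientDataJSON), built the same way on both sides.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// NewRelyingParty creates the site and enrolls one passkey for user on auth, scoped to the site's host.
func NewRelyingParty(origin, user string, auth *Authenticator) *RelyingParty {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	auth.Keys[hostOf(origin)] = priv
	return &RelyingParty{Origin: origin, creds: map[string]ed25519.PublicKey{user: pub}}
}

// VerifyPasskey is the server-side half of phishing resistance: the challenge we issued,
// our own origin, the key enrolled for this user. A relayed assertion from another origin fails here.
func (rp *RelyingParty) VerifyPasskey(user, challenge string, as *Assertion) error {
	var cd clientData
	switch pub, err := rp.creds[user], json.Unmarshal(as.ClientDataJSON, &cd); {
	case err != nil:
		return err
	case cd.Challenge != challenge:
		return fmt.Errorf("rp: challenge mismatch (replay or wrong session)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("rp: assertion bound to %q, expected %q", cd.Origin, rp.Origin)
	case len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig):
		return fmt.Errorf("rp: signature does not verify")
	}
	return nil
}

// PasskeyLogin runs one FIDO round with the victim's browser on pageOrigin. A proxying phishing
// page can relay a genuine challenge, but not change the origin the browser records, so only rp.Origin succeeds.
func PasskeyLogin(rp *RelyingParty, auth *Authenticator, user, pageOrigin string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw) // the site would hold this in the login session
	as, err := auth.Sign(pageOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.VerifyPasskey(user, challenge, as)
}

func main() {
	auth := &Authenticator{Keys: map[string]ed25519.PrivateKey{}}
	rp := NewRelyingParty("https://example.okta.com", "alice", auth) // assumed origin, not from the article
	fmt.Println("real origin:    ", PasskeyLogin(rp, auth, "alice", rp.Origin))
	fmt.Println("phishing origin:", PasskeyLogin(rp, auth, "alice", "https://okta-login.example.net"))
}
```

The login on the real origin verifies and the one from the look-alike host does not, even though the phishing page could have fetched a perfectly genuine challenge from the real site: the origin the browser writes into clientDataJSON and the RP-ID scoping of the key are the two things a proxy cannot forge. A second factor that carries no such binding to the origin can be relayed unchanged, which is why steering the victim onto a non-FIDO method succeeds where relaying FIDO fails.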

Source: Ars Technica

Published on: Jul 18, 2025, 19:10
