Don’t Phish-let Me Down: FIDO Authentication Downgrade

SecurityVendor

Key takeaways 

FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats. 
Proofpoint researchers have found that FIDO-based authentication can be side-stepped using a downgrade attack. 
Using a dedicated phishlet, attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats. 
Proofpoint researchers have yet to observe FIDO authentication downgrade attacks in the wild. 
Authentication downgrade is a key method for challenging “phishing-resistant” authentication methods, but attackers’ current focus remains on accounts with other MFA methods or no MFA at all. 

Overview 

As organizations try to keep pace with an ever-evolving threat landscape, particularly the rising danger of adversary-in-the-middle (AiTM) attacks run by sophisticated cybercriminals and state-sponsored threat actors, the growing adoption of FIDO (Fast Identity Online) authentication has significantly improved online security by providing a robust, phishing-resistant way to verify user identities. However, Proofpoint threat researchers have recently uncovered a technique that could enable attackers to downgrade FIDO-based authentication to a weaker method, presenting a potential risk to organizations and individual users alike. 

Modern phishing, AiTM style 

Before the FIDO standards, credential theft largely relied on phishing techniques that exploit traditional password-based authentication and even multi-factor authentication (MFA) mechanisms.  

A typical adversary-in-the-middle (AiTM) attack begins with the victim receiving a phishing message containing a link to a malicious webpage designed to mimic a legitimate login page. The fake domain fronts a reverse proxy server, which relays traffic between the victim and the actual service. When the victim enters their credentials, the attacker intercepts them in real time. If the victim completes an MFA challenge (such as entering a one-time code), the proxy relays it to the real service and captures the session cookie the service issues in return, enabling complete session hijacking. 

In recent years, the development and proliferation of advanced AiTM phishing kits such as Evilginx, EvilProxy and Tycoon have been a pivotal change in the threat landscape. At the same time, Phishing-as-a-Service (PhaaS) platforms have gained popularity, as they remove many technical barriers by offering attackers intuitive point-and-click interfaces that simplify running phishing campaigns. Because of these changes, AiTM phishing attacks have become more prevalent and effective than ever before.  

FIDO 

FIDO is a set of open standards developed to enhance online authentication by improving security and user experience. The FIDO Alliance introduced these standards to reduce reliance on passwords and promote stronger, phishing-resistant authentication methods. 

Simply put, FIDO eliminates the shared secret that a user could be tricked into typing: the authenticator signs a challenge that is bound to the origin of the site requesting it, so a credential registered for the legitimate login domain produces nothing usable when invoked from an attacker’s proxy domain. This negates the threat posed by common phishing techniques. In addition, FIDO can combine hardware security keys (e.g., YubiKey) with biometrics or PINs for user verification. 
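The origin binding described above is what a standard AiTM proxy cannot get around. The following is an added example (not code from the original post or from any vendor) that simulates the two bindings a relying party checks on every WebAuthn assertion: the origin the browser itself writes into clientDataJSON, and the SHA-256 of the RP ID inside authenticatorData. Both are covered by the authenticator's signature, so a proxy cannot rewrite them after the fact; signature verification is omitted here and assumed to pass. In a real browser the call fails even earlier, because `login.microsoftonline.com` is not a registrable suffix of the phishing origin, so the credential is never offered. The challenge values and the phishing host name are constructed.

```python
"""Why an AiTM proxy cannot replay a FIDO/WebAuthn assertion (added example).

Simulates the browser/authenticator output for a navigator.credentials.get()
call and the relying-party (RP) checks from WebAuthn section 7.2 on the
clientDataJSON origin and the rpIdHash. Signature verification is omitted.
"""
import base64
import hashlib
import json
import os

RP_ID = "login.microsoftonline.com"            # the Entra ID relying party ID
RP_ORIGIN = "https://login.microsoftonline.com"  # the only origin the RP accepts


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin, challenge, rp_id=RP_ID):
    """Simulate what browser and authenticator produce for a get() call made
    from `origin`. The browser, not the page, fills in the origin field; the
    authenticator hashes the RP ID it was asked to use."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                      # UP (0x01) and UV (0x04) set
    sign_count = (1).to_bytes(4, "big")  # 32-bit big-endian signature counter
    return {
        "clientDataJSON": b64url(json.dumps(client_data).encode()),
        "authenticatorData": b64url(rp_id_hash + flags + sign_count),
    }


def verify_assertion(assertion, expected_challenge):
    """RP-side checks. Returns (accepted, reason)."""
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        # This is what a proxied login would trip on: the browser recorded
        # the proxy's origin, and the signature covers that JSON.
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo():
    challenge = os.urandom(32)
    legit = make_assertion(RP_ORIGIN, challenge)
    # Constructed phishing host: the proxy serves its copy of the login page
    # from here, so the browser records this origin, not the real one.
    phished = make_assertion("https://login.microsoftonline.com.phish.example", challenge)
    return verify_assertion(legit, challenge), verify_assertion(phished, challenge)


if __name__ == "__main__":
    print(demo())
```

Compare this with the password or one-time-code flows in the previous section: there the browser sends the secret to whatever host the page came from, and the proxy simply forwards it. Nothing in a password or OTP ties it to an origin, which is exactly the property the FIDO assertion adds.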

The proof is in the phishlet 

Today, most phishing attempts fail when they meet FIDO-secured accounts using standard phishlets. To understand why, we must first explain what a phishlet is: a configuration file or template used by phishing kits to define how a legitimate website is impersonated and how user credentials and session tokens are intercepted. 

Because most phishlets are designed for traditional credential harvesting and pre-FIDO MFA bypass, they often throw an error once they encounter FIDO authentication, rendering the whole attack chain unsuccessful. 

Figure 1: Error shown when using a standard phishlet for a user with FIDO authentication. 

FIDO downgrade attack execution 

Security researchers have previously demonstrated that certain FIDO-based authentication implementations, most notably Windows Hello for Business (WHfB), can be susceptible to downgrade attacks. These attacks work by forcing the user into falling back to a less secure authentication method. 

In this post, we reveal that such FIDO downgrade attacks can be executed against Microsoft Entra ID users in a way that is not limited to any specific implementation. 

User agent spoofing 

Not all web browsers support passkey (FIDO2) authentication with Microsoft Entra ID. For instance, according to Microsoft’s compatibility matrix, FIDO2 is not supported when using Safari on Windows.  

Figure 2: Support for FIDO2 authentication with Microsoft Entra ID (source: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-compatibility?tabs=web#web-browser-support). 

This seemingly insignificant gap in functionality can be leveraged by attackers. A threat actor can configure the AiTM proxy to present the User-Agent of an unsupported browser, so that the FIDO option is never offered and the user is forced to authenticate through a less secure method. The decision is made from the self-reported User-Agent alone; this behavior, observed on Microsoft platforms, amounts to a missing security measure. 

Authentication downgrade flow 

Based on this finding, Proofpoint researchers crafted a dedicated phishlet for the Evilginx AiTM framework that forces a target to downgrade to a less secure authentication method. The attack sequence relies on the targeted account having an alternative authentication method (usually another form of MFA) registered besides FIDO. In practice this tends to be the case, as most admins keep a fallback option for account recovery. 

The phishing attack flow proceeds as follows: 

Initial interaction: A phishing link is delivered to the target via email, SMS, OAuth consent request or another communication channel. 
Authentication downgrade: Once the target falls for the phishing lure and clicks the malicious URL (served by the FIDO downgrade phishlet), they are presented with an authentication error message prompting them to select an alternative sign-in method. 

Figure 3: A sign in error message presented to the target. 

Figure 4: The target is required to select a different authentication method. 

Figure 5: If the target selects the Microsoft Authenticator app, they are required to enter a verification code. Any other MFA method from the list would work. 

Credential and session cookie theft: Once the victim authenticates through the spoofed interface, the threat actor can intercept and view the login credentials and the session cookie, as in a standard AiTM phishing attack. 

Figure 6: List of victim sessions in Evilginx; the “captured” session is visible. 

Figure 7: Victim’s credentials and cookie details, as shown in the Evilginx console. 

Session hijack and account takeover: Finally, the attacker can hijack the authenticated session by importing the stolen session cookie into their own browser, gaining access to the victim’s account without having to enter any credentials or pass an MFA challenge. The attacker may then proceed to execute an array of post-compromise actions, including data exfiltration and lateral movement within the affected environment. 

Figure 8: Importing the intercepted session cookie into the attacker’s browser. 

Figure 9: The attacker successfully authenticates as the victim, using the intercepted session cookie. 
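The downgrade leaves two traces a defender can look for in Entra ID sign-in logs: a user whose baseline is a phishing-resistant method suddenly completing MFA with a weaker one, and a User-Agent claiming a browser/OS pair (such as Safari on Windows, from the compatibility matrix above) for which FIDO2 is never offered. The following is an added example of such a hunt; it is not code from the original post or from Proofpoint. The records are constructed to resemble Microsoft Graph sign-in objects, and the field names (`userPrincipalName`, `userAgent`, `ipAddress`, `authenticationDetails[].authenticationMethod`) and method labels are assumptions to check against your own export. Because every Chromium-based browser also ends its User-Agent with `Safari/537.36`, the Safari check needs the Safari-only `Version/` token and the absence of Chromium product tokens, otherwise every Edge and Chrome sign-in would match.

```python
"""Hunt Entra ID sign-in records for a FIDO-to-weaker-method downgrade.

Added example, not from the original post. Field names and method labels
are assumptions modelled on Microsoft Graph `signIn` objects; the records
themselves are constructed.
"""
from collections import defaultdict

# Methods treated here as phishing-resistant (labels assumed).
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business"}
# Product tokens that mark a Chromium-based browser despite its "Safari/" suffix.
CHROMIUM_MARKERS = ("Chrome/", "Chromium/", "Edg/", "OPR/")

EDGE_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0")
# Historical Safari 5.1.7 for Windows UA: the kind of string a proxy would
# present so that Entra ID withholds the FIDO2 option.
SAFARI_WIN = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 "
              "(KHTML, like Gecko) Version/5.1.7 Safari/534.57.2")

# Constructed sample export, in chronological order. alice normally uses a
# FIDO2 key from Edge; s3 is the downgraded sign-in from a new IP.
SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "userAgent": EDGE_WIN,
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
    {"id": "s2", "userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.11",
     "userAgent": EDGE_WIN,
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"id": "s3", "userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.7",
     "userAgent": SAFARI_WIN,
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app verification code", "succeeded": True}]},
    {"id": "s4", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "userAgent": EDGE_WIN,
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
]


def claims_safari_on_windows(ua):
    """True if the User-Agent presents itself as genuine Safari on Windows,
    a pair for which Entra ID does not offer FIDO2. Requires the Safari-only
    "Version/" token and no Chromium product token."""
    return ("Windows" in ua and "Version/" in ua and "Safari/" in ua
            and not any(marker in ua for marker in CHROMIUM_MARKERS))


def successful_methods(signin):
    return {d["authenticationMethod"] for d in signin["authenticationDetails"]
            if d.get("succeeded")}


def find_downgrades(signins):
    """Return [(sign-in id, [reasons])] for sign-ins in which a user who has
    already authenticated with a phishing-resistant method in this batch
    completes MFA with a weaker second factor instead. A password step on
    its own is not a second factor and is ignored."""
    has_fido_baseline = defaultdict(bool)
    findings = []
    for s in signins:
        upn = s["userPrincipalName"]
        methods = successful_methods(s)
        weaker = methods - PHISHING_RESISTANT - {"Password"}
        if has_fido_baseline[upn] and weaker and not (methods & PHISHING_RESISTANT):
            reasons = ["FIDO user completed MFA with " + ", ".join(sorted(weaker))]
            if claims_safari_on_windows(s["userAgent"]):
                reasons.append("User-Agent claims Safari on Windows, which is not "
                               "offered FIDO2: possible proxy spoofing")
            findings.append((s["id"], reasons))
        if methods & PHISHING_RESISTANT:
            has_fido_baseline[upn] = True
    return findings


if __name__ == "__main__":
    for signin_id, reasons in find_downgrades(SIGNINS):
        print(signin_id, *reasons, sep="\n  ")
```

Detection of this kind is a backstop, not the fix. Because the attack needs a weaker method that is still acceptable to the sign-in policy, the durable control is to require a phishing-resistant authentication strength for the resource in Conditional Access, so that a sign-in which was never offered FIDO cannot satisfy the grant control with Authenticator or a code and simply fails instead of being downgraded.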

User accounts remain at risk 

As demonstrated, a modified AiTM phishlet can be used to launch a FIDO authentication downgrade attack, forcing victims to authenticate through a less secure method. This enables attackers to steal credentials and/or session cookies, ultimately leading to account takeover (ATO) and a range of post-ATO threats. 

Although technically feasible, there is currently no evidence that threat actors use this technique in the wild. This could be due to the following reasons: 

Lower effort alternatives: Many attackers currently opt for simpler attack paths, often targeting users with weak or single-factor authentication or other MFA methods that are known to be vulnerable to current phishlets. These approaches require less technical sophistication and still yield high success rates. 
Technical acumen: Creating or adapting a phishlet to carry out a FIDO downgrade attack requires deeper understanding and specialized knowledge, which may deter most low-skill attackers. 

Despite the lack of observed use by threat actors, Proofpoint considers FIDO authentication downgrade attacks to be a significant emerging threat. They could be carried out by sophisticated adversaries and APTs, such as state-sponsored actors or technically savvy criminals. 

Looking ahead, as awareness of the risks posed by AiTM phishing grows and more organizations adopt “phishing-resistant” authentication methods like FIDO, attackers could evolve their existing tactics, techniques and procedures (TTPs) by incorporating FIDO authentication downgrade into their kill chains.