- Experts warn FIDO is not supported on certain clients when accessing Entra ID
- This triggers a fallback login mechanism that can be intercepted
- Mitigations need to be introduced, researchers say
FIDO-based authentication is considered one of the strongest practical defenses against phishing and identity theft, but according to Proofpoint's recent research it is not without weaknesses.
The company's researchers say they have found a way to force a target to give up FIDO-based authentication in favor of a weaker login method that can be intercepted in transit.
In that way, despite being protected by an industry-standard defense, victims may still end up losing access to key accounts.
Lack of security features
The “weakness” in this scenario is that not all browsers support FIDO. Safari on Windows, for example, is not compatible with FIDO-based authentication in Microsoft Entra ID, and when a user with such a setup tries to log in, they are offered an alternative: an SMS-delivered one-time password, an email, or an OAuth prompt.
All of these can then be intercepted via an adversary-in-the-middle (AiTM) attack, forwarded to the attacker and used to log into the account.
“This seemingly insignificant gap in functionality can be exploited by attackers,” Proofpoint said in its report.
“A threat actor can adjust AiTM to spoof a non-supported user agent not recognized by a FIDO implementation. Then the user will be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a lack of a security measure.”
So far, Proofpoint says there is no evidence that this method is being abused in the wild, and speculates that threat actors are still targeting accounts without multifactor authentication (MFA) in the first place.
As more and more companies implement this anti-phishing technique, attacks that work around FIDO-based authentication may catch on.
To minimize the risk, companies must turn off alternative authentication methods for key accounts, or at least turn on additional controls when a fallback is triggered.
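One way to put the "additional controls" into practice is a sign-in log check that flags FIDO-enrolled users whose sign-in completed with one of the weaker fallback methods named above, and additionally notes when the client looks like the article's example of an unsupported browser (Safari on Windows). This is an added example, not Proofpoint's or Microsoft's code; the event fields and the enrolled-user set are hypothetical, and the sample events are constructed.

```python
import re

# Constructed sample sign-in events (not real Entra ID logs). The fields are a
# hypothetical simplification of a sign-in record: who signed in, which
# authentication method completed the sign-in, and the client's user agent.
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "method": "FIDO2 security key",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"},
    {"user": "alice@example.test", "method": "SMS",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Version/5.1.7 Safari/534.57.2"},
    {"user": "bob@example.test", "method": "SMS",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"},
    {"user": "carol@example.test", "method": "FIDO2 security key",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/605.1.15"},
]

# Hypothetical directory export: users who have a FIDO credential registered.
FIDO_ENROLLED = {"alice@example.test", "carol@example.test"}

# Fallback methods the article describes as interceptable by an AiTM proxy.
WEAK_METHODS = {"SMS", "Email OTP", "OAuth prompt"}


def looks_like_safari_on_windows(user_agent: str) -> bool:
    """Flag the article's example of a client where FIDO is not supported.

    Chromium-based browsers also carry 'Safari/' in their UA string, so a plain
    substring check would misfire; require Windows + Safari and exclude the
    Chrome/Chromium/Edge/Opera tokens.
    """
    if "Windows" not in user_agent or "Safari/" not in user_agent:
        return False
    return not re.search(r"Chrome/|Chromium/|Edg/|OPR/", user_agent)


def find_downgrades(events, fido_enrolled=FIDO_ENROLLED):
    """Return FIDO-enrolled users whose sign-in completed with a weak method."""
    findings = []
    for ev in events:
        if ev["user"] not in fido_enrolled or ev["method"] not in WEAK_METHODS:
            continue  # not enrolled, or a strong method was used: nothing to flag
        reasons = ["fido_enrolled_but_weak_method"]
        if looks_like_safari_on_windows(ev["user_agent"]):
            reasons.append("unsupported_client_ua")
        findings.append({"user": ev["user"], "method": ev["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_SIGNINS):
        print(finding)
```

A hit with only the first reason still deserves review: a fallback completed from any client is the condition the article says should trigger extra controls, the user-agent flag just raises priority.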
Via BleepingComputer