- Experts warn that FIDO is not supported on certain clients when accessing Entra ID
- This triggers a fallback login mechanism that can be intercepted
- Mitigations must be put in place, say the researchers
FIDO-based authenticators are considered one of the strongest practical defenses against phishing and credential theft, but judging by the latest Proofpoint research, they are not without weaknesses.
The company's researchers say they have found a way to force a target to abandon FIDO-based authentication in favor of a weaker login method that can be intercepted in transit.
So even though they are protected by standard defenses, victims can still end up losing access to key accounts.
Missing security features
The "weakness" in this scenario is that not all browsers support FIDO. Safari on Windows, for example, does not support FIDO-based authentication in Microsoft Entra ID, and when a user with such a configuration tries to sign in, they are offered an alternative: an SMS one-time password challenge, an email, or an OAuth consent prompt.
All of these can then be intercepted via an adversary-in-the-middle (AitM) attack, relayed to the attackers and used to sign in to the account.
"This apparently insignificant gap in functionality can be exploited by attackers," Proofpoint said in its report.
"A threat actor can adjust the AitM to spoof an unsupported user agent, which is not recognized by the FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure."
So far, Proofpoint says there is no evidence that this method is being abused in the wild, and speculates that threat actors are still more likely to target accounts without multi-factor authentication (MFA) in the first place.
However, as more and more companies deploy this anti-phishing technique, workarounds for FIDO-based authentication could multiply.
To minimize the risk, companies should disable alternative authentication methods for key accounts, or at least enable additional checks when a fallback is triggered.
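As an added illustration of the two mitigations above (this is example code, not Proofpoint's or Microsoft's), the script below does two things over a set of sign-in events: it denies fallback methods outright for a configurable set of key accounts, and it flags any fallback sign-in by a user who has an established FIDO history, scoring it higher when the user agent was never seen in that user's FIDO sign-ins (the page's downgrade scenario). The event schema and the sample events are constructed for the example and do not mirror Entra ID's real sign-in log format.

```python
"""Detect and block FIDO-to-fallback authentication downgrades.

Added example; event schema is hypothetical and the sample data is constructed.
"""
from collections import defaultdict

# Methods the article treats as phishing-resistant versus relayable fallbacks
STRONG_METHODS = {"fido2", "passkey"}
FALLBACK_METHODS = {"sms_otp", "email_otp", "oauth_consent"}

# Constructed sample sign-in events (hypothetical schema, not a real log format)
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T08:00:00Z", "user": "alice@example.com", "method": "fido2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "ip": "203.0.113.10"},
    {"ts": "2025-07-02T08:05:00Z", "user": "alice@example.com", "method": "fido2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "ip": "203.0.113.10"},
    # Fallback from a browser/OS pair the user never used for FIDO: the downgrade pattern
    {"ts": "2025-07-03T13:42:00Z", "user": "alice@example.com", "method": "sms_otp",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/605.1.15", "ip": "198.51.100.7"},
    # Bob has no FIDO history, so SMS OTP is simply his normal path
    {"ts": "2025-07-03T09:00:00Z", "user": "bob@example.com", "method": "sms_otp",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/605.1.15", "ip": "203.0.113.44"},
    {"ts": "2025-07-03T09:10:00Z", "user": "carol@example.com", "method": "passkey",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "ip": "203.0.113.90"},
]


def is_allowed(user, method, key_accounts):
    """Mitigation 1: key accounts may never authenticate with a fallback method."""
    return not (user in key_accounts and method in FALLBACK_METHODS)


def build_profiles(events):
    """Per user, collect the user agents seen in successful FIDO/passkey sign-ins."""
    profiles = defaultdict(set)
    for e in events:
        if e["method"] in STRONG_METHODS:
            profiles[e["user"]].add(e["user_agent"])
    return profiles


def find_downgrades(events):
    """Mitigation 2: raise an alert whenever a user with FIDO history signs in via a fallback.

    Severity is 'high' when the fallback came from a user agent never observed in that
    user's FIDO sign-ins, which is what a spoofed, FIDO-unsupported client looks like.
    """
    profiles = build_profiles(events)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["method"] not in FALLBACK_METHODS:
            continue
        strong_agents = profiles.get(e["user"])
        if not strong_agents:
            continue  # no FIDO history: a fallback is this user's expected method
        new_agent = e["user_agent"] not in strong_agents
        alerts.append({
            "user": e["user"],
            "ts": e["ts"],
            "method": e["method"],
            "ip": e["ip"],
            "severity": "high" if new_agent else "medium",
            "reason": ("fallback from a user agent never seen in this user's FIDO sign-ins"
                       if new_agent else "fallback used despite established FIDO history"),
        })
    return alerts


if __name__ == "__main__":
    for a in find_downgrades(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['user']} {a['method']} from {a['ip']}: {a['reason']}")
    print("alice sms_otp allowed as key account:",
          is_allowed("alice@example.com", "sms_otp", {"alice@example.com"}))
```

On realistic data the profile should be built from a longer history window than the events being scored, and the user-agent comparison can be loosened to browser family plus OS so that routine version bumps do not produce alerts; the point is that a fallback from a client the account has never used for FIDO is exactly the event worth a second look.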
Via BleepingComputer