Hackers can bypass FIDO MFA keys, putting your accounts at risk - here's what we know


  • A phishing campaign spotted trying to work around FIDO keys
  • The "cross-device sign in" feature triggers a QR code
  • Crooks can relay the QR code to bypass MFA and log in

Hackers have found a way to steal login credentials even for accounts protected with Fast IDentity Online (FIDO) physical keys. It revolves around a fallback created in these multi-factor authentication (MFA) solutions, and only works in certain scenarios.

FIDO keys are small physical or software authenticators that use cryptographic technology to securely log users into websites and apps. They serve as a multi-factor authenticator, preventing cybercriminals who have already obtained login credentials from accessing the targeted accounts.

To use the authenticator, most of the time users need to physically interact with the device. In some scenarios, however, there is a replacement mechanism - scanning a QR code. Criminals have started using this fallback in so-called adversary-in-the-middle (AitM) attacks.

Phishing for QR codes

Observed by security researchers Expel, the attacks start with the usual phishing email.

It leads victims to a landing page that mimics the look and feel of the company’s normal authentication process, including an Okta logo and sign-in fields for username and password.

Normally, after entering the login credentials, the user would need to physically interact with the FIDO key. In this case, however, the user is presented with a QR code instead.

This is because, in the background, the attackers used the stolen login credentials and requested “cross-device sign-in”, which triggered the QR code fallback. If the victim scans the QR code, the login portal and the MFA authenticator communicate, and the attackers successfully log in.

The best way to defend against this attack is to enable Bluetooth proximity checks on FIDO, so that QR codes only work if the phone scanning them is physically near the user’s computer.

Alternatively, companies should educate their employees on how to spot suspicious login pages and unexpected QR codes, since this malicious landing page could easily be spotted by looking at the URL and the domain.

Finally, IT teams should audit authentication logs for strange QR-based logins, or new FIDO registrations, which can serve as an indicator of compromise.
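The two defensive points above (proximity checks, and auditing for QR-based logins and new FIDO registrations) can be turned into a simple log audit. The script below is an added example, not code from Expel, Okta or this article; the log schema, field names (`auth.fido_cross_device`, `proximity_check`, `auth.fido_register`) and sample records are all constructed for illustration and do not match any vendor's real log format. It flags cross-device sign-ins that completed without a proximity check, cross-device sign-ins from an IP the user has not been seen on before, and a FIDO registration within a short window after a cross-device sign-in.

```python
"""Audit constructed authentication-log records for the indicators named in
the article: anomalous cross-device (QR) FIDO sign-ins and new FIDO
registrations shortly after one. Schema and field names are hypothetical."""
from datetime import datetime, timedelta

# Constructed sample records (hypothetical field names, RFC 5737 test IPs).
SAMPLE_LOG = [
    {"ts": "2025-07-20T09:00:05Z", "user": "alice", "event": "auth.password_ok",
     "client_ip": "203.0.113.10"},
    {"ts": "2025-07-20T09:00:07Z", "user": "alice", "event": "auth.fido_cross_device",
     "client_ip": "203.0.113.10", "proximity_check": False},
    {"ts": "2025-07-20T09:03:40Z", "user": "alice", "event": "auth.fido_register",
     "client_ip": "203.0.113.10"},
    {"ts": "2025-07-20T10:15:00Z", "user": "bob", "event": "auth.password_ok",
     "client_ip": "198.51.100.7"},
    {"ts": "2025-07-20T10:15:02Z", "user": "bob", "event": "auth.fido_touch",
     "client_ip": "198.51.100.7"},
    {"ts": "2025-07-20T11:00:00Z", "user": "carol", "event": "auth.fido_cross_device",
     "client_ip": "192.0.2.44", "proximity_check": True},
]

# Constructed baseline: IPs each user has previously completed logins from.
BASELINE_IPS = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.7"},
    "carol": {"192.0.2.44"},
}


def parse_ts(ts: str) -> datetime:
    """Parse the constructed UTC timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def audit(records, baseline_ips, window=timedelta(minutes=30)):
    """Return a sorted list of (user, rule, timestamp) findings.

    Rules:
      qr_no_proximity    cross-device sign-in completed without a proximity check
      qr_from_new_ip     cross-device sign-in from an IP outside the user's baseline
      register_after_qr  new FIDO registration within `window` of a cross-device sign-in
    """
    findings = []
    last_cross_device = {}  # user -> datetime of most recent cross-device sign-in
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, event, ts = rec["user"], rec["event"], parse_ts(rec["ts"])
        if event == "auth.fido_cross_device":
            last_cross_device[user] = ts
            if not rec.get("proximity_check", False):
                findings.append((user, "qr_no_proximity", rec["ts"]))
            if rec["client_ip"] not in baseline_ips.get(user, set()):
                findings.append((user, "qr_from_new_ip", rec["ts"]))
        elif event == "auth.fido_register":
            prior = last_cross_device.get(user)
            if prior is not None and ts - prior <= window:
                findings.append((user, "register_after_qr", rec["ts"]))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule, ts in audit(SAMPLE_LOG, BASELINE_IPS):
        print(f"{ts} {user}: {rule}")
```

On the constructed data only alice trips the rules: her cross-device sign-in had no proximity check, came from an IP outside her baseline, and was followed three minutes later by a new FIDO registration, which is the pattern the article describes. A real deployment would swap the constructed records and baseline for the identity provider's own event types and a per-user IP or device history.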

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
