Don't Phish-let Me Down: FIDO Authentication Downgrade
(MENAFN - BPG Group) Dubai, United Arab Emirates, 13th August 2025 - Proofpoint threat researchers have found that a threat vector could enable attackers to downgrade FIDO (Fast Identity Online) authentication mechanisms, presenting a potential risk to organizations and individual users alike. As organizations try to keep pace with an ever-evolving threat landscape – particularly the rising danger of adversary-in-the-middle (AiTM) attacks orchestrated by sophisticated cybercriminals and state-sponsored threat actors – the growing adoption of FIDO authentication has significantly improved online security by providing a robust method for verifying user identities. However, this latest finding highlights how even strong authentication methods can be targeted.
FIDO
FIDO is a set of open standards developed to enhance online authentication by improving security and user experience. The FIDO Alliance introduced these standards to reduce reliance on passwords and promote stronger, phishing-resistant authentication methods.
Simply put, FIDO eliminates the need for traditional credentials, negating the risk posed by common phishing techniques. In addition, FIDO can combine hardware security keys (e.g., YubiKey) with biometrics or PINs for added protection.
Prior to the FIDO standards, modern credential theft vectors largely depended on phishing techniques that exploit traditional password-based and even multi-factor authentication (MFA) mechanisms.
A typical adversary-in-the-middle (AiTM) attack begins with the victim receiving a phishing message containing a link to a malicious webpage designed to mimic a legitimate login page. The fake domain is connected to a reverse proxy server, which relays traffic between the victim and the actual service. When the victim enters their credentials, they are instantly intercepted by the attacker. If the victim successfully completes an MFA challenge (such as entering a one-time code), the attacker intercepts the resulting session token as well, enabling a complete session hijacking.
Today, most phishing threats fail when faced with FIDO-secured accounts using standard phishlets. Security researchers have previously demonstrated that certain FIDO-based authentication implementations, such as Windows Hello for Business (WHfB), can be susceptible to downgrade attacks. These attacks work by forcing the user to fall back to a less secure authentication method.
Not all web browsers support the passkey (FIDO2) authentication method with Microsoft Entra ID. For instance, FIDO is not supported when using Safari on Windows.
This seemingly insignificant gap in functionality can be leveraged by attackers. A threat actor can adjust the AiTM proxy to spoof an unsupported user agent, which is not recognized by the FIDO implementation. The user is subsequently forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, represents a missing security control.
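The downgrade described above leaves a trace that a defender can look for: a FIDO-registered user signing in with a weaker method, from a user agent that the identity provider treats as unable to use passkeys (the page names Safari on Windows). The following is an added detection example, not Proofpoint's or Microsoft's code; it runs over a constructed, simplified key=value sign-in log (field names `user`, `ua`, `method`, `fido_registered` are assumptions, not real Entra ID sign-in log fields) and flags candidate downgrades, with a higher severity when the user agent looks spoofed.

```python
"""Flag sign-ins that look like a FIDO authentication downgrade.

Added example, not code from the original article. The log format and field
names below are assumptions for illustration; real sign-in logs differ.
"""
import re
from dataclasses import dataclass

# Constructed sample sign-in events (not real log data). One event per line,
# space-separated key=value pairs, with the user agent quoted.
SAMPLE_LOG = """\
user=alice ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" method=sms fido_registered=true
user=bob ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36 Edg/124.0" method=fido2 fido_registered=true
user=carol ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" method=push fido_registered=false
user=dave ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36" method=sms fido_registered=true
"""

# Authentication methods considered phishing-resistant for this example.
STRONG_METHODS = {"fido2", "passkey", "whfb"}

# Safari on Windows: a Windows platform token followed by Safari's
# "Version/x" token. Chromium-based browsers also carry "Safari/" in their
# UA string, so they are excluded explicitly by their own product tokens.
SAFARI_ON_WINDOWS = re.compile(r"Windows NT[^)]*\).*Version/\d[\d.]*.*Safari/")
CHROMIUM_TOKENS = re.compile(r"\b(Chrome|Chromium|Edg|OPR)/")

# key=value or key="quoted value"
LINE_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict of field -> value."""
    fields = {}
    for m in LINE_FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_unsupported_ua(ua: str) -> bool:
    """True when the UA claims a browser/OS pair that cannot use passkeys here."""
    return bool(SAFARI_ON_WINDOWS.search(ua)) and not CHROMIUM_TOKENS.search(ua)


def find_downgrade_candidates(log_text: str) -> list:
    """Return findings for FIDO-registered users who signed in with a weaker method.

    Severity is 'high' when the user agent is one the provider does not
    support for FIDO (the pattern an AiTM proxy would spoof), else 'medium'.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        used_weak_method = ev.get("method") not in STRONG_METHODS
        has_fido = ev.get("fido_registered") == "true"
        if not (used_weak_method and has_fido):
            continue  # either no FIDO to downgrade from, or FIDO was used
        if is_unsupported_ua(ev.get("ua", "")):
            findings.append(Finding(ev["user"], "high",
                "weaker method from a user agent that cannot use FIDO (possible spoofed UA)"))
        else:
            findings.append(Finding(ev["user"], "medium",
                "FIDO-registered user fell back to a weaker method"))
    return findings


if __name__ == "__main__":
    for f in find_downgrade_candidates(SAMPLE_LOG):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

Running it flags alice as high (Safari-on-Windows UA plus SMS despite a registered FIDO credential) and dave as medium (fallback from a supported browser), while bob (used FIDO2) and carol (no FIDO registered) produce nothing. In a real deployment the "medium" class is the one to tune: occasional legitimate fallback is expected where admins keep a recovery method, so alerting on volume or on first occurrence per user is more useful than alerting on every event.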
Authentication downgrade flow
Proofpoint researchers have successfully crafted a dedicated phishlet for the Evilginx AiTM attack framework that forces a target to downgrade from FIDO to a less secure authentication method. The attack sequence relies on the existence of an alternative authentication method (usually MFA), besides FIDO, for the targeted user account. In practice this tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery.
User accounts remain at risk
As demonstrated, a modified AiTM phishlet can be used to launch a FIDO authentication downgrade attack, forcing victims to authenticate through a less secure method. This enables attackers to steal credentials and/or session cookies, ultimately leading to account takeover (ATO) and a range of post-ATO threats.
Looking ahead, as awareness of the risks posed by AiTM phishing grows and more organizations adopt “phishing-resistant” authentication methods like FIDO, attackers could attempt to evolve existing tactics, techniques and procedures (TTPs) by incorporating FIDO authentication downgrade into their kill chains.
