- Experts warn that FIDO is not supported by certain clients when accessing Entra ID
- This triggers a fallback login mechanism that can be phished
- Mitigations must be put in place, researchers say
FIDO-based authenticator apps are considered one of the strongest practical defenses against phishing and credential theft, but judging by Proofpoint's latest research, they are not free of weaknesses.
The company's researchers say they have found a way to force a target to abandon FIDO-based authentication in favor of a weaker login method that can be intercepted in transit.
This way, victims can still end up losing access to key accounts despite being protected by industry-standard defenses.
Missing security feature
The “weakness” in this scenario is that not all browsers support FIDO. Safari on Windows, for example, does not support FIDO-based authentication in Microsoft Entra ID, and when a user with that setup tries to log in, an alternative is offered: a password, an email code, or an OAuth consent prompt.
All of these can be harvested through an adversary-in-the-middle (AiTM) attack, relayed to the attackers, and used to log in.
“This seemingly insignificant functionality gap can be exploited by attackers,” Proofpoint said in its report.
“A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure.”
So far, Proofpoint says there is no evidence that this method is being abused in the wild, and speculates that threat actors are instead targeting accounts without multi-factor authentication (MFA) first.
However, as more companies adopt this anti-phishing technique, downgrading FIDO-based authentication could catch on.
To minimize the risk, companies should disable fallback authentication methods for key accounts, or at least enable additional checks when a fallback is triggered.
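The two mitigations above, a hard block on fallback methods for key accounts and a step-up check when a user who normally signs in with FIDO suddenly falls back to a weaker method, can be expressed as a small policy and detection routine over sign-in records. The following is an added example written for this article; it is not Proofpoint's code or Microsoft's, and the record layout (`user`, `method`, `user_agent`, `success`), the method names and the sample sign-ins are constructed simplifications rather than the real Entra ID sign-in log schema.

```python
"""Detect FIDO-to-fallback downgrades and apply a per-account fallback policy.

Added example, not part of the original article or of Proofpoint's research.
Field names and method labels are constructed; they are not the real
Entra ID sign-in log schema.
"""

# Phishing-resistant methods (constructed label).
STRONG_METHODS = {"fido2"}
# Fallback methods the article names as phishable in an AiTM relay.
WEAK_METHODS = {"password", "email_otp", "oauth_consent"}

# Constructed sample sign-in records in chronological order (not real data).
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "method": "fido2", "user_agent": "Edge/Windows", "success": True},
    {"user": "alice@example.test", "method": "fido2", "user_agent": "Edge/Windows", "success": True},
    # alice has FIDO history but now authenticates with a password from a
    # browser that does not support FIDO: the downgrade the article describes.
    {"user": "alice@example.test", "method": "password", "user_agent": "Safari/Windows", "success": True},
    # bob never enrolled FIDO; a password sign-in is not a downgrade for him.
    {"user": "bob@example.test", "method": "password", "user_agent": "Chrome/Windows", "success": True},
    {"user": "carol@example.test", "method": "fido2", "user_agent": "Chrome/macOS", "success": True},
    # Failed attempts do not count as established FIDO history.
    {"user": "dave@example.test", "method": "fido2", "user_agent": "Edge/Windows", "success": False},
    {"user": "dave@example.test", "method": "email_otp", "user_agent": "Safari/Windows", "success": True},
]


def strong_method_users(signins):
    """Return the set of users with at least one successful strong sign-in."""
    return {r["user"] for r in signins
            if r["success"] and r["method"] in STRONG_METHODS}


def find_downgrades(signins):
    """Return (user, method, user_agent) for every successful weak-method
    sign-in by a user who had already succeeded with a strong method earlier
    in the record stream.
    """
    seen_strong = set()
    flagged = []
    for rec in signins:
        if not rec["success"]:
            continue
        if rec["method"] in STRONG_METHODS:
            seen_strong.add(rec["user"])
        elif rec["method"] in WEAK_METHODS and rec["user"] in seen_strong:
            flagged.append((rec["user"], rec["method"], rec["user_agent"]))
    return flagged


def evaluate_signin(rec, protected_users, strong_history):
    """Decide how a sign-in should be handled under the article's mitigations.

    - "allow":   strong method, or a weak method for a user with no FIDO
                 history and no special protection.
    - "deny":    weak method for a key account (fallback disabled outright).
    - "step_up": weak method for a user who normally uses FIDO; an extra
                 check is required before the session is granted.
    """
    method = rec["method"]
    if method in STRONG_METHODS:
        return "allow"
    if method in WEAK_METHODS:
        if rec["user"] in protected_users:
            return "deny"
        if rec["user"] in strong_history:
            return "step_up"
        return "allow"
    raise ValueError(f"unknown authentication method: {method!r}")


def evaluate_all(signins, protected_users):
    """Apply evaluate_signin to a record stream, building FIDO history as it goes."""
    history = set()
    decisions = []
    for rec in signins:
        decisions.append(evaluate_signin(rec, protected_users, history))
        if rec["success"] and rec["method"] in STRONG_METHODS:
            history.add(rec["user"])
    return decisions


if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_SIGNINS):
        print("downgrade:", hit)
    for rec, decision in zip(SAMPLE_SIGNINS, evaluate_all(SAMPLE_SIGNINS, {"alice@example.test"})):
        print(f"{rec['user']:20} {rec['method']:14} {rec['user_agent']:15} -> {decision}")
```

The detector deliberately treats only users with an established FIDO history as downgrade candidates; accounts that never enrolled FIDO are the population the article says attackers currently prefer, and they are an MFA-coverage gap rather than a downgrade.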
Via BleepingComputer