Hackers Use Phishlet for FIDO Downgrade Attacks


FIDO Passkeys Face New Downgrade Attack Threat

A new and highly sophisticated cyber threat has surfaced, targeting one of the most trusted authentication technologies in modern cybersecurity.

FIDO-based passkeys, widely regarded as the gold standard for phishing-resistant authentication, are now the target of an advanced downgrade attack. The technique tricks users into abandoning strong FIDO authentication in favour of weaker, more easily exploited sign-in methods.

Exploiting a Compatibility Gap in Major Platforms

The vulnerability lies in FIDO implementations across major services, most notably in Microsoft Entra ID, where certain web browsers still lack full passkey support.

This minor-seeming compatibility gap creates an opening for cybercriminals to manipulate the login process, pushing victims toward traditional multi-factor authentication (MFA) methods. These weaker methods are known to be susceptible to adversary-in-the-middle (AiTM) attacks.


AiTM Phishing Kits Powering the Threat

Modern phishing campaigns have evolved drastically with AiTM phishing kits such as Evilginx, EvilProxy, and Tycoon. These toolkits have made session hijacking more accessible by providing user-friendly interfaces that lower the technical skill needed for complex attacks.

Proofpoint researchers discovered this downgrade threat after noticing that standard phishing scripts (phishlets) often fail against FIDO-protected accounts. In response, attackers have developed specialized phishlets to bypass these protections.

How the Attack Works

The attack usually starts with phishing emails or messages containing malicious links tied to a dedicated FIDO downgrade phishlet.

When the victim clicks the link, they encounter a fake authentication error prompting them to choose an alternative sign-in method. The interface is carefully designed to mimic legitimate Microsoft authentication pages, making it appear as if the system is malfunctioning.

Technical Details – User Agent Spoofing

The attack’s core mechanism is user agent spoofing. Threat actors configure their AiTM infrastructure to simulate an unsupported browser environment, for example Safari on Windows, which lacks FIDO2 compatibility with Microsoft Entra ID.


When the authentication platform detects the spoofed environment, it automatically offers weaker fallback options.

Once the victim signs in using these downgraded methods, attackers capture credentials and session tokens through a reverse proxy server. These stolen session cookies can then be imported directly into the attacker’s browser, allowing full account takeover without additional verification.
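The two signals described above (a spoofed "Safari on Windows" user agent and a passkey holder suddenly signing in with a phishable method) can be checked directly in sign-in logs. The detector below is an added example, not part of the original article or of any Proofpoint or Microsoft tooling; the event field names and the sample events are constructed assumptions, not Entra ID's real log schema.

```python
"""Flag sign-in events that look like a FIDO downgrade (hypothetical log shape)."""
from __future__ import annotations
import re
from typing import Iterable

WINDOWS_RE = re.compile(r"Windows NT")
# Genuine Safari carries "Version/x.y ... Safari/" and no Chromium-family token.
SAFARI_RE = re.compile(r"Version/[\d.]+ .*Safari/")
NOT_SAFARI_RE = re.compile(r"Chrome/|Chromium/|Edg/|OPR/")
# Methods an AiTM reverse proxy can relay; a FIDO2 passkey is origin-bound and is not.
PHISHABLE_METHODS = {"password", "sms", "voice", "authenticator_push", "totp"}


def is_safari_on_windows(ua: str) -> bool:
    """Safari for Windows has been discontinued for years, so a Safari UA that
    claims Windows is a spoofing signal rather than a real client."""
    return bool(WINDOWS_RE.search(ua) and SAFARI_RE.search(ua)
                and not NOT_SAFARI_RE.search(ua))


def flag_downgrades(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (event_id, reason) for events showing either downgrade signal."""
    findings = []
    for ev in events:
        reasons = []
        if is_safari_on_windows(ev["user_agent"]):
            reasons.append("implausible user agent: Safari on Windows")
        if "fido2" in ev["registered_methods"] and ev["auth_method"] in PHISHABLE_METHODS:
            reasons.append(f"passkey holder signed in with {ev['auth_method']}")
        if reasons:
            findings.append((ev["id"], "; ".join(reasons)))
    return findings


# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "user": "alice", "registered_methods": ["fido2", "authenticator_push"],
     "auth_method": "fido2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"},
    {"id": "evt-2", "user": "alice", "registered_methods": ["fido2", "authenticator_push"],
     "auth_method": "authenticator_push",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"},
    {"id": "evt-3", "user": "bob", "registered_methods": ["password", "sms"],
     "auth_method": "sms",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"},
]

if __name__ == "__main__":
    for event_id, reason in flag_downgrades(SAMPLE_EVENTS):
        print(event_id, reason)
```

Only evt-2 is flagged: a user with a registered passkey authenticating by push from a browser that cannot exist, which is exactly the footprint the downgrade phishlet leaves.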

Why It’s Dangerous

This method bypasses even the strongest FIDO security by targeting the human factor rather than the cryptographic protocol itself. By manipulating user behavior, attackers can sidestep robust authentication measures and gain complete access to accounts.