
The FIDO standard is generally considered secure and user-friendly. It is used for passwordless authentication and is regarded as an effective defence against phishing attempts. However, researchers at Proofpoint have now discovered a new way to bypass FIDO-based authentication. For this purpose, the experts developed a downgrade attack technique, which they tested using Microsoft Entra ID as an example.
FIDO authentication: how the downgrade attack works
Phishing attempts usually fail against accounts secured with FIDO passkeys. According to Proofpoint, however, some FIDO implementations are susceptible to downgrade attacks. In this form of attack, users are tricked into using a less secure authentication method.
The starting point for the researchers was the fact that not all web browsers support FIDO passkeys; Safari on Windows, for example, does not. According to Proofpoint, attackers can exploit this functionality gap. A statement reads: "A cybercriminal can adapt an adversary-in-the-middle (AiTM) attack to spoof an unsupported user agent that is not recognised by the FIDO implementation. The user is then forced to authenticate using a less secure method."
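The defender-side signal that follows from the description above is a sign-in by an account that has a passkey registered but that completed authentication with a weaker method, particularly from a user agent that cannot do passkeys at all (the article names Safari on Windows). The following is an added example, not code from the article or from Proofpoint; the sign-in record layout, field names and sample events are constructed for illustration and do not match any vendor's real log schema, and the user-agent check is a simple heuristic, not a complete browser-detection library.

```python
"""
Heuristic detection of a FIDO downgrade in sign-in logs (added example).

Flags sign-ins where the account has a phishing-resistant method (passkey)
registered but the session was authenticated with something weaker, and
notes when the reported user agent is one that lacks passkey support.
All field names and sample data below are constructed, not a real schema.
"""

# Assumption: only FIDO2/passkey sign-ins count as phishing-resistant here.
PHISHING_RESISTANT = {"fido2"}


def is_unsupported_passkey_agent(user_agent: str) -> bool:
    """True for a user agent that claims Safari on Windows.

    Chromium-based browsers (Chrome, Edge) also carry a 'Safari' token, so a
    genuine Safari string is one with 'Safari' but no 'Chrome'/'Chromium'.
    """
    looks_like_safari = (
        "Safari" in user_agent
        and "Chrome" not in user_agent
        and "Chromium" not in user_agent
    )
    return looks_like_safari and "Windows" in user_agent


def flag_downgrades(events, registered_methods):
    """Return (timestamp, user, reason) tuples worth investigating.

    events: list of dicts with keys ts, user, auth_method, user_agent.
    registered_methods: dict mapping user -> set of registered methods.
    """
    findings = []
    for ev in events:
        user = ev["user"]
        registered = registered_methods.get(user, set())
        if not (PHISHING_RESISTANT & registered):
            continue  # no passkey on the account; a weaker method is expected
        if ev["auth_method"] in PHISHING_RESISTANT:
            continue  # the passkey was actually used; nothing to flag
        reason = f"passkey registered but signed in with {ev['auth_method']}"
        if is_unsupported_passkey_agent(ev["user_agent"]):
            reason += "; user agent claims Safari on Windows (no passkey support)"
        findings.append((ev["ts"], user, reason))
    return findings


# Constructed sample data: alice has a passkey, bob does not.
REGISTERED = {
    "alice@example.test": {"fido2", "password", "sms"},
    "bob@example.test": {"password", "sms"},
}

EVENTS = [
    {
        "ts": "2025-08-01T09:00:00Z",
        "user": "alice@example.test",
        "auth_method": "fido2",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                      "AppleWebKit/537.36 Chrome/127.0 Safari/537.36",
    },
    {
        # Same account minutes later, weaker method, Safari-on-Windows agent.
        "ts": "2025-08-01T09:12:00Z",
        "user": "alice@example.test",
        "auth_method": "password+sms",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                      "AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15",
    },
    {
        # bob has no passkey, so a password+sms sign-in is his normal state.
        "ts": "2025-08-01T09:30:00Z",
        "user": "bob@example.test",
        "auth_method": "password+sms",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                      "AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15",
    },
]


if __name__ == "__main__":
    for ts, user, reason in flag_downgrades(EVENTS, REGISTERED):
        print(f"{ts} {user}: {reason}")
```

Run against the constructed events, only alice's second sign-in is reported. In a real deployment the user-agent test is the weaker half of the signal: the point of the attack is that the attacker controls that string, so the durable check is "passkey registered, passkey not used", with the agent string serving as supporting context rather than the trigger.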

