Phishers have found a way to downgrade—not bypass—FIDO MFA
Summary
A recently reported phishing attack bypassed the FIDO (Fast Identity Online) multi-factor authentication scheme.
FIDO is an industry standard that is widely adopted by companies and websites, and is generally considered immune to phishing attacks.
The attack works by tricking a user into entering their username and password, and then using a cross-device sign-in to authenticate.
If the user does not have a FIDO-enabled device, they are prompted to scan a QR code with their phone, which then performs the FIDO authentication.
However, this follow-on authentication is not actually FIDO-compliant; it falls back to a weaker, non-FIDO process that has been present on the device since before the standard was implemented.
While not a true bypass of FIDO protections, the attack does downgrade the MFA process to this weaker scheme.
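One relying-party mitigation that follows from the downgrade described above is to never offer the cross-device (QR-code) path at all, and to deny sign-in rather than fall back to a weaker factor when no phishing-resistant credential is available. The following is an added example, not code from the article or from any FIDO implementation; the WebAuthn transport names ("usb", "nfc", "ble", "smart-card", "hybrid", "internal") are from the WebAuthn specification, while the credential records and helper names are constructed for illustration.

```python
"""Relying-party policy helpers that refuse the FIDO cross-device (hybrid) flow.

Added example. The transport names come from the WebAuthn spec; the
credential records, function names and policy itself are assumptions.
"""
from typing import Iterable

# "hybrid" is the WebAuthn transport hint for the QR-code / cross-device flow.
HYBRID = "hybrid"
ALLOWED_TRANSPORTS = {"usb", "nfc", "ble", "smart-card", "internal"}


def registration_is_allowed(transports: Iterable[str]) -> bool:
    """Accept a new credential only if it never advertises the hybrid transport.

    Unknown or empty transport sets fail closed, because a credential whose
    reachability cannot be established could still be driven cross-device.
    """
    transports = set(transports)
    if not transports:
        return False
    return HYBRID not in transports and transports <= ALLOWED_TRANSPORTS


def assertion_options(challenge: bytes, credentials: list[dict]) -> dict:
    """Build PublicKeyCredentialRequestOptions that never offer hybrid.

    Credentials that would need the cross-device flow are left out. If nothing
    remains, the caller must deny the sign-in; falling back to password-only or
    another weaker method is exactly the downgrade the article describes.
    """
    allow = [
        {
            "type": "public-key",
            "id": c["id"],
            "transports": sorted(set(c["transports"]) & ALLOWED_TRANSPORTS),
        }
        for c in credentials
        if registration_is_allowed(c["transports"])
    ]
    if not allow:
        raise PermissionError("no phishing-resistant credential; deny, do not downgrade")
    return {
        "challenge": challenge,
        "userVerification": "required",
        "allowCredentials": allow,
    }
```

The `PermissionError` is the point: a missing strong credential must end the login, not reroute it through a weaker scheme.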