Phishers have found a way to downgrade—not bypass—FIDO MFA

18 July 2025

Upgrade to Custom Cursor Pro for exclusive features!
Phishers have found a way to downgrade—not bypass—FIDO MFA

Contrary to recent reports, phishing sleight-of-hand doesn’t defeat FIDO.

Researchers recently reported encountering a phishing attack in the wild that bypasses a multifactor authentication scheme based on FIDO (Fast Identity Online), the industry-wide standard being adopted by thousands of sites and enterprises.

If true, the attack, reported in a blog post Thursday by security firm Expel, would be huge news, since FIDO is widely regarded as being immune to credential phishing attacks. After analyzing the Expel write-up, I’m confident that the attack doesn’t bypass FIDO protections, at least not in the sense that the word “bypass” is commonly used in security circles. Rather, the attack downgrades the MFA process to a weaker, non-FIDO-based process. As such, the attack is better described as a FIDO downgrade attack. More about that shortly. For now, let’s describe what Expel researchers reported.

Abusing cross-device sign-ins

Expel said the “novel attack technique” begins with an email that links to a fake login page from Okta, a widely used authentication provider. It prompts visitors to enter their valid user name and password. People who take the bait have now helped the attack group, which Expel said is named PoisonSeed, clear the first big hurdle in gaining unauthorized access to the Okta account.

The FIDO spec was designed to mitigate precisely these sorts of scenarios by requiring users to provide an additional factor of authentication in the form of a security key, which can be a passkey, or physical security key such as a smartphone or dedicated device such as a Yubikey. For this additional step, the passkey must use a unique cryptographic key embedded into the device to sign a challenge that the site (Okta, in this case) sends to the browser logging in.

One of the ways a user can provide this additional factor is by using a cross-device sign-in feature. In the event there is no passkey on the device being used to log in, a user can use a passkey for that site that’s already resident on a different device, which in most cases will be a phone. In these cases, the site being logged into will display a QR code. The user then scans the QR code with the phone, and the normal FIDO MFA process proceeds as normal.

Discover our latest cursor collections and enhance your browsing today!

Related Posts

You might also enjoy these articles on similar topics:

The fight against labeling long-term streaming rentals as “purchases” you “buy”

The fight against labeling long-term streaming rentals as “purchases” you “buy”

Read More
With new in-house models, Microsoft lays the groundwork for independence from OpenAI

With new in-house models, Microsoft lays the groundwork for independence from OpenAI

Read More
Windows 11 25H2 update hits its last stop before release to the general public

Windows 11 25H2 update hits its last stop before release to the general public

Read More
Battlefield 6dev apologizes for requiring Secure Boot to power anti-cheat tools

Battlefield 6dev apologizes for requiring Secure Boot to power anti-cheat tools

Read More
Advertisement: Try Custom Cursor Pro now!

Our Products

Money Rain - Visual Currency Extension

Money Rain - Visual Currency Extension

Capture attention with Money Rain - a Chrome extension that showers your screen in dynamic money graphics, perfect for viral sharing and brand visibility.

View Product
Cursor Helper - Custom Cursors

Cursor Helper - Custom Cursors

Maximize productivity with Cursor Helper: a refined extension that not only customizes your pointer’s look but streamlines your daily workflow with intuitive options.

View Product
Custom Cursor App - Custom Cursor

Custom Cursor App - Custom Cursor

Discover a versatile cursor toolkit - Custom Cursor App delivers an expansive library of high-resolution pointers that blend flawless aesthetics with lightning-fast performance.

View Product
Cursor Space for Google Chrome

Cursor Space for Google Chrome

Transform your browser into a cosmic playground - Cursor Space introduces galaxy-inspired pointers that add immersive flair without sacrificing speed or usability.

View Product
Cursor Trails - Custom Cursor Trails

Cursor Trails - Custom Cursor Trails

Enrich each click with graceful motion - Cursor Trails offers a refined collection of animated effects to elevate both style and usability.

View Product
Custom Cursor Trail - Custom Cursor Helper

Custom Cursor Trail - Custom Cursor Helper

Leave a lasting impression - Cursor Trail paints your path in luminous strokes, marrying dynamic motion with elegant design for every movement.

View Product
Custom Cursor - Mouse Cursor

Custom Cursor - Mouse Cursor

Rediscover the classic pointer - Mouse Cursor redefines simplicity with a selection of minimalist, high-contrast cursors optimized for every task.

View Product
PiggyBank Money Clicker - Idle Cash Game

PiggyBank Money Clicker - Idle Cash Game

Boost engagement with PiggyBank Money Clicker - a browser idle game where every click yields virtual cash, driving session length and repeat visits.

View Product
Pawsome Browser Kitties - Cursor Animation

Pawsome Browser Kitties - Cursor Animation

Increase dwell time with Pawsome Kitties - animated kitten avatars that follow your pointer, enhancing site stickiness and user delight.

View Product
BridgeMaster - Stick Hero Arcade Game

BridgeMaster - Stick Hero Arcade Game

Extend session lengths with BridgeMaster - a physics-driven arcade game where precision and timing unlock new levels of user engagement.

View Product
Custom Cursor - Texture Cursors

Custom Cursor - Texture Cursors

Experience tactile depth in the digital realm - Texture Cursors offers a curated set of lifelike pointer textures, elevating both clarity and creativity.

View Product
Catch the Cat - Reflex Challenge

Catch the Cat - Reflex Challenge

Drive repeat sessions with Catch the Cat - a fast-paced browser game that tests reflexes and strategic thinking in bite-sized play periods.

View Product
Custom Cursor Changer

Custom Cursor Changer

Inject personality into your pointer - Custom Cursor Changer lets you switch between dozens of vibrant designs in a single click, boosting engagement and fun.

View Product
Cookie Clicker - Idle Browser Simulation

Cookie Clicker - Idle Browser Simulation

Engage millions in addictive baking fun - Cookie Clicker ramps up user retention with layered upgrades and strategic progression in an idle format.

View Product
Minesweeper for Chrome - Logic Puzzle

Minesweeper for Chrome - Logic Puzzle

Revitalize a classic with Minesweeper for Chrome - an engaging logic puzzle that enhances site interaction and encourages multiple playthroughs.

View Product
Custom Cursor Pro - Custom Cursor

Custom Cursor Pro - Custom Cursor

Elevate your Chrome experience with Custom Cursor Pro: a premium suite of handcrafted cursors engineered for performance, style, and seamless integration.

View Product
Custom Cursor Trail - Interactive Effects

Custom Cursor Trail - Interactive Effects

Stand out with Custom Cursor Trail - a Chrome extension that traces your pointer in vivid effects to captivate visitors and boost brand recall.

View Product
Cursor Cat - Animated Pointer Companion

Cursor Cat - Animated Pointer Companion

Delight users with Cursor Cat - a playful Chrome extension that adds a charming feline sidekick to every cursor move, boosting UX and shareability.

View Product