Phishers have found a way to downgrade, not bypass, FIDO MFA
Briefly

Research has revealed a phishing attack that exploits cross-device sign-ins, circumventing FIDO-based multifactor authentication (MFA) by downgrading it to a non-FIDO process. The attack begins with an email linking to a fake Okta login page that requests valid credentials from users. Once users provide their username and password, attackers can access the account. FIDO technology requires a security key for user identity verification, which safeguards against such phishing scenarios, although cross-device sign-in may allow for unauthorized access if not managed properly.
The phishing attack bypasses a multifactor authentication scheme based on FIDO, the standard considered immune to credential phishing attacks, leading to unauthorized access.
This novel attack technique starts with an email linking to a fake Okta login page, prompting visitors to enter their valid username and password.
The FIDO specs require an additional authentication factor that provides this security by using a cryptographic key to sign challenges the site sends to the browser.
A user may authenticate with a cross-device sign-in feature, which allows access even when the passkey is not stored on the device being used.
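The sentence above is the reason the attack has to downgrade rather than forge a FIDO login: the authenticator signs the challenge together with the origin the browser reports, so an assertion produced on a look-alike page fails the real site's checks. The Go sketch below is an added illustration, not code from the Ars Technica report or from any vendor; it assumes a hypothetical relying party at example.okta.com, a constructed challenge, and the helper names signedMessage, verifyAssertion and signInFrom, which are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Hypothetical relying party (assumption): the real site the passkey was registered for.
const rpID, rpOrigin = "example.okta.com", "https://example.okta.com"
// signedMessage is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// verifyAssertion runs the relying-party checks: issued challenge, real origin, SHA-256(rpID) in authData, valid signature.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, cdJSON, authData, sig []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return fmt.Errorf("client data or challenge mismatch")
	}
	if cd["origin"] != rpOrigin {
		return fmt.Errorf("origin %q is not %q", cd["origin"], rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}
// signInFrom plays browser and authenticator for a login on the page at origin; the signed client data carries that origin.
func signInFrom(origin string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "constructed-challenge-0001" // constructed; real sites issue fresh random bytes per login
	cdJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signature counter
	sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cdJSON))
	return verifyAssertion(&key.PublicKey, challenge, cdJSON, authData, sig)
}
func main() {
	fmt.Println("real site:", signInFrom(rpOrigin))
	fmt.Println("look-alike:", signInFrom("https://example-okta-login.invalid"))
}
```

The look-alike attempt is rejected at the origin check, which is exactly the barrier the reported campaign routes around by steering the victim onto a non-FIDO cross-device path instead.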
Read at Ars Technica