Passkeys and FIDO authentication are designed to resist phishing. Researchers have now described a loophole that can undermine even strong passkey authentication: attackers can use a targeted downgrade technique to push users from their passkey to a less secure fallback login method. The risk grows as FIDO adoption spreads across organizations.
Proofpoint uncovers downgrade gap in FIDO
Cybersecurity experts from Proofpoint have identified a method to sidestep FIDO authentication rather than break it. “FIDO” stands for “Fast Identity Online”, a set of standards for secure, user-friendly logins, best known today through passkeys. FIDO normally provides reliable protection against phishing and account takeover, but a downgrade attack can weaken certain implementations, especially Windows Hello for Business.
Why the attack works
Most phishing kits (Evilginx calls its per-target configurations “phishlets”) are built for traditional credentials and typically fail when confronted with FIDO authentication: the passkey's response is bound to the origin of the legitimate site, so a signature collected on a look-alike domain is useless to the attacker. However, with certain identity platforms such as Microsoft Entra ID, an attacker can steer the login flow to a less secure method instead.
The key weakness lies in browser compatibility: Entra ID does not offer FIDO2 sign-in to some browser and operating system combinations, Safari on Windows among them. In an adversary-in-the-middle (AitM) attack, the attacker's proxy can present such a browser environment to the identity provider, which then reports that the browser does not support FIDO and offers the user an alternative login method. The passkey itself is never defeated; the user is simply never given the chance to use it.
How a FIDO downgrade attack works
The Proofpoint experts developed a customized phishlet for the Evilginx attack framework. The prerequisite is that the target account has an additional login option available alongside FIDO, usually kept for account recovery. The attack unfolds in four stages:
- Contact: The victim receives a malicious link via email, SMS, or an OAuth request.
- Downgrade: The proxied login page shows an error that FIDO is not supported in this browser and prompts the user to choose an alternative authentication method.
- Data theft: The password and the MFA response (for example a one-time code or push approval) pass through the fake authentication page and are relayed to the real identity provider.
- Account takeover: The session cookie issued after the relayed login is captured, granting the attacker access without further authentication challenges.
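The downgrade leaves two traces a defender can look for in identity-provider sign-in logs: a User-Agent claiming Safari on Windows (the combination Entra ID will not offer FIDO2 to, and one no current browser legitimately produces), and a successful sign-in with a password or one-time code by a user who holds a registered FIDO2 credential. The following detection logic is an added example written for this article, not code from Proofpoint or Microsoft. The record layout is a simplified, hypothetical approximation of Entra ID sign-in log fields, the FIDO enrolment inventory is assumed, and the sample records are constructed.

```python
"""Flag FIDO-downgrade candidates in Entra-ID-style sign-in records.

Added example for this article, not vendor code. Field names are a
hypothetical simplification of Entra ID sign-in log fields.
"""
import re

# Constructed sample records (not real log data).
SAMPLE_LOGS = [
    {   # Normal passkey sign-in from Chrome on Windows: not suspicious.
        "id": "s1", "user": "alice@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
        "authenticationMethods": ["FIDO2 security key"], "result": "success",
    },
    {   # Safari-on-Windows UA as an AitM proxy might present it, and a
        # FIDO-enrolled user signing in with password plus push approval.
        "id": "s2", "user": "alice@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
        "authenticationMethods": ["Password", "Mobile app notification"], "result": "success",
    },
    {   # Real Safari on macOS, but a FIDO-enrolled user fell back to OTP.
        "id": "s3", "user": "bob@example.com",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
        "authenticationMethods": ["Password", "OTP"], "result": "success",
    },
    {   # Safari-on-Windows UA from a user with no FIDO credential.
        "id": "s4", "user": "carol@example.com",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
        "authenticationMethods": ["Password", "OTP"], "result": "success",
    },
]

# Assumed inventory of users holding a registered FIDO2 credential.
FIDO_ENROLLED = {"alice@example.com", "bob@example.com"}

# Substrings identifying FIDO-based methods in the (hypothetical) method field.
FIDO_METHODS = ("fido2", "passkey", "windows hello for business")


def is_safari_on_windows(user_agent: str) -> bool:
    """True for a UA that claims real Safari running on Windows.

    Chromium-based browsers also end in 'Safari/537.36', so a Chrome, Edge
    or Opera marker rules the string out; genuine Safari announces
    'Version/x.y ... Safari/' without any of them.
    """
    if "Windows NT" not in user_agent:
        return False
    if re.search(r"\b(Chrome|Chromium|Edg|OPR)/", user_agent):
        return False
    return bool(re.search(r"Version/\d+(\.\d+)*\s.*Safari/", user_agent))


def used_fido(methods) -> bool:
    return any(any(f in m.lower() for f in FIDO_METHODS) for m in methods)


def find_downgrade_candidates(records, fido_enrolled):
    """Return one finding per successful sign-in that matches either trace.

    Both traces together ('high') are the downgrade pattern described in the
    article; either one alone ('medium') deserves a look but may be benign.
    """
    findings = []
    for rec in records:
        if rec.get("result") != "success":
            continue
        reasons = []
        if is_safari_on_windows(rec.get("userAgent", "")):
            reasons.append("safari_on_windows_user_agent")
        if rec["user"] in fido_enrolled and not used_fido(rec.get("authenticationMethods", [])):
            reasons.append("fallback_method_for_fido_enrolled_user")
        if reasons:
            findings.append({
                "id": rec["id"], "user": rec["user"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_downgrade_candidates(SAMPLE_LOGS, FIDO_ENROLLED):
        print(f["severity"].upper(), f["id"], f["user"], ", ".join(f["reasons"]))
```

Run against the constructed records, only the passkey sign-in from Chrome passes clean; the Safari-on-Windows sign-in by a FIDO-enrolled user is rated high, and the two single-trace records medium. In a real deployment the enrolment set would come from the identity provider's registered-methods data, and the medium findings would be tuned against the population of users who legitimately still use fallback methods.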
No active exploitation yet, but potentially dangerous
According to Proofpoint, there is currently no evidence that cybercriminals are using this method in the wild. Nevertheless, security experts consider it an emerging threat, particularly for organizations that rely on supposedly “phishing-resistant” authentication while still leaving weaker fallback methods enabled on the same accounts.
As passkeys and FIDO authentication gain wider adoption, this technique could soon become part of sophisticated attack chains, eroding the security advantage that FIDO has provided to date.
The full analysis by the Proofpoint experts can be found in the cybersecurity company’s latest blog post.
(vp/Proofpoint)