Published Date: 7/21/2025
FIDO keys, a phishing-resistant multi-factor authentication tool designed to replace traditional passwords, may be vulnerable to social engineering attacks that can circumvent one of its key security protections. Security software company Expel has detected a new type of adversary-in-the-middle (AitM) attack that exploits the 'cross-device sign-in' feature, allowing attackers to downgrade FIDO key authentication.
Expel attributes this attack to the PoisonSeed attack group, known for large-scale phishing campaigns targeting cryptocurrency wallets. The Managed Detection and Response (MDR) provider warns that while no vulnerability has been found in FIDO keys themselves, this attack demonstrates how bad actors can effectively bypass installed FIDO keys.
Expel detected the attack after one of its customers reported an incident. Several employees received phishing emails directing them to a fake Okta sign-in page. One of the targeted employees entered their username and password on the phishing site. When a user attempts to log in from a new device, a login page usually displays a QR code, which can be scanned with an authentication app on the phone to confirm the user's identity. In this case, the fake site requested a cross-device sign-in from the real login page, which generated a legitimate QR code. The fraudulent site then showed this real QR code to the employee, who scanned it with their phone’s authentication app, unknowingly giving the hackers access to their account.
Using a FIDO key typically prevents such attacks, as hackers can steal a username and password but cannot physically touch a security key. However, in this attack, the MFA app used to scan the QR code presented by the hackers acts as the authenticator, effectively neutralizing the protections that a FIDO key grants. This process gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools.
Security experts have provided additional technical clarification related to the attack. FIDO credentials are designed to resist cyber-attacks, including phishing and the reuse of credentials stolen in data breaches. The FIDO specifications were written with adversary-in-the-middle (AitM) techniques in mind, so if the targeted Okta MFA process had followed FIDO requirements, the login would have failed.
First, the device providing the hybrid (cross-device) form of authentication would have to be physically close enough to the attacker's device for the two to connect over Bluetooth. Second, the challenge the hybrid device signs is bound to the domain of the fake site (e.g., okta[.]login-request[.]com) rather than the genuine Okta.com domain. Even if the hybrid device were in close proximity to the attacker's device, the authentication would still fail, since the origins do not match.
Expel has seemingly encountered an attack that downgrades FIDO MFA to a weaker MFA form. This downgrade was likely made possible by a deliberate decision from the person who administered the organization’s Okta login page. To avoid such attacks, admins should carefully consider the risks before allowing their FIDO-protected authentication processes to fall back to other forms.
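The two points above, origin binding of the signed challenge and refusing to fall back to a weaker factor, as an added example that is not code from Expel, Okta or the FIDO Alliance: a minimal WebAuthn-style relying-party verifier and a no-downgrade policy check. The relying-party ID, allowed origins, factor ranking and all keys and data are constructed for the example, and an HMAC "signature" stands in for the ES256/EdDSA public-key signature a real authenticator produces so the block runs with the standard library only; the Bluetooth proximity check is out of scope here.

```python
"""Added example (not Expel's, Okta's or the FIDO Alliance's code).
Shows why an assertion obtained through a phishing page fails relying-party
verification, and a policy that refuses to authenticate a FIDO-enrolled
account with a weaker factor. Names and data are constructed; the HMAC
'signature' stands in for a real public-key signature."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "okta.com"                                               # constructed relying-party ID
ALLOWED_ORIGINS = {"https://okta.com", "https://login.okta.com"}  # constructed origin allow-list

# Authenticator-data flag bits from the WebAuthn specification
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def simulated_authenticator(key: bytes, origin: str, rp_id: str, challenge: bytes):
    """Stand-in for browser + authenticator. The browser, not the server, writes
    `origin` into clientDataJSON and hashes the RP ID it will accept, so a page
    served from a phishing domain can only obtain an assertion naming that domain."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([FLAG_UP | FLAG_UV])              # flags
                 + (0).to_bytes(4, "big"))                 # signature counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for a public-key signature
    return b64url(client_data), auth_data, sig


def verify_assertion(key: bytes, expected_challenge: bytes, client_data_b64: str,
                     auth_data: bytes, signature: bytes):
    """The relying-party checks that matter for the AitM case, in spec order."""
    raw_client_data = b64url_decode(client_data_b64)
    client_data = json.loads(raw_client_data)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')} is not the relying party"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge does not match the one issued"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    to_sign = auth_data + hashlib.sha256(raw_client_data).digest()
    if not hmac.compare_digest(hmac.new(key, to_sign, hashlib.sha256).digest(), signature):
        return False, "signature invalid"
    return True, "ok"


# Constructed strength ranking; the policy refuses anything weaker than the
# strongest factor the account has enrolled, which is the downgrade the text warns about.
FACTOR_STRENGTH = {"fido2": 3, "totp": 2, "push": 2, "sms": 1, "password": 0}


def factor_allowed(enrolled: set, requested: str) -> bool:
    strongest = max(FACTOR_STRENGTH[f] for f in enrolled)
    return FACTOR_STRENGTH[requested] >= strongest


def demo():
    key = secrets.token_bytes(32)          # constructed credential key
    challenge = secrets.token_bytes(32)    # fresh per-login challenge issued by the RP
    genuine = verify_assertion(
        key, challenge, *simulated_authenticator(key, "https://okta.com", "okta.com", challenge))
    # The victim's phone is steered to the phishing page, so the browser stamps that origin.
    phished = verify_assertion(
        key, challenge, *simulated_authenticator(
            key, "https://okta.login-request.com", "okta.login-request.com", challenge))
    return genuine, phished


if __name__ == "__main__":
    print(demo())                                   # (True, 'ok') then an origin rejection
    print(factor_allowed({"fido2", "push"}, "push"))  # False: push is a downgrade
```

The origin check is what makes FIDO phishing-resistant: the attacker can relay the genuine challenge, but the browser on the victim's device records the origin it actually loaded, and the relying party rejects any origin it does not own. The `factor_allowed` function is the administrative side of the same defence; an account that has a FIDO credential enrolled should not be offered push or QR-based factors as a fallback.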
Q: What are FIDO keys and how do they work?
A: FIDO keys are security devices that provide strong multi-factor authentication (MFA) to protect against phishing and other cyber-attacks. They work by generating a unique, one-time code for each login attempt, which is verified by the authentication server.
Q: What is an adversary-in-the-middle (AitM) attack?
A: An AitM attack is a type of cyber-attack where the attacker intercepts and possibly alters the communication between two parties, often to steal sensitive information or bypass security measures.
Q: How can social engineering attacks bypass FIDO key security?
A: Social engineering attacks can bypass FIDO key security by tricking users into using a weaker form of MFA, such as scanning a QR code on a phishing site, which can grant attackers access to the user's account.
Q: What steps can IT administrators take to prevent such attacks?
A: IT administrators should carefully manage authentication processes, avoid allowing FIDO-protected systems to fall back to weaker MFA forms, and educate employees about the risks of phishing and social engineering attacks.
Q: What is the role of Bluetooth in these attacks?
A: Bluetooth can be used in these attacks to facilitate the connection between the user's device and the attacker's device, allowing the attacker to intercept and manipulate the authentication process.