Circumvention or weakening of MFA? Expel initially used the first term… before conceding that the second was more appropriate.
The subject of the debate: an attack technique uncovered by this American cybersecurity firm. Attributed to the PoisonSeed group, it exploits a legitimate feature of the WebAuthn protocol: cross-device FIDO authentication.
Bluetooth proximity, really optional?
The scenario described by Expel begins with a targeted phishing campaign aimed at employees. A link leads to a fake authentication page imitating their company’s portal (Okta).
When a user enters their credentials, they are sent to the “real” back-end, with an additional request: to use cross-device authentication.
This mechanism allows the login to be validated from another device already registered on the authentication portal, typically a mobile phone. The back-end presents a QR code to scan. Here, it is the fake site that receives it… and relays it to the user.
Such a scenario presumes that the targeted company has enabled the cross-device authentication option. Moreover, Expel assumes that Bluetooth proximity between the two devices is optional. Yet the FIDO Alliance does not say the same, and major implementations follow its lead.
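To make the proximity point concrete, here is an added, simplified model (not Expel's code and not a real CTAP implementation) of a cross-device login in which the phone's Bluetooth advertisement is keyed to the QR secret and is only heard by clients at the same physical location; the `require_proximity` flag stands in for whether the client insists on that advertisement, which is exactly the assumption in question. Key derivation, message layout and the location labels are constructed stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ADVERT_KEY_INFO = b"model-eid-key"  # constructed label, not the real CTAP derivation string


@dataclass
class Client:
    """Browser that starts cross-device login and displays the QR code."""
    name: str
    location: str                                  # constructed: where the device physically is
    qr_secret: bytes = field(default_factory=lambda: os.urandom(16))
    heard: list = field(default_factory=list)      # BLE adverts received locally

    def advert_key(self) -> bytes:
        return hashlib.sha256(ADVERT_KEY_INFO + self.qr_secret).digest()

    def complete_login(self, require_proximity: bool) -> bool:
        """Succeeds only if an advert keyed to *this* client's QR secret was heard nearby."""
        if not require_proximity:          # the assumption under debate: relayed QR alone is enough
            return True
        for nonce, tag in self.heard:
            expected = hmac.new(self.advert_key(), nonce, hashlib.sha256).digest()[:8]
            if hmac.compare_digest(expected, tag):
                return True
        return False


@dataclass
class Phone:
    """Registered authenticator: scans a QR code and advertises over BLE."""
    location: str

    def scan(self, qr_secret: bytes, everyone: list) -> None:
        key = hashlib.sha256(ADVERT_KEY_INFO + qr_secret).digest()
        nonce = os.urandom(8)
        advert = (nonce, hmac.new(key, nonce, hashlib.sha256).digest()[:8])
        for c in everyone:                  # BLE range: only same-location clients hear it
            if c.location == self.location:
                c.heard.append(advert)


def simulate(require_proximity: bool) -> dict:
    phone = Phone(location="victim-office")
    legit = Client("victim-laptop", "victim-office")
    relay = Client("relay-browser", "remote")     # shows the portal's QR on the fake page, far away
    phone.scan(legit.qr_secret, [legit, relay])   # normal login: phone scans the laptop's own QR
    phone.scan(relay.qr_secret, [legit, relay])   # phished: phone scans the relayed QR
    return {"legit": legit.complete_login(require_proximity),
            "relay": relay.complete_login(require_proximity)}
```

With proximity enforced, the remote browser never hears an advertisement for its QR secret and the relayed login fails, while the legitimate laptop still succeeds.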