Tag Archives: FIDO Alliance

Update to my July 21 post “PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device.” FIDO’s cross-device authentication is NOT inherently insecure.

From Chris Burt at Biometric Update:

“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.

“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”

Proper implementation and configuration is essential.

(Important July 30 update here.)

(Imagen 4)

The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.

Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:

“Cross device authentication allows a user to sign in with their device using a QR code. 

“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.

“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”

What could go wrong? Well, according to Expel, plenty:

“After entering their username and password on the phishing site, the user was presented with a QR code…. 

“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….

“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.

“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”

Presumably the FIDO Alliance will address this soon.