PoisonSeed outsmarts FIDO keys without touching them

by Wikdaily

“If a user whose account is protected by a FIDO key enters their username and password into the phishing page, their credentials will be stolen, just as any other user,” Expel researchers wrote in a blog post. “But with a FIDO protecting their account, the attackers are unable to physically interact with the second form of authentication.”

PoisonSeed attackers appear to have worked around this with a new trick. Instead of stealing or cloning a FIDO key, they convince the user to scan a QR code, an exact copy of the one shown during a legitimate cross-device sign-in, and the scan completes the attacker's login for them.
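One defender-side way to triage for the pattern described above, as an added example that is not code from the article, from Expel, or from any vendor: it scans constructed sign-in events and flags FIDO completions that went through the cross-device (QR code) flow from a client IP the user has never signed in from before. The log fields and sample values are assumptions.

```python
"""Flag cross-device FIDO sign-ins that fit the PoisonSeed pattern.

Added example, not from the article. Assumes a sign-in log where each event
records the user, the client IP that initiated the WebAuthn challenge, whether
the password step succeeded, and whether the assertion arrived via the
cross-device (QR code) flow. All field names and values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: str            # ISO 8601 timestamp
    user: str
    client_ip: str     # client that initiated the login on the real site
    password_ok: bool  # username/password accepted before the FIDO step
    cross_device: bool  # FIDO step satisfied via QR / cross-device flow


# Constructed sample events. The 2025-07-04 "alice" event mirrors the attack:
# her password is entered from a client she has never used, and the FIDO step
# is satisfied by a QR code scanned on her phone.
EVENTS = [
    SignIn("2025-07-01T09:00:00Z", "alice", "198.51.100.10", True, False),
    SignIn("2025-07-02T09:05:00Z", "alice", "198.51.100.10", True, False),
    SignIn("2025-07-03T08:58:00Z", "alice", "198.51.100.10", True, True),
    SignIn("2025-07-04T13:20:00Z", "alice", "203.0.113.77", True, True),
    SignIn("2025-07-04T10:00:00Z", "bob", "192.0.2.5", True, True),
]


def suspicious_cross_device_logins(events):
    """Return cross-device sign-ins from an IP the user has not used before.

    A legitimate cross-device sign-in normally starts on a machine the user
    already uses; in the PoisonSeed flow it starts on the attacker's machine,
    so the initiating IP is new for that user. Users with no prior history are
    skipped to avoid flagging every first login. This is a triage signal,
    not proof of compromise.
    """
    seen = defaultdict(set)
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        known = seen[ev.user]
        if ev.cross_device and known and ev.client_ip not in known:
            flagged.append(ev)
        if ev.password_ok:
            known.add(ev.client_ip)
    return flagged


if __name__ == "__main__":
    for ev in suspicious_cross_device_logins(EVENTS):
        print(f"{ev.ts} {ev.user} cross-device login from new IP {ev.client_ip}")
```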

“This is a fun attack, and one we all need to instrument for,” said Trey Ford, chief information security officer at Bugcrowd. “Yes, this is doable, and what we need to keep in mind is that every security control, on some level, will have failure modes.”
