Capa Learning

PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse

Cyber Security / By Capa Learning

Jul 21, 2025Ravie LakshmananThreat Intelligence / Authentication



Cybersecurity researchers have uncovered a new attack method that allows threat actors to weaken Fast IDentity Online (FIDO) key protections by tricking users into approving authentication requests from fake company login portals.

FIDO keys resist phishing because each credential is bound to a relying party identifier (the site's domain): the browser only offers a credential when the page's origin matches that identifier, and it writes the origin into the client data that the authenticator signs, so a lookalike domain can neither request nor obtain a valid signature. In this campaign, the attackers exploit a legitimate feature, cross-device sign-in, to have victims unknowingly approve sessions that the attacker has opened on the genuine site.

This activity, identified by Expel in a phishing campaign, has been linked to a threat actor tracked as PoisonSeed, which has previously used compromised credentials for customer relationship management (CRM) tools and bulk email providers to send spam containing cryptocurrency seed phrases.

“The attacker manipulates cross-device sign-in features available with FIDO keys,” explained researchers Ben Nahorney and Brandon Overstreet. “However, in this case, bad actors use this feature in adversary-in-the-middle attacks.”

The technique only works against cross-device flows that omit a proximity check. In standard FIDO hybrid transport, the phone that scanned the QR code broadcasts a Bluetooth Low Energy advertisement that the computer signing in must receive before the session can proceed, so an attacker relaying the QR code from a remote machine cannot complete the flow. Where a hardware security key plugged into the signing-in device is mandated, or a platform authenticator bound to that device (such as Face ID) is used, the attack chain is disrupted.


Cross-device sign-in enables a user to sign in on a device that holds no passkey by using another device, typically a phone, that holds the private key.

The attack scenario documented by Expel starts with a phishing email directing recipients to a fake sign-in page resembling the company's Okta portal. Credentials entered there are covertly forwarded by the fake site to the genuine login page, which makes the phishing infrastructure an adversary-in-the-middle proxy between the victim and Okta.

Acting as that proxy, the phishing site selects cross-device sign-in (hybrid transport) on the legitimate login page. The legitimate page then renders a QR code for a session that the attacker's browser opened, and the proxy relays that QR code to the phishing page, where it is shown to the victim.



If the user scans the QR code with the authenticator app on their mobile device, the phone signs the challenge for the attacker's session rather than the user's own, and the attacker's browser ends up authenticated to the victim's account.

What makes this attack notable is that it gets past the protection FIDO keys are expected to provide. It does not exploit a flaw in any FIDO implementation; it misuses a legitimate feature so that the device-bound login is replaced by a flow the attacker can relay.

FIDO2 is resistant to phishing because the credential only signs for the genuine origin, but its cross-device login flow, known as hybrid transport, can be abused when no proximity verification such as Bluetooth is enforced. In this flow, a user logs in on a desktop by scanning a QR code with a mobile device holding their passkey. The origin check still passes, because the browser that started the session is on the real site; in the attack, that browser belongs to the attacker.
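The following is an added illustration, not code from the page, Expel or Okta. It models the relying party's WebAuthn assertion checks and runs them through three cases: a normal login, classic phishing (the victim's browser on a lookalike domain), and the cross-device relay described above, with and without the proximity check. All names are constructed; the authenticator's ECDSA signature is replaced by an HMAC over the same bytes a real authenticator signs (authenticatorData || SHA-256(clientDataJSON)) so the example runs with the standard library alone.

```python
"""Model of a WebAuthn (FIDO2) relying party's assertion checks, run through
a legitimate login, classic phishing, and the cross-device (hybrid) relay.
Added illustration, not code from the page, Expel or Okta.
Assumptions: names are constructed; the authenticator "signature" is an HMAC
over the bytes a real authenticator signs with ECDSA (authenticatorData ||
SHA-256(clientDataJSON)) so the example runs with the standard library."""
import hashlib
import hmac
import json
import os
import struct

RP_ID = "okta.example.com"                   # constructed relying party ID
RP_ORIGIN = "https://okta.example.com"       # the only origin the RP accepts
PHISH_ORIGIN = "https://okta-example.com"    # constructed lookalike domain


class PhoneAuthenticator:
    """Passkey held on the victim's phone; credentials are keyed by rpId."""

    def __init__(self):
        self.creds = {}      # rpId -> secret (stand-in for the private key)
        self.counter = 0

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]  # the RP stores this as the credential public key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise LookupError("no credential for rpId %r" % rp_id)
        self.counter += 1
        # authenticatorData = rpIdHash(32) || flags (0x01 = user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(self.creds[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(browser_origin, rp_id, challenge, authenticator):
    """What navigator.credentials.get() does: refuse an rpId that is not the
    origin's host or a registrable suffix of it, then bind the origin into
    clientDataJSON before the authenticator signs its hash."""
    host = browser_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError("rpId %r is not valid for origin %r" % (rp_id, browser_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(pubkey, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks from WebAuthn section 7.2: type, challenge, origin,
    rpIdHash, user-presence flag, signature over authData || hash(clientData)."""
    cd = json.loads(client_data)
    expected_sig = hmac.new(pubkey, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return (
        cd.get("type") == "webauthn.get"
        and cd.get("challenge") == expected_challenge
        and cd.get("origin") == RP_ORIGIN
        and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
        and auth_data[32] & 0x01 == 0x01
        and hmac.compare_digest(sig, expected_sig)
    )


def legitimate_login(phone, pubkey):
    challenge = os.urandom(16).hex()
    return rp_verify(pubkey, challenge, *browser_get_assertion(RP_ORIGIN, RP_ID, challenge, phone))


def classic_phish(phone, pubkey):
    """Victim's own browser is on the lookalike page, which asks for the real
    rpId: the browser refuses before the authenticator is ever consulted."""
    challenge = os.urandom(16).hex()
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, phone)
    except PermissionError:
        return "blocked"
    return "compromised"


def hybrid_relay(phone, pubkey, proximity_check_enforced, attacker_near_victim=False):
    """PoisonSeed pattern: the attacker's browser sits on the real origin, starts
    cross-device sign-in and relays the QR code to the victim via the phishing
    page.  clientDataJSON is built by a browser on the genuine origin, so the
    origin check passes.  In standard hybrid transport the phone also emits a
    Bluetooth LE advertisement that the signing-in computer must receive
    before the tunnel opens; a remote attacker cannot hear it."""
    challenge = os.urandom(16).hex()                 # issued by the RP to the attacker's session
    if proximity_check_enforced and not attacker_near_victim:
        return "blocked"                             # BLE advertisement never reaches the attacker's machine
    client_data, auth_data, sig = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, phone)
    return "compromised" if rp_verify(pubkey, challenge, client_data, auth_data, sig) else "blocked"


if __name__ == "__main__":
    phone = PhoneAuthenticator()
    pubkey = phone.register(RP_ID)
    print("legitimate login verified:", legitimate_login(phone, pubkey))
    print("classic phishing:", classic_phish(phone, pubkey))
    print("hybrid relay, proximity enforced:", hybrid_relay(phone, pubkey, True))
    print("hybrid relay, no proximity check:", hybrid_relay(phone, pubkey, False))
```

The point the model makes visible is that every relying-party check passes in the relay case: the attacker never touches the origin binding, because the session and the client data come from a browser that really is on the genuine site. Only the out-of-band proximity requirement of hybrid transport, which the model reduces to a single flag, stands between the relayed QR code and a valid assertion.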


Expel also reported a separate incident in which a threat actor, after compromising an account through a phishing email and resetting the user's password, enrolled their own FIDO key on the account, so that the attacker's key would satisfy the phishing-resistant factor from then on.

To better protect accounts, organizations should combine FIDO2 authentication with device verification checks, and prefer that the passkey and the login live on the same device (a plugged-in security key or a platform authenticator) rather than relying on cross-device sign-in. Security teams should alert on QR-code (hybrid transport) logins from unfamiliar locations or devices and on new passkey enrollments, especially ones that closely follow a password reset, and should make account recovery itself phishing-resistant.
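The two detections just described, as an added example that is not part of the original article or of Expel's tooling, run over constructed log events. The event dictionaries are a flattened stand-in for an identity provider's system log: the eventType strings are modelled on Okta's, and the "transport" field is an assumed enrichment recording whether a WebAuthn assertion arrived over hybrid transport (the QR/cross-device flow). The windows are assumptions to tune per tenant.

```python
"""Detections for (a) a passkey enrolled shortly after a password reset and
(b) a hybrid-transport (QR) passkey login from an address never seen for the
user.  Added example, not the page's or Expel's code.  Assumptions: events
are a flattened stand-in for an IdP system log, eventType strings modelled
on Okta's; "transport" is an assumed enrichment field."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # bob: a month of ordinary logins from the office address
    {"published": "2025-06-10T08:01:00Z", "eventType": "user.session.start", "user": "bob", "ip": "198.51.100.4"},
    {"published": "2025-06-24T08:03:00Z", "eventType": "user.session.start", "user": "bob", "ip": "198.51.100.4"},
    # carol: a QR/cross-device passkey login from an address she has used before
    {"published": "2025-07-01T09:00:00Z", "eventType": "user.session.start", "user": "carol", "ip": "192.0.2.10"},
    {"published": "2025-07-09T09:05:00Z", "eventType": "user.authentication.auth_via_mfa", "user": "carol",
     "factor": "webauthn", "transport": "hybrid", "ip": "192.0.2.10"},
    # alice: password reset followed 13 minutes later by a new passkey (second Expel incident)
    {"published": "2025-07-10T13:02:11Z", "eventType": "user.account.reset_password", "user": "alice", "ip": "203.0.113.7"},
    {"published": "2025-07-10T13:15:40Z", "eventType": "user.mfa.factor.activate", "user": "alice",
     "factor": "webauthn", "ip": "203.0.113.7"},
    # bob: a hybrid-transport passkey login from an address never seen for him (relayed QR pattern)
    {"published": "2025-07-11T10:22:05Z", "eventType": "user.authentication.auth_via_mfa", "user": "bob",
     "factor": "webauthn", "transport": "hybrid", "ip": "203.0.113.77"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, enroll_window=timedelta(hours=24)):
    """Return alerts for a WebAuthn factor enrolled within enroll_window of a
    password reset, and for a hybrid/QR passkey login from an IP with no prior
    successful session for that user.  The IP baseline is built from the
    stream itself, so feed it a history window, not just the last hour."""
    alerts = []
    last_reset = {}
    known_ips = defaultdict(set)
    for e in sorted(events, key=lambda x: x["published"]):
        t, user, et = _ts(e["published"]), e["user"], e["eventType"]
        if et == "user.account.reset_password":
            last_reset[user] = t
        elif et == "user.mfa.factor.activate" and e.get("factor") == "webauthn":
            reset_at = last_reset.get(user)
            if reset_at is not None and t - reset_at <= enroll_window:
                alerts.append({"rule": "passkey_enrolled_after_reset", "user": user,
                               "minutes_after_reset": int((t - reset_at).total_seconds() // 60)})
        elif et == "user.authentication.auth_via_mfa" and e.get("factor") == "webauthn":
            if e.get("transport") == "hybrid" and e["ip"] not in known_ips[user]:
                alerts.append({"rule": "hybrid_auth_from_new_ip", "user": user, "ip": e["ip"]})
        elif et == "user.session.start":
            known_ips[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Carol's QR login produces nothing because the address already has successful sessions for her; the two alerts are alice's enrollment 13 minutes after a reset and bob's hybrid-transport login from an address with no baseline. In production the baseline should come from weeks of history rather than the same batch, and the enrollment rule is worth pairing with whatever event the IdP emits when the reset itself was initiated through a recovery flow.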

The findings emphasize the importance of implementing phishing-resistant authentication throughout the account lifecycle, including during recovery phases, as using a vulnerable authentication method can compromise the entire identity infrastructure.

(This article was revised post-publication to clarify that the technique does not bypass FIDO protections; it downgrades authentication to a method that is susceptible to phishing.)
