🔐 Overview
Despite the growing adoption of phishing‑resistant authentication methods such as FIDO2 passkeys (WebAuthn), Windows Hello, and hardware security keys, attackers continue to take over accounts protected by them. They rarely attack the cryptography itself; instead they use more sophisticated phishing techniques that route the victim around the strong method entirely.
🧪 Attack Techniques Used
1. Downgrade Attacks
- Attackers use modern attacker‑in‑the‑middle (AiTM) phishing kits (e.g. Evilginx) that reverse‑proxy the real login page from a lookalike domain and relay credentials and session cookies to the legitimate site in real time.
- A passkey cannot be exercised from the proxy's domain, so the kit rewrites the MFA prompt to hide the passkey option and steers the user toward a fallback method such as an SMS OTP or an authenticator‑app code, which the proxy can relay.
- The account's phishing‑resistant credential is never used, so its protection never applies: the attacker completes the weaker second factor and captures the resulting session.
2. Device‑Code Phishing
- The OAuth 2.0 device authorization grant (“device code flow”) exists for input‑constrained devices such as smart TVs and command‑line tools: the device displays a short code and the user completes sign‑in on another device.
- The attacker starts the flow on their own machine, obtains a fresh code, and persuades the victim through a phishing message to enter it on the provider's genuine verification page. The victim authenticates on the real site, often with a passkey, and the provider issues access and refresh tokens to the attacker's device.
- Origin‑bound credentials do not help here: the user really did sign in at the legitimate domain. What was phished is the authorization of the attacker's device, not a credential.
3. Consent Phishing (OAuth Abuse)
- Although not detailed in BleepingComputer’s own article, security researchers also point to abuse of OAuth consent flows in SaaS platforms.
- A malicious application asks the user to grant it broad delegated permissions (mailbox, files, directory access). Once consent is granted the app holds its own access and refresh tokens, so MFA is never challenged again and access persists through password resets or a later move to stronger MFA, until the consent itself is revoked.
⚖️ Why These Methods Still Work
- Phishing‑resistant methods bind the credential cryptographically to the relying party: a WebAuthn assertion is scoped to an RP ID and records the page origin that requested it, so a proxy serving the page from a lookalike domain cannot obtain a usable signature. This defeats direct credential theft and replay.
- Most accounts nevertheless keep legacy fallbacks (SMS, TOTP, recovery codes) enabled, and the device code flow lets a user authenticate on the genuine site on someone else's behalf. Attackers exploit these paths, so a strong method being registered is moot if a weaker path remains acceptable to the identity provider.
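The origin binding described above, as the relying party sees it, in an added example (this is not code from the article; the RP ID, origins, and challenge are constructed values). A WebAuthn response carries a `clientDataJSON` in which the browser records the origin that requested the assertion, and the `authenticatorData` begins with SHA‑256 of the RP ID. In practice a browser refuses to produce an assertion at all when the page origin is outside the RP ID's scope, so an Evilginx‑style proxy never gets this far; the server‑side check below is the same binding enforced once more. It also shows why the other two techniques survive it: a downgrade never reaches this code path, and a device‑code victim signs in from the genuine origin, so the check passes.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Iterable

# Assumed relying party identity for this example (not from the article).
RP_ID = "example.com"
ALLOWED_ORIGINS = frozenset({"https://login.example.com"})

# Fixed challenge so the example is deterministic; a real RP generates a fresh
# random challenge per ceremony and keeps it server-side until verification.
CHALLENGE = bytes(range(32))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       allowed_origins: Iterable[str]) -> tuple[bool, str]:
    """RP-side type / challenge / origin checks on clientDataJSON, as in the
    WebAuthn assertion verification procedure (spec section 7.2)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected type {client_data.get('type')!r}"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    origin = client_data.get("origin")
    if origin not in set(allowed_origins):
        # This is the line an AiTM proxy on a lookalike domain cannot get past.
        return False, f"origin {origin!r} is not a registered RP origin"
    return True, "ok"


def rp_id_hash_matches(authenticator_data: bytes, rp_id: str) -> bool:
    """The first 32 bytes of authenticatorData must equal SHA-256(rpId)."""
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False
    expected = hashlib.sha256(rp_id.encode("ascii")).digest()
    return hmac.compare_digest(authenticator_data[:32], expected)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructs the clientDataJSON a browser would emit for a page at `origin`."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructs minimal authenticatorData: rpIdHash, flags UP|UV, counter=1."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([0x05]) + (1).to_bytes(4, "big"))


def demo() -> dict:
    legit = make_client_data("https://login.example.com", CHALLENGE)
    # Constructed lookalike domain an AiTM proxy might serve the page from.
    phished = make_client_data("https://login.example-secure.com", CHALLENGE)
    return {
        "legit": verify_client_data(legit, CHALLENGE, ALLOWED_ORIGINS),
        "phished": verify_client_data(phished, CHALLENGE, ALLOWED_ORIGINS),
        "rp_id_ok": rp_id_hash_matches(make_authenticator_data(RP_ID), RP_ID),
        "rp_id_wrong": rp_id_hash_matches(make_authenticator_data("example-secure.com"), RP_ID),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature check over `authenticatorData || SHA-256(clientDataJSON)` is omitted here; it is what makes the recorded origin tamper‑evident, since altering the origin field changes the hash the authenticator signed.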
✅ Mitigation Strategies
- Eliminate or minimize fallback options such as SMS OTPs, TOTP codes, and recovery codes wherever possible, and enforce phishing‑resistant methods through identity‑provider policy (authentication‑strength or Conditional Access rules) so that the server, not the user's choice in a phished prompt, decides which factor is acceptable. Restrict the device code flow to the clients and users that genuinely need it and block it everywhere else.
- Implement device‑bound session controls, such as Google’s Device Bound Session Credentials (DBSC), which tie a session to a private key held on the device (TPM‑backed where available) so that a stolen cookie cannot be refreshed from the attacker's machine.
- Strengthen OAuth governance: require admin consent for high‑privilege scopes, audit existing grants regularly, and revoke suspicious or unnecessary third‑party applications rather than only resetting the user's password, which leaves the granted tokens intact.
- Prefer FIDO2 security keys or platform authenticators that require user presence (a touch) or user verification (PIN or biometric). Cross‑device passkey sign‑in, where a phone scans a QR code shown on the signing‑in device, relies on a Bluetooth proximity check so that a QR code relayed to a remote victim cannot complete the ceremony; keep cross‑device sign‑in on that standard path and layer geolocation or device‑compliance conditions on top.
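Detection logic for the three attack paths, as an added example for a SOC team (this is not code from the article; the log schema, the method names, the application identifiers, and the allowlists are all constructed for illustration and do not follow any vendor's sign‑in log format). The downgrade rule fires when an account with a phishing‑resistant method registered nonetheless satisfies MFA with a weaker one, which policy should make impossible; the device‑code rule fires on successful device‑code sign‑ins from non‑allowlisted clients, since the passkey itself gives no signal there; the consent rule fires on risky delegated scopes granted to unapproved apps.

```python
from __future__ import annotations

import json

# Constructed directory view of registered MFA methods per account.
REGISTERED_METHODS = {
    "alice@example.com": {"passkey", "sms_otp"},
    "bob@example.com": {"totp"},
    "carol@example.com": {"security_key"},
}
PHISHING_RESISTANT = {"passkey", "security_key", "windows_hello"}

# Assumed policy inputs: clients allowed to use the device code flow,
# applications pre-approved for broad consent, and scopes treated as risky.
DEVICE_CODE_ALLOWED_APPS = {"conference-room-display"}
TRUSTED_APP_IDS = {"app-corp-approved-0001"}
RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All",
                "Directory.ReadWrite.All", "offline_access"}

# Constructed sign-in and consent events in a generic JSON-lines schema;
# the field names are this example's own.
SAMPLE_LOGS = """\
{"event": "sign_in", "user": "alice@example.com", "result": "success", "flow": "interactive", "mfa_method": "passkey", "client_app": "browser"}
{"event": "sign_in", "user": "alice@example.com", "result": "success", "flow": "interactive", "mfa_method": "sms_otp", "client_app": "browser"}
{"event": "sign_in", "user": "bob@example.com", "result": "success", "flow": "interactive", "mfa_method": "totp", "client_app": "browser"}
{"event": "sign_in", "user": "carol@example.com", "result": "success", "flow": "device_code", "mfa_method": "security_key", "client_app": "unknown-cli"}
{"event": "sign_in", "user": "carol@example.com", "result": "success", "flow": "device_code", "mfa_method": "security_key", "client_app": "conference-room-display"}
{"event": "sign_in", "user": "alice@example.com", "result": "failure", "flow": "interactive", "mfa_method": "sms_otp", "client_app": "browser"}
{"event": "consent_grant", "user": "bob@example.com", "app_id": "app-unknown-7731", "scopes": ["Mail.ReadWrite", "offline_access"]}
{"event": "consent_grant", "user": "alice@example.com", "app_id": "app-corp-approved-0001", "scopes": ["User.Read"]}
"""


def parse_logs(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_downgrade(ev: dict) -> dict | None:
    """Strong method registered, but MFA satisfied with a weaker one: treat as a
    likely AiTM downgrade or a policy gap."""
    if ev.get("event") != "sign_in" or ev.get("result") != "success":
        return None
    registered = REGISTERED_METHODS.get(ev["user"], set())
    if registered & PHISHING_RESISTANT and ev.get("mfa_method") not in PHISHING_RESISTANT:
        return {"rule": "mfa_downgrade", "user": ev["user"], "method": ev["mfa_method"]}
    return None


def check_device_code(ev: dict) -> dict | None:
    """Successful device code sign-in from a client not on the allowlist. The
    user's passkey was used legitimately; the device being authorized is the issue."""
    if ev.get("event") != "sign_in" or ev.get("result") != "success":
        return None
    if ev.get("flow") == "device_code" and ev.get("client_app") not in DEVICE_CODE_ALLOWED_APPS:
        return {"rule": "device_code_sign_in", "user": ev["user"], "client_app": ev["client_app"]}
    return None


def check_consent(ev: dict) -> dict | None:
    """Consent granted to a non-approved app requesting risky delegated scopes."""
    if ev.get("event") != "consent_grant":
        return None
    risky = RISKY_SCOPES & set(ev.get("scopes", []))
    if risky and ev.get("app_id") not in TRUSTED_APP_IDS:
        return {"rule": "risky_consent", "user": ev["user"],
                "app_id": ev["app_id"], "scopes": sorted(risky)}
    return None


RULES = (check_downgrade, check_device_code, check_consent)


def detect(events: list[dict]) -> list[dict]:
    """Runs every rule over every event and collects the alerts in log order."""
    return [alert for ev in events for rule in RULES if (alert := rule(ev))]


def weak_only_accounts() -> set[str]:
    """Accounts with no phishing-resistant method at all: the downgrade rule
    cannot protect them, so they are the enrollment backlog."""
    return {user for user, methods in REGISTERED_METHODS.items()
            if not methods & PHISHING_RESISTANT}


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert)
    print("needs phishing-resistant enrollment:", sorted(weak_only_accounts()))
```

Feeding the constructed logs through `detect` yields one alert per technique: Alice's SMS sign‑in despite a registered passkey, Carol's device‑code sign‑in from an unlisted client, and Bob's consent to an unknown app with mailbox scopes. The failed SMS attempt and the allowlisted device‑code sign‑in are intentionally ignored, and `weak_only_accounts` shows that Bob is the one account where the downgrade rule has nothing to compare against.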
🧾 Summary
Even with phishing‑resistant login methods deployed, attackers are adapting with downgrade attacks, device‑code phishing, and OAuth consent abuse, all of which exploit weaker or fallback authentication paths rather than the strong method itself. Effective defense requires removing insecure MFA alternatives, enforcing passkeys or hardware‑bound methods by policy, restricting the device code flow, governing OAuth permissions carefully, and adding safeguards such as proximity checks and device‑bound session tokens.