FIDO isn’t broken, just outsmarted: Expel researchers called the campaign a concerning development, given that FIDO keys are often regarded as one of the pinnacles of secure MFA. “While we haven’t uncovered a vulnerability in FIDO keys, IT and SecOps folks will want to sit up and take notice,” they said. “This attack demonstrates how a bad actor could run an end-route around an installed FIDO key.”

Experts unanimously echoed Expel’s concerns. Darren Guccione, CEO and co-founder at Keeper Security, said, “These attacks aren’t cracking FIDO’s cryptography; instead, they exploit trusted alternative login methods, like QR-based sign-ins, to trick users into unintentionally initiating legitimate login sessions that are controlled by the attacker.” FIDO’s strength lies in its hardware-backed protection, which remains incredibly resilient, he added.

J Stephen Kowski, field CTO at SlashNext, offered a different solution. “Organizations should definitely take this seriously and consider implementing additional safeguards like requiring Bluetooth proximity between devices during cross-device authentication, while also ensuring their security solutions can detect and block these sophisticated phishing attempts before they reach users,” he said.

For users who absolutely need to have FIDO cross-device sign-in turned on, Expel recommends properly checking whether sign-in requests came from suspicious locations and looking for registration of unfamiliar, unexpected, or untrusted keys.
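As an added illustration of the two checks Expel recommends (it is not code from the article, Expel, or any vendor quoted here), the following Python pass flags cross-device FIDO sign-ins from outside a user's usual countries and any security-key registration that follows one within a short window. The event field names, the JSON-lines format and the per-user baseline are assumptions; the events are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample identity-provider events (JSON lines); not real telemetry.
SAMPLE_EVENTS = """
{"ts": "2025-07-20T09:02:11Z", "user": "alice", "event": "signin", "method": "fido_cross_device", "country": "US"}
{"ts": "2025-07-20T09:05:40Z", "user": "alice", "event": "signin", "method": "fido_cross_device", "country": "BR"}
{"ts": "2025-07-20T09:09:03Z", "user": "alice", "event": "key_registered", "key_name": "Unknown Authenticator"}
{"ts": "2025-07-20T10:00:00Z", "user": "bob", "event": "signin", "method": "fido_platform", "country": "US"}
{"ts": "2025-07-20T10:30:00Z", "user": "bob", "event": "key_registered", "key_name": "YubiKey 5"}
""".strip()

# Hypothetical baseline: countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}


def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, baseline, reg_window=timedelta(minutes=30)):
    """Return (user, alert_type, ts) tuples for:
    1. cross-device FIDO sign-ins from a country outside the user's baseline, and
    2. key registrations within reg_window after such a sign-in."""
    alerts = []
    suspicious_signins = {}  # user -> time of most recent suspicious cross-device sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 'Z' stamps sort lexically
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user = ev["user"]
        if ev["event"] == "signin" and ev["method"] == "fido_cross_device":
            if ev["country"] not in baseline.get(user, set()):
                suspicious_signins[user] = ts
                alerts.append((user, "cross_device_signin_unusual_location", ev["ts"]))
        elif ev["event"] == "key_registered":
            last = suspicious_signins.get(user)
            if last is not None and ts - last <= reg_window:
                alerts.append((user, "key_registered_after_suspicious_signin", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS), BASELINE):
        print(alert)
```

Only alice's second sign-in and the registration that follows it are flagged; bob's platform-authenticator sign-in and later key registration are left alone.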
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4025710/poisonseed-outsmarts-fido-keys-without-touching-them.html