FIDO Authentication Downgrade Threat: Proofpoint Uncovers New Risk

Proofpoint threat researchers have documented an attack method that lets cybercriminals downgrade FIDO (Fast Identity Online) authentication, putting both organizations and individuals at risk. FIDO-based passkeys are among the strongest defenses against phishing and account takeover (ATO), but the passkey itself is not what gets broken: attackers instead target accounts that still allow alternative, less secure login methods and steer the victim onto one of them.

Understanding FIDO Authentication

FIDO is an open set of standards developed by the FIDO Alliance to strengthen online authentication and reduce reliance on traditional passwords. A FIDO credential is a public/private key pair held by an authenticator (a hardware security key, or a platform authenticator unlocked with a biometric or PIN), and the browser scopes each credential to the web origin that registered it. Because the authenticator will not answer a challenge from a look-alike domain, FIDO provides phishing-resistant authentication and removes the shared secret that conventional phishing campaigns exist to steal, which is why they fail against it.

How Adversary-in-the-Middle Attacks Work

Before FIDO adoption, most large-scale credential theft relied on adversary-in-the-middle (AiTM) attacks. The victim receives a phishing email linking to what looks like the real login page but is in fact a reverse proxy sitting in front of it. The proxy relays the victim's traffic to the legitimate service, capturing the password and any multi-factor authentication (MFA) code along the way, and then harvests the session cookie the service issues, letting the attacker hijack the authenticated session without ever logging in themselves.

With FIDO in place, a standard phishlet (the per-site configuration that tells an AiTM toolkit how to proxy a given login flow) fails, because the passkey is bound to the real origin and the browser never presents it to the proxy's domain. However, Proofpoint's findings show that attackers can adapt by downgrading the authentication rather than attacking it head-on.

The Downgrade Technique

Not all web browsers support passkey (FIDO2) authentication for Microsoft Entra ID; Safari on Windows, for instance, does not. Attackers can exploit this gap by presenting themselves as an unsupported browser, most simply by having the proxy send a spoofed User-Agent header, so that Entra ID tells the user their browser cannot use a passkey and offers other ways to sign in.

This works best when alternative authentication methods remain enrolled on the account, a common setup because those methods double as account recovery. Once the downgrade is triggered, the user completes login with a weaker MFA method or even a password alone, both of which the proxy can capture, and the passkey never enters the picture.

Proofpoint’s Findings

Proofpoint researchers built a specialized phishlet for the Evilginx AiTM framework to simulate this downgrade end to end. By forcing the user onto a weaker method, the proxy could capture the credentials and the resulting session cookie and complete an account takeover.

The technique is not a flaw in FIDO itself. It demonstrates that "phishing-resistant" authentication is only as strong as the fallback methods left beside it: if a weaker method can be selected for the same sign-in without additional safeguards, the account inherits that method's phishing resistance, not the passkey's.
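The downgrade leaves two signals in sign-in telemetry: an implausible browser claim (Safari on Windows) and a user who normally authenticates with a passkey suddenly completing a sign-in with a weaker method, often from a new source address. The following Python is an added example of detection logic over such records; it is not Proofpoint's code and not an Entra ID export. The sample records are constructed, their field names are simplified assumptions modelled loosely on Entra sign-in logs (flattened to one authentication method per record), and the Safari-on-Windows heuristic is ours.

```python
"""Flag sign-ins that look like an AiTM-driven FIDO downgrade.

Constructed example: the records in SAMPLE_SIGNINS are hand-written in a
simplified, Entra-ID-like shape (one authentication method per record). They
are not a real log export, and the field names are assumptions.
"""
import re
from collections import defaultdict

# Methods treated as phishing-resistant when building a user's baseline.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey"}

# Heuristic for the spoofed browser in the article: a User-Agent claiming
# Safari on Windows, which has not shipped since 2012. Real Safari UAs carry
# "Version/x.y" before "Safari/"; Chromium-family browsers on Windows also end
# in "Safari/..." but never contain "Version/" and carry one of the markers below.
SAFARI_UA = re.compile(r"Windows NT.*Version/[\d.]+.*Safari/")
CHROMIUM_MARKERS = ("Chrome/", "Chromium/", "Edg/", "OPR/")

# Constructed User-Agent strings used in the sample records.
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
SPOOFED_SAFARI_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 "
                      "(KHTML, like Gecko) Version/17.4 Safari/605.1.15")


def is_implausible_user_agent(ua: str) -> bool:
    """True when the UA claims to be Safari on Windows."""
    return bool(SAFARI_UA.search(ua)) and not any(m in ua for m in CHROMIUM_MARKERS)


def analyze(records):
    """Replay successful sign-ins in time order, building a per-user baseline
    of methods and source IPs, and return an alert for every sign-in that
    (a) arrives with an implausible browser claim, or (b) uses a non-FIDO
    method for a user who has previously signed in with a passkey. A new
    source IP on a downgraded sign-in adds a third reason."""
    baseline = defaultdict(lambda: {"methods": set(), "ips": set()})
    alerts = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"] != "success":
            continue
        user, method, ip = r["userPrincipalName"], r["authenticationMethod"], r["ipAddress"]
        b = baseline[user]
        reasons = []
        if is_implausible_user_agent(r["userAgent"]):
            reasons.append("user agent claims Safari on Windows")
        if b["methods"] & PHISHING_RESISTANT and method not in PHISHING_RESISTANT:
            reasons.append(f"'{method}' is weaker than user's passkey baseline")
            if ip not in b["ips"]:
                reasons.append(f"new source IP {ip}")
        if reasons:
            alerts.append({"user": user, "time": r["createdDateTime"],
                           "severity": "high" if len(reasons) >= 2 else "medium",
                           "reasons": reasons})
        b["methods"].add(method)
        b["ips"].add(ip)
    return alerts


def _rec(time, user, ip, ua, method):
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "userAgent": ua, "authenticationMethod": method, "status": "success"}


SAMPLE_SIGNINS = [
    _rec("2025-08-01T09:00:00Z", "alice@example.com", "203.0.113.10", CHROME_WIN, "FIDO2 security key"),
    _rec("2025-08-02T09:05:00Z", "alice@example.com", "203.0.113.10", CHROME_WIN, "FIDO2 security key"),
    # Downgraded sign-in relayed through a proxy that spoofs Safari on Windows.
    _rec("2025-08-03T14:22:00Z", "alice@example.com", "198.51.100.77", SPOOFED_SAFARI_WIN, "Mobile app notification"),
    # Bob never enrolled a passkey: a new IP alone is not a downgrade.
    _rec("2025-08-01T10:00:00Z", "bob@example.com", "203.0.113.20", CHROME_WIN, "Text message"),
    _rec("2025-08-03T10:00:00Z", "bob@example.com", "198.51.100.5", CHROME_WIN, "Text message"),
    # Carol falls back to a password from her usual IP and browser: worth a look, not an incident.
    _rec("2025-08-01T08:00:00Z", "carol@example.com", "203.0.113.30", CHROME_WIN, "Passkey"),
    _rec("2025-08-04T08:10:00Z", "carol@example.com", "203.0.113.30", CHROME_WIN, "Password"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_SIGNINS):
        print(a["severity"].upper(), a["user"], a["time"], "|", "; ".join(a["reasons"]))
```

Run as-is, the script raises a high-severity alert for Alice's proxied sign-in (spoofed browser, step down from a passkey, new IP) and a medium one for Carol's password fallback, and stays quiet for Bob, who never had a passkey to be downgraded from. In a real deployment the method would come from the authentication-details entries of each sign-in event and the browser claim from the device or user-agent fields; the point of the baseline is that a downgrade is only meaningful relative to what the user normally does.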

Why It Matters for Organizations

Cybersecurity experts warn that as more companies adopt FIDO to defend against phishing, threat actors will fold downgrade attacks into their tactics, techniques, and procedures (TTPs). Organizations that deploy FIDO without tightening the fallback methods beside it leave a critical gap: the sign-in is only as strong as the weakest method the identity provider is still willing to accept. In Entra ID the relevant control is a Conditional Access policy with a phishing-resistant authentication strength, which makes a browser that cannot present a passkey fail the sign-in rather than be offered a weaker alternative, and separating account recovery from routine sign-in so that recovery methods are not usable as everyday login methods.

The Road Ahead

While the current threat landscape still focuses heavily on accounts without MFA or with weaker MFA methods, the adaptability of cybercriminals means that even FIDO-protected systems must be continuously reviewed. Proactive security governance, combined with user education and hardening of the authentication infrastructure itself, will be key to keeping authentication methods truly phishing-resistant in practice and not just on paper.
