Phishers have found a way to downgrade—not bypass—FIDO MFA

Expel said that PoisonSeed has found a clever sleight of hand to bypass this crucial step. As the user enters the username and password into the fake Okta site, a PoisonSeed team member enters them in real time into a real Okta login page. As Thursday’s post went on to explain:

In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.

This process—while seemingly complicated—effectively bypasses any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.

How FIDO makes such attacks impossible

The end result, the security firm said, was an adversary-in-the-middle attack that tampered with the QR code process to bypass FIDO MFA. As noted earlier, writers of the FIDO spec anticipated such attack techniques and built defenses that make them impossible, at least in the form described by Expel. Had the targeted Okta MFA process followed FIDO requirements, the login would have failed for at least two reasons.

First, the device providing the hybrid form of authentication would have to be physically close enough to the attacker's device logging in for the phone's Bluetooth Low Energy advertisement to reach that device; the hybrid transport uses this proximity check to set up the connection. Contrary to what Expel said, this is not "an additional security feature." It's mandatory. Without it, the authentication will fail.

Second, the data the hybrid device signs includes the origin the browser actually loaded, which here would be the fake site (okta[.]login-request[.]com) rather than the genuine Okta.com domain, and the credential itself is scoped to the relying party ID it was registered under. Even if the hybrid device were in close proximity to the attacker device, the authentication would still fail, since the origins don't match.

What Expel seems to have encountered is an attack that downgraded FIDO MFA to some weaker MFA form. Very likely, this weaker authentication was similar to the method used to log in to a Netflix or YouTube account on a TV with a phone: the phone proves only that it scanned a code, and nothing binds that approval to the page that displayed the code, so a relayed QR code is as good as the original. Assuming this was the case, the person who administered the organization's Okta login page would have had to deliberately choose to allow this fallback to a weaker form of MFA. As such, the attack is more accurately classified as a FIDO downgrade attack, not a bypass.
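The two points above, the origin binding that makes a relayed FIDO challenge useless and the TV-style QR login that a relay defeats, can be put side by side in a small model. The following is an added example written for this page; it is not code from the article, Expel, Okta or the FIDO Alliance. It assumes a genuine origin of https://okta.com and the lookalike host from the article, uses HMAC with a per-credential secret as a stand-in for the authenticator's private key so it runs on the standard library alone, follows the WebAuthn rules for RP ID, origin and challenge binding, and does not model the Bluetooth proximity check of the hybrid flow (the article's first reason). All tokens and hostnames are constructed for the example.

```python
"""Relaying a QR-code login token versus relaying a WebAuthn challenge. Added example,
not the article's, Expel's, Okta's or the FIDO Alliance's code. HMAC with a per-credential
secret stands in for the authenticator's private key (stdlib only); binding rules follow
WebAuthn. Hostnames and tokens are constructed; the hybrid flow's BLE check is not modeled."""
import hashlib, hmac, json, secrets

RP_ID = "okta.com"                               # RP ID the credential is scoped to
GENUINE_ORIGIN = "https://okta.com"              # assumed genuine login origin
PHISH_ORIGIN = "https://okta.login-request.com"  # lookalike host from the article

def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Client rule: the RP ID must be the origin's host or a registrable suffix of it,
    so okta.login-request.com can never claim the RP ID okta.com."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def client_data_json(challenge: str, origin: str) -> bytes:
    """clientDataJSON: the browser records the origin it actually saw."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()

class Authenticator:
    """One credential per RP ID; signs blindly over authData || clientDataHash."""
    def __init__(self):
        self.credentials = {}                    # rp_id -> signing key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"  # rpIdHash|flags|counter
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(origin, rp_id, challenge, authenticator):
    """navigator.credentials.get({rpId}) as a conforming client runs it at origin."""
    if not rp_id_allowed(origin, rp_id):
        raise PermissionError(f"{origin} may not use RP ID {rp_id!r}")
    client_data = client_data_json(challenge, origin)
    return (client_data, *authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest()))

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.keys, self.pending = rp_id, origin, {}, {}

    def start_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, user, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or self.pending.pop(cd.get("challenge"), None) != user:
            return False                         # unknown or already-used challenge
        if cd.get("origin") != self.origin:      # the article's second reason
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                         # credential scoped to another RP ID
        expected = hmac.new(self.keys[user], auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def relay_qr() -> bool:
    """TV-style QR login modeled as a dict of pending sessions: the portal shows a token
    in a QR code and whichever phone posts it back approves the waiting browser session.
    PoisonSeed relay: the attacker opens the genuine portal, shows its token on the phishing
    page, the victim's app posts it back, and the attacker's session is approved."""
    portal_sessions = {}                              # token -> approving user or None
    attacker_session = secrets.token_urlsafe(16)      # what the genuine portal put in the QR
    portal_sessions[attacker_session] = None
    scanned = attacker_session                        # relayed verbatim to the victim's screen
    if scanned in portal_sessions:                    # the portal's whole check: is the token known?
        portal_sessions[scanned] = "victim"           # no origin field exists to compare
    return portal_sessions[attacker_session] is not None

def setup():
    """Victim holds a credential scoped to okta.com; the RP holds its verification key."""
    rp, auth = RelyingParty(RP_ID, GENUINE_ORIGIN), Authenticator()
    auth.credentials[RP_ID] = rp.keys["victim"] = secrets.token_bytes(32)
    return rp, auth, rp.start_login("victim")

def relay_webauthn():
    """Same relay against a FIDO credential: returns (client_refused, rp_accepted_forgery)."""
    rp, auth, challenge = setup()               # attacker relays the challenge to the phishing page
    try:                                        # 1. the phishing page asks for rpId "okta.com"
        browser_get(PHISH_ORIGIN, RP_ID, challenge, auth)
        client_refused = False
    except PermissionError:
        client_refused = True
    # 2. Even if a tampered client skipped that rule, clientDataJSON names the phishing
    #    origin, so the RP rejects the otherwise valid signature.
    forged = client_data_json(challenge, PHISH_ORIGIN)
    auth_data, sig = auth.get_assertion(RP_ID, hashlib.sha256(forged).digest())
    return client_refused, rp.finish_login("victim", forged, auth_data, sig)

def genuine_webauthn() -> bool:
    """Control case: the same credential used at the genuine origin verifies."""
    rp, auth, challenge = setup()
    return rp.finish_login("victim", *browser_get(GENUINE_ORIGIN, RP_ID, challenge, auth))
```

Running relay_qr() returns True (the attacker's waiting session is approved by the victim's scan), relay_webauthn() returns (True, False) (the client refuses to use the okta.com credential from the lookalike origin, and a forged assertion carrying that origin is rejected by the relying party), and genuine_webauthn() returns True. The difference is not the signature but what gets signed: the QR token carries no information about where it was displayed, while clientDataJSON does.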
