
New downgrade attack can bypass FIDO auth in Microsoft Entra ID

https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
26•mikece•5mo ago

Comments

moi2388•5mo ago
Pff.. again an Entra ID security flaw? It’s incredible how sloppy their single auth solution is..

Loudergood•5mo ago
Safari on Windows? That browser hasn't been supported since 2012...

lousken•5mo ago
What if you have conditional access policy requiring phishing resistant auth to be able to login?

parliament32•5mo ago
Then the attack won't work, because this depends on you (for some reason) having both FIDO and non-phishing-resistant MFA methods available at the same time.

parliament32•5mo ago
It's not clear who this is an attack for.. organizations that have implemented phishing-resistant MFA will already have CA policy to block any sign-ins that don't have the required authentication strength (that same "You can't get there from here" message users in unsupported browsers get). Maybe it's effective if the organization is in the middle of a rollout, where FIDO is enabled but old MFA methods haven't been disabled yet?

EDIT: This is actually called out in the article:

> The attack sequence relies on the existence of an alternative authentication method (usually MFA), besides FIDO, for the targeted user account. But luckily, this tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery.

Most orgs will have TAP for account recovery, but that's not really phishable for other reasons.

tatersolid•5mo ago
Basically all other identity providers are also vulnerable to phishers which strip out WebAuthn calls in the payload when acting as a proxy to the real IdP.

Basically you must disable all other phishable forms of MFA fallback if you want phishing-resistant FIDO2/passkeys. Conditional access policies in Entra can do this selectively or org-wide. If you don’t do this you’re relying on “end user training and wariness” again as phishing protection.

parliament32•5mo ago
Yes, exactly. But there is little point in going through the pain and effort of rolling out phishing-resistant MFA if you're going to leave non-phishing-resistant methods available / as a fallback...
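
The condition this sub-thread describes (FIDO registered while a phishable MFA method is still available as a fallback) can be audited per account. The following is an added example, not part of any comment or of the linked article: it assumes a JSON export of each user's registered methods keyed by the Microsoft Graph `@odata.type` names, and the sample records and the two method groupings are constructed for illustration.

```python
import json

# Constructed sample, not real tenant data: one record per user listing the
# "@odata.type" of each registered authentication method.
SAMPLE_EXPORT = json.loads("""[
 {"user": "alice@example.test", "methods": [
   "#microsoft.graph.passwordAuthenticationMethod",
   "#microsoft.graph.fido2AuthenticationMethod"]},
 {"user": "bob@example.test", "methods": [
   "#microsoft.graph.passwordAuthenticationMethod",
   "#microsoft.graph.fido2AuthenticationMethod",
   "#microsoft.graph.phoneAuthenticationMethod"]},
 {"user": "carol@example.test", "methods": [
   "#microsoft.graph.passwordAuthenticationMethod",
   "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
   "#microsoft.graph.softwareOathAuthenticationMethod"]},
 {"user": "dave@example.test", "methods": [
   "#microsoft.graph.passwordAuthenticationMethod",
   "#microsoft.graph.fido2AuthenticationMethod",
   "#microsoft.graph.temporaryAccessPassAuthenticationMethod"]}
]""")

# Assumed grouping for this example; adjust it to your own policy.
# Temporary Access Pass is left out of the phishable set, following the thread.
PHISHING_RESISTANT = {"fido2AuthenticationMethod",
                      "windowsHelloForBusinessAuthenticationMethod"}
PHISHABLE_MFA = {"phoneAuthenticationMethod",
                 "microsoftAuthenticatorAuthenticationMethod",
                 "softwareOathAuthenticationMethod"}

def audit_fallbacks(export):
    """Map each user to (status, phishable methods registered beside FIDO)."""
    report = {}
    for entry in export:
        # "#microsoft.graph.fido2AuthenticationMethod" -> "fido2AuthenticationMethod"
        kinds = {m.rsplit(".", 1)[-1] for m in entry["methods"]}
        resistant = kinds & PHISHING_RESISTANT
        fallbacks = sorted(kinds & PHISHABLE_MFA)
        if resistant and fallbacks:
            status = "downgradable"      # FIDO plus a phishable fallback
        elif resistant:
            status = "resistant-only"
        elif fallbacks:
            status = "phishable-only"    # not yet enrolled in FIDO
        else:
            status = "no-mfa"
        report[entry["user"]] = (status, fallbacks)
    return report

if __name__ == "__main__":
    for user, (status, fallbacks) in audit_fallbacks(SAMPLE_EXPORT).items():
        print(f"{user:22} {status:15} {', '.join(fallbacks)}")
```

Accounts reported as `downgradable` are the ones that depend on a conditional access authentication-strength requirement to refuse the fallback at sign-in.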

esseph•5mo ago
Hmmmmmmm

https://taptrap.click/

dvno42•5mo ago
Since this relies on simulating Safari as the browser, I wonder if a conditional access policy enforcing browser selection would help mitigate this.

While only realistic for a small number of users, I've started enforcing users of privileged tools to go through a WireGuard instance before being allowed to access Azure hosted tools that rely on Entra auth. Services I publish then have an ingress whitelist of said WireGuard VM.