PYX: The next step in Python packaging

https://astral.sh/pyx
257•the_mitsuhiko•3h ago•112 comments

Nginx introduces native support for ACME protocol

https://blog.nginx.org/blog/native-support-for-acme-protocol
403•phickey•6h ago•151 comments

NIST Finalizes 'Lightweight Cryptography' Standard to Protect Small Devices

https://www.nist.gov/news-events/news/2025/08/nist-finalizes-lightweight-cryptography-standard-protect-small-devices
27•gnabgib•1h ago•10 comments

OCaml as my primary language

https://xvw.lol/en/articles/why-ocaml.html
159•nukifw•3h ago•101 comments

VC-backed company just killed my EU trademark for a small OSS project

119•marcjschmidt•20h ago•22 comments

FFmpeg 8.0 adds Whisper support

https://code.ffmpeg.org/FFmpeg/FFmpeg/commit/13ce36fef98a3f4e6d8360c24d6b8434cbb8869b
741•rilawa•11h ago•260 comments

Illinois bans use of artificial intelligence for mental health therapy

https://www.washingtonpost.com/nation/2025/08/12/illinois-ai-therapy-ban/
101•reaperducer•1h ago•25 comments

PCIe 8.0 announced by the PCI-Sig will double throughput again

https://www.servethehome.com/pcie-8-0-announced-by-the-pci-sig-will-double-throughput-again/
67•rbanffy•3d ago•78 comments

Launch HN: Golpo (YC S25) – AI-generated explainer videos

https://video.golpoai.com/
46•skar01•4h ago•55 comments

Cross-Site Request Forgery

https://words.filippo.io/csrf/
76•tatersolid•4h ago•14 comments

So what's the difference between plotted and printed artwork?

https://lostpixels.io/writings/the-difference-between-plotted-and-printed-artwork
170•cosiiine•8h ago•57 comments

Rerank-2.5 and rerank-2.5-lite: instruction-following rerankers

https://blog.voyageai.com/2025/08/11/rerank-2-5/
31•fzliu•1d ago•4 comments

Pebble Time 2 Design Reveal [video]

https://www.youtube.com/watch?v=pcPzmDePH3E
151•net01•8h ago•145 comments

Coalton Playground: Type-Safe Lisp in the Browser

https://abacusnoir.com/2025/08/12/coalton-playground-type-safe-lisp-in-your-browser/
80•reikonomusha•6h ago•28 comments

DoubleAgents: Fine-Tuning LLMs for Covert Malicious Tool Calls

https://pub.aimind.so/doubleagents-fine-tuning-llms-for-covert-malicious-tool-calls-b8ff00bf513e
73•grumblemumble•8h ago•22 comments

ReadMe (YC W15) Is Hiring a Developer Experience PM

https://readme.com/careers#product-manager-developer-experience
1•gkoberger•4h ago

OpenIndiana: Community-Driven Illumos Distribution

https://www.openindiana.org/
68•doener•6h ago•52 comments

New treatment eliminates bladder cancer in 82% of patients

https://news.keckmedicine.org/new-treatment-eliminates-bladder-cancer-in-82-of-patients/
238•geox•6h ago•109 comments

Fighting with YouTube to show a preview image

https://shaneosullivan.wordpress.com/2025/08/11/fighting-with-youtube-to-show-a-preview-image/
20•shaneos•2d ago•2 comments

The Mary Queen of Scots Channel Anamorphosis: A 3D Simulation

https://www.charlespetzold.com/blog/2025/05/Mary-Queen-of-Scots-Channel-Anamorphosis-A-3D-Simulation.html
65•warrenm•8h ago•13 comments

Electrically controlled heat transport in graphite films

https://www.science.org/doi/10.1126/sciadv.adw8588
3•PaulHoule•2d ago•0 comments

Claude says “You're absolutely right!” about everything

https://github.com/anthropics/claude-code/issues/3382
580•pr337h4m•14h ago•446 comments

We caught companies making it harder to delete your personal data online

https://themarkup.org/privacy/2025/08/12/we-caught-companies-making-it-harder-to-delete-your-data
243•amarcheschi•7h ago•60 comments

April Fools 2014: The *Real* Test Driven Development (2014)

https://testing.googleblog.com/2014/04/the-real-test-driven-development.html
102•omot•4h ago•20 comments

Job Listing Site Highlighting H-1B Positions So Americans Can Apply

https://www.newsweek.com/h1b-jobs-now-american-workers-green-cards-2041404
79•walterbell•2h ago•38 comments

A case study in bad hiring practice and how to fix it

https://www.tomkranz.com/blog1/a-case-study-in-bad-hiring-practice-and-how-to-fix-it
97•prestelpirate•5h ago•78 comments

US national debt reaches a record $37T, the Treasury Department reports

https://apnews.com/article/treasury-debt-spending-trump-obbb-6f807c4aae78dcc96f29ff07a3c926f4
62•atombender•3h ago•28 comments

This website is for humans

https://localghost.dev/blog/this-website-is-for-humans/
415•charles_f•6h ago•222 comments

29 years later, Settlers II gets Amiga release

https://gamingretro.co.uk/29-years-later-settlers-ii-finally-gets-amiga-release/
75•doener•3h ago•21 comments

Gartner's grift is about to unravel

https://dx.tips/gartner
122•mooreds•5h ago•55 comments

New downgrade attack can bypass FIDO auth in Microsoft Entra ID

https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
15•mikece•2h ago

Comments

moi2388•1h ago
Pff.. again an Entra ID security flaw? It's incredible how sloppy their single auth solution is..
Loudergood•1h ago
Safari on Windows? That browser hasn't been supported since 2012...
lousken•1h ago
What if you have conditional access policy requiring phishing resistant auth to be able to login?
parliament32•1h ago
It's not clear who this is an attack for.. organizations that have implemented phishing-resistant MFA will already have a CA policy to block any sign-ins that don't have the required authentication strength (that same "You can't get there from here" message users in unsupported browsers get). Maybe it's effective if the organization is in the middle of a rollout, where FIDO is enabled but old MFA methods haven't been disabled yet?

EDIT: This is actually called out in the article:

> The attack sequence relies on the existence of an alternative authentication method (usually MFA), besides FIDO, for the targeted user account. But luckily, this tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery.

Most orgs will have TAP for account recovery, but that's not really phishable for other reasons.

tatersolid•6m ago
Basically all other identity providers are also vulnerable to phishers which strip out WebAuthn calls in the payload when acting as a proxy to the real IdP.

Basically you must disable all other phishable forms of MFA fallback if you want phishing-resistant FIDO2/passkeys. Conditional access policies in Entra can do this selectively or org-wide. If you don’t do this you’re relying on “end user training and wariness” again as phishing protection.

dvno42•1h ago
Since this relies on simulating Safari as the browser, I wonder if a conditional access policy enforcing browser selection would help mitigate this.

While only realistic for a small number of users, I've started enforcing users of privileged tools to go through a WireGuard instance before being allowed to access Azure hosted tools that rely on Entra auth. Services I publish then have an ingress whitelist of said WireGuard VM.
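The downgrade that tatersolid and dvno42 describe (a phishing proxy rewrites the victim's user agent to one the IdP treats as FIDO-incapable, so only relayable fallback methods are offered) and the fix tatersolid names (enforce the required authentication strength on the method actually used, regardless of what the client claimed) are modelled below. This is a constructed example added to the thread, not Entra ID's code or anything from the linked article; the method names, the user-agent tuples, the "FIDO-capable" list and the phishing-resistant set are assumptions made to keep the model small.

```python
"""Model of a user-agent-driven FIDO downgrade through an AitM proxy, and of the
authentication-strength check that stops it.

Constructed example, not Entra ID's implementation. Method names, user-agent
tuples, FIDO_CAPABLE and PHISHING_RESISTANT are assumptions for the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: these methods bind the origin into the assertion, so a proxy on a
# look-alike domain cannot relay them. OTP/push/SMS carry no origin and relay fine.
PHISHING_RESISTANT: Set[str] = {"fido2", "passkey"}

# Assumption: (browser, os) pairs the model IdP believes can perform WebAuthn.
# "safari"/"windows" is deliberately absent, mirroring the thread's observation.
FIDO_CAPABLE = {("chrome", "windows"), ("edge", "windows"), ("safari", "macos")}


@dataclass
class SignIn:
    browser: str
    os: str
    registered: Set[str]            # methods the user has registered
    offered: List[str] = field(default_factory=list)
    used: Optional[str] = None


def offer_methods(s: SignIn) -> List[str]:
    """Vulnerable step: method selection keyed on the client-claimed user agent.
    If the UA is not on the FIDO-capable list, the phishing-resistant methods
    are silently dropped and the user is steered to whatever fallback exists."""
    methods = sorted(s.registered)
    if (s.browser, s.os) not in FIDO_CAPABLE:
        methods = [m for m in methods if m not in PHISHING_RESISTANT]
    s.offered = methods
    return methods


def aitm_proxy(victim: SignIn) -> SignIn:
    """The phishing proxy forwards the victim's login but rewrites the user agent
    to a FIDO-incapable one; the IdP never offers FIDO, and the fallback the
    victim completes (push approval, TOTP) is relayed unchanged."""
    return SignIn(browser="safari", os="windows", registered=set(victim.registered))


def complete_sign_in(s: SignIn, choice: str) -> SignIn:
    if choice not in s.offered:
        raise ValueError(f"{choice} was not offered")
    s.used = choice
    return s


def enforce_strength(s: SignIn, required: Set[str]) -> bool:
    """Conditional-access style check: evaluated on the method actually used,
    not on the UA or on what the client said it supported. True = issue session."""
    return s.used in required


def run_scenario(policy_enforced: bool) -> Dict[str, object]:
    """Victim has FIDO2 plus two relayable fallbacks registered.
    Returns what was offered directly, what was offered via the proxy,
    which method the relayed sign-in used, and whether a session was issued."""
    victim = SignIn("chrome", "windows", {"fido2", "totp", "push"})
    direct_offer = offer_methods(SignIn(victim.browser, victim.os, set(victim.registered)))

    proxied = aitm_proxy(victim)
    offer_methods(proxied)
    complete_sign_in(proxied, proxied.offered[0])   # victim takes the first fallback

    issued = enforce_strength(proxied, PHISHING_RESISTANT) if policy_enforced else True
    return {
        "direct_offer": direct_offer,
        "proxied_offer": proxied.offered,
        "method_used": proxied.used,
        "session_issued": issued,
    }


if __name__ == "__main__":
    print("no strength policy:", run_scenario(policy_enforced=False))
    print("strength policy:   ", run_scenario(policy_enforced=True))
```

Without the policy the proxied sign-in completes with a relayable method and the attacker holds a valid session; with it the same sign-in is refused because the method used is not in the required set, independent of the spoofed user agent. In Entra ID the equivalent of `enforce_strength` is a Conditional Access policy granting access only with the built-in "Phishing-resistant MFA" authentication strength; as parliament32 notes, that leaves the question of which recovery path (such as a Temporary Access Pass) remains for the accounts the policy covers.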