The end result, the security firm said, was an adversary-in-the-middle attack that tampered with the QR code process to bypass FIDO MFA. As noted earlier, writers of the FIDO spec anticipated such attack techniques and built defenses that make them impossible, at least in the form described by Expel.
What Expel seems to have encountered is an attack that downgraded FIDO MFA with some weaker MFA form.
As such, the attack is more accurately classified as a FIDO downgrade attack, not a bypass.
| Topic | Replies | Views | Activity | |
|---|---|---|---|---|
| Remove Nitrokey | 41 | 2452 | May 6, 2025 | |
| Anti-phishing code. Why is it not a common security measure? | 13 | 338 | November 1, 2024 | |
| The trouble with decommissioning a used FIDO security key | 5 | 407 | January 15, 2025 | |
| Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish | 11 | 664 | March 27, 2025 | |
| Need help bypassing forgotten private key passphrase | 5 | 387 | October 1, 2023 |
Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.
Privacy Guides is a non-profit, socially motivated website that provides information for protecting your data security and privacy.
We do not make money from recommending certain products, and we do not use affiliate links.