Importing the intercepted session cookie into the attacker's browser | Image: Proofpoint
FIDO-based passkeys are widely regarded as one of the strongest defenses against phishing and account takeover (ATO) attempts. But new research from Proofpoint shows that even these “phishing-resistant” methods are not entirely bulletproof. In a recently published analysis, the company reveals how attackers could exploit a downgrade attack to bypass FIDO protections, potentially opening the door to adversary-in-the-middle (AiTM) compromises.
According to Proofpoint, “FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.” However, they warn that “FIDO-based authentication can be side-stepped using a downgrade attack.”
The attack hinges on a modified “phishlet” — a configuration file used by advanced phishing kits like Evilginx to impersonate legitimate login portals and capture credentials or tokens. Standard phishlets fail against FIDO-secured accounts, often triggering an error and halting the attack. But Proofpoint researchers developed a specialized variant that instead forces a fallback to a weaker authentication method.
The process relies on user-agent spoofing to present a browser that does not support FIDO2 authentication. For example, “FIDO is not supported when using Safari on Windows.” When the platform sees this “incompatible” setup, it prompts the user to choose an alternative login option, such as Microsoft Authenticator or SMS-based MFA.

Proofpoint outlines the downgrade phishing chain as follows:
- Phishing Lure – A malicious link is sent via email, SMS, or OAuth consent request.
- Forced Downgrade – The victim sees an error prompting them to select another sign-in method.
- Credential & Token Theft – Upon using the alternative MFA, the attacker “is able to intercept and view the login credentials and session cookie, as they would in a standard AiTM phishing attack.”
- Session Hijacking – The stolen session cookie is imported into the attacker’s browser, allowing full account access without further authentication.
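As an added illustration from the defender's side (example code written for this page, not Proofpoint's research code), the following Python scans constructed sign-in log lines for the two signals the chain above depends on: a user agent that claims Safari on Windows, which the page cites as the trigger for the fallback prompt, and a user who previously authenticated with FIDO completing a sign-in with a weaker method. The log format, field names, method labels and sample records are assumptions made for this example and would need to be adapted to a real identity provider's export.

```python
"""
Added example (not Proofpoint's code): a small detector for the two signals
of a FIDO downgrade chain visible in sign-in telemetry:

  1. an implausible user agent (Safari claiming to run on Windows), which
     the page names as the trigger for the FIDO fallback prompt;
  2. a user who normally signs in with FIDO suddenly completing a sign-in
     with a weaker method (SMS, push/authenticator app).

Log format, field names, method labels and sample records are constructed
for this example.
"""
import re
from collections import defaultdict

# Method labels are assumptions for this example; map them to your IdP's names.
WEAK_METHODS = {"sms", "authenticator_push", "voice"}
STRONG_METHODS = {"fido2", "passkey"}

# Safari is not shipped for Windows, so a UA naming both is a spoofing
# indicator. Chromium browsers include a "Safari/" token too, so exclude them.
_SAFARI_RE = re.compile(r"\bSafari/\d", re.I)
_NOT_SAFARI_RE = re.compile(r"Chrome/|Chromium/|Edg/|OPR/", re.I)
_WINDOWS_RE = re.compile(r"Windows NT", re.I)


def is_spoofed_safari_on_windows(user_agent: str) -> bool:
    """True when the UA claims to be real Safari running on Windows."""
    return bool(_SAFARI_RE.search(user_agent)
                and not _NOT_SAFARI_RE.search(user_agent)
                and _WINDOWS_RE.search(user_agent))


def parse_line(line: str):
    """Parse one constructed log line:
    ts=<iso> user=<name> method=<m> result=<r> ua="<ua>"  (assumed format)."""
    m = re.match(r'ts=(\S+) user=(\S+) method=(\S+) result=(\S+) ua="([^"]*)"', line)
    if not m:
        return None
    ts, user, method, result, ua = m.groups()
    return {"ts": ts, "user": user, "method": method.lower(),
            "result": result.lower(), "ua": ua}


def find_downgrade_alerts(lines):
    """Return (user, ts, reason) tuples. A weak-method sign-in is flagged only
    when that user already succeeded with a strong method earlier in the batch,
    so users who never had FIDO are not alerted on."""
    alerts = []
    seen_strong = defaultdict(bool)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_spoofed_safari_on_windows(rec["ua"]):
            alerts.append((rec["user"], rec["ts"],
                           "implausible user agent: Safari on Windows"))
        if rec["result"] != "success":
            continue
        if rec["method"] in STRONG_METHODS:
            seen_strong[rec["user"]] = True
        elif rec["method"] in WEAK_METHODS and seen_strong[rec["user"]]:
            alerts.append((rec["user"], rec["ts"],
                           f"downgrade from FIDO to {rec['method']}"))
    return alerts


# Constructed sample records, in chronological order.
SAMPLE_LOG = [
    'ts=2024-06-01T08:00:00Z user=alice method=fido2 result=success '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/125.0 Safari/537.36"',
    'ts=2024-06-01T09:12:00Z user=alice method=fido2 result=failure '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.4 Safari/605.1.15"',
    'ts=2024-06-01T09:13:30Z user=alice method=sms result=success '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.4 Safari/605.1.15"',
    'ts=2024-06-01T10:00:00Z user=bob method=sms result=success '
    'ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/17.5 Safari/605.1.15"',
]

if __name__ == "__main__":
    for user, ts, reason in find_downgrade_alerts(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Run on the sample, the detector raises three alerts for alice (two implausible-UA hits and one downgrade to SMS) and none for bob, whose SMS sign-in from a Mac has no prior FIDO baseline. The detection is a compensating control: the stronger fix is an identity-provider policy that requires phishing-resistant authentication and offers no SMS or push fallback, so the "incompatible browser" prompt never appears.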
Proofpoint notes that once inside, attackers could engage in “data exfiltration and lateral movement within the affected environment.”
Currently, there is no evidence that FIDO downgrade attacks are being used in the wild. Proofpoint suggests this is because many attackers prefer lower-effort, high-success methods targeting accounts with weaker MFA or no MFA at all. Additionally, “creating or adapting a phishlet to facilitate a FIDO downgrade attack requires a deeper understanding and specialized knowledge,” which deters less sophisticated operators.
Still, the company warns that advanced persistent threats (APTs) and technically skilled cybercriminals could adopt this technique as FIDO adoption grows.
As AiTM phishing kits and Phishing-as-a-Service (PhaaS) platforms evolve, Proofpoint expects that downgrade capabilities could be integrated into future toolkits.