New Attack Technique Bypasses FIDO Key Protections Through Cross-Device Phishing

Cybersecurity researchers have identified a sophisticated new phishing method that undermines Fast IDentity Online (FIDO) security by exploiting legitimate features, allowing threat actors to bypass authentication safeguards. This technique, which leverages cross-device sign-in flows, has been seen in the wild and attributed to a group named PoisonSeed.

FIDO keys—widely regarded as a phishing-resistant authentication method—use public-private key cryptography to link user authentication with specific domains. However, attackers have now discovered a way to manipulate FIDO’s cross-device login functionality, which allows users to authenticate on one device using a passkey stored on another, such as a mobile phone.

“The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” explained researchers Ben Nahorney and Brandon Overstreet from cybersecurity firm Expel. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”

The phishing campaign begins with a spoofed email directing users to a fake enterprise login page that closely resembles platforms like Okta. Once the victim enters valid credentials, the phishing site secretly forwards the login attempt to the real authentication portal, triggering the cross-device login process. The legitimate site then generates a QR code for hybrid authentication, which the phishing site captures and displays to the victim. When the user scans the QR code using their mobile authenticator, the attacker gains access to the session.

“The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in,” Expel stated.

This tactic doesn’t exploit a flaw in the FIDO protocol itself, but instead abuses its flexibility. Specifically, attacks are successful when proximity-based verification, like Bluetooth or local device binding, is not enforced. In more secure environments that require physical security keys or on-device authenticators like Face ID, the attack would fail.
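To make the distinction in the previous paragraph concrete on the relying-party side, here is an added example of an authentication-time policy; it is not Expel's code and not any identity provider's API. It assumes the relying party stored each credential's WebAuthn `response.transports` list at registration (values such as `internal`, `usb`, `nfc`, `ble`, `hybrid`) and receives the assertion's `authenticatorAttachment` at login (`platform` when the authenticator is built into the device that ran the sign-in, otherwise `cross-platform`). The cross-device QR-code flow arrives as `cross-platform`, so a phone-held passkey exercised from another device is the combination singled out for step-up or denial; `assess_assertion` and `high_assurance` are names chosen for this example.

```python
"""Relying-party policy for how much to trust one passkey assertion.

Added example, not Expel's code nor any vendor's API. Assumptions:
  * stored_transports: the credential's `response.transports` list recorded
    at registration ("internal", "usb", "nfc", "ble", "hybrid").
  * assertion_attachment: the `authenticatorAttachment` reported with the
    assertion ("platform" or "cross-platform").
Signature, challenge and origin verification are assumed to have already
passed; this only judges the *way* the credential was exercised.
"""

# Transports of roaming hardware keys that must be physically presented to
# the client. "hybrid" is the cross-device (QR code) transport.
PHYSICAL_KEY_TRANSPORTS = {"usb", "nfc", "ble"}


def assess_assertion(stored_transports: set, assertion_attachment: str,
                     high_assurance: bool = False) -> str:
    """Return "allow", "step_up" or "deny" for a cryptographically valid assertion."""
    if assertion_attachment == "platform":
        # Used on the device where the authenticator lives (Face ID, Windows
        # Hello, ...). A relayed QR code is never reported this way.
        return "allow"
    if assertion_attachment != "cross-platform":
        # Missing or unrecognised attachment data: do not guess, ask for more.
        return "step_up"
    if stored_transports & PHYSICAL_KEY_TRANSPORTS:
        # Roaming hardware key presented locally; origin binding holds.
        return "allow"
    if "hybrid" in stored_transports:
        # A passkey that normally lives on a phone was exercised from some
        # other client via the cross-device flow. Legitimate in itself, but
        # this is the flow an AitM page can relay, so it gets extra scrutiny.
        return "deny" if high_assurance else "step_up"
    # Credential registered without usable transport information.
    return "step_up"


def summarise(stored_transports: set, assertion_attachment: str) -> str:
    """Human-readable one-liner for audit logging of the decision."""
    decision = assess_assertion(stored_transports, assertion_attachment)
    return (f"attachment={assertion_attachment} "
            f"transports={sorted(stored_transports)} -> {decision}")


if __name__ == "__main__":
    # Constructed cases: laptop platform passkey, YubiKey, phone passkey used
    # on the phone itself, phone passkey used from another device over QR.
    print(summarise({"internal"}, "platform"))
    print(summarise({"usb", "nfc"}, "cross-platform"))
    print(summarise({"internal", "hybrid"}, "platform"))
    print(summarise({"internal", "hybrid"}, "cross-platform"))
```

The "step_up" outcome is where the article's recommendation to show contextual login information (location, device type) belongs: the user is asked to confirm those details before the session is issued, and for accounts flagged `high_assurance` the cross-device path is simply refused.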

Expel also highlighted a separate incident where an attacker, after compromising an account, enrolled their own FIDO key and reset the password—further compromising security.

Experts recommend organizations enforce device-level validation during authentication, monitor for new passkey registrations, and display contextual login information (e.g., location, device type) during cross-device flows to reduce the risk of deception.
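The "monitor for new passkey registrations" recommendation, and the follow-on incident of an attacker enrolling their own key and resetting the password, can be turned into a simple correlation rule. The following is an added example, not Expel's tooling and not any identity provider's log schema: the JSON-lines events, field names (`ts`, `user`, `event`, `ip`, `detail`), event names and the per-user IP baseline are all constructed for illustration.

```python
"""Correlation rule for attacker-enrolled passkeys in IdP audit logs.

Added example; the log schema, event names and baseline below are constructed.
Rule: a passkey registration is suspicious when it comes from an IP outside
the user's baseline, follows a recent login from an unseen IP, is followed
by a password reset, or was enrolled through the cross-device (hybrid) flow.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: alice's account shows the pattern from the article,
# bob's shows a routine enrolment from his usual address.
SAMPLE_LOG = """\
{"ts": "2025-07-18T08:02:11Z", "user": "alice", "event": "login_success", "ip": "203.0.113.10", "detail": "factor=fido2"}
{"ts": "2025-07-18T08:04:40Z", "user": "alice", "event": "passkey_registered", "ip": "203.0.113.10", "detail": "transports=hybrid"}
{"ts": "2025-07-18T08:06:02Z", "user": "alice", "event": "password_reset", "ip": "203.0.113.10", "detail": ""}
{"ts": "2025-07-18T09:15:00Z", "user": "bob", "event": "login_success", "ip": "198.51.100.7", "detail": "factor=fido2"}
{"ts": "2025-07-18T14:30:00Z", "user": "bob", "event": "passkey_registered", "ip": "198.51.100.7", "detail": "transports=internal"}
"""

# Constructed baseline of addresses each user has signed in from before.
KNOWN_IPS = {"alice": {"192.0.2.25"}, "bob": {"198.51.100.7"}}
LOOKBACK = timedelta(minutes=30)   # login before the registration
LOOKAHEAD = timedelta(minutes=30)  # password reset after the registration


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events: list, known_ips: dict) -> list:
    """Return one alert per passkey registration that matches any indicator."""
    alerts = []
    for reg in events:
        if reg["event"] != "passkey_registered":
            continue
        user = reg["user"]
        baseline = known_ips.get(user, set())
        indicators = []

        def note(text):
            if text not in indicators:
                indicators.append(text)

        if reg["ip"] not in baseline:
            note("enrolment from IP outside user baseline")
        if "transports=hybrid" in reg.get("detail", ""):
            note("credential enrolled via cross-device (hybrid) flow")
        for other in events:
            if other["user"] != user:
                continue
            delta = other["ts"] - reg["ts"]
            if (other["event"] == "login_success" and -LOOKBACK <= delta <= timedelta(0)
                    and other["ip"] not in baseline):
                note("preceded by login from unseen IP")
            if other["event"] == "password_reset" and timedelta(0) <= delta <= LOOKAHEAD:
                note("followed by password reset")

        if indicators:
            alerts.append({
                "user": user,
                "ts": reg["ts"].isoformat(),
                "severity": "high" if len(indicators) >= 3 else "medium",
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(json.dumps(alert, indent=2))
```

In production the baseline would come from the identity provider's own history rather than a dict, and the rule would be one input to a response playbook: revoke the new credential, invalidate sessions, and confirm the enrolment with the user out of band.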

As researchers noted, “AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts.”
