- A new phishing attack method targets FIDO key authentication by exploiting cross-device sign-in features.
- The attack uses fake login pages and QR code relays to trick users into authorizing access for attackers.
- The threat actor, known as PoisonSeed, has leveraged this method in recent campaigns aimed at stealing digital assets.
- This technique does not exploit a protocol flaw in FIDO but downgrades authentication to a method susceptible to phishing when proximity checks are not enforced.
- Security teams are advised to monitor for strange QR code logins, enforce device verification, and use phishing-resistant recovery options.
On July 21, 2025, cybersecurity researchers revealed that attackers have developed a way to bypass protections offered by FIDO authentication keys by taking advantage of a cross-device sign-in feature used in many enterprise login systems. The attack works by tricking users into using their own devices to validate fraudulent login attempts made from spoofed company portals.
According to findings from Expel, the technique centers on phishing emails that direct victims to fake company login pages, such as imitations of the enterprise Okta portal. When users enter their details on these sites, attackers relay the authentication request to the actual login page and trigger a cross-device sign-in, which returns a QR code. This QR code is sent back through the phishing site and presented to the victim, who may scan it using their mobile device, unknowingly allowing the attacker access.
Researchers Ben Nahorney and Brandon Overstreet noted that the method is part of adversary-in-the-middle (AitM) attacks. “The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” they wrote. “However, the bad actors in this case are using this feature in adversary-in-the-middle attacks.” Expel attributes this activity to PoisonSeed, a group known for phishing campaigns that steal credentials and drain victims’ cryptocurrency wallets by distributing fake seed phrases.
The attack specifically targets situations where cross-device sign-in is not protected by strict proximity checks, such as Bluetooth or direct device connection. If hardware security keys are plugged directly into the device or if platform-bound authenticators (like Face ID) are enforced, the attack is ineffective.
Cross-device sign-in, explained by Passkey Central’s guidelines, lets users authenticate on one device by verifying their identity on another device that holds the digital key. Attackers exploit this feature by relaying QR codes quickly from the target system to the victim, who then unwittingly completes the malicious login process.
Expel also reported an incident where an attacker enrolled their own FIDO key after gaining access and resetting a victim’s password. To boost security, organizations are urged to verify the devices used during login, prefer same-device logins, monitor for unusual QR code logins, and use phishing-resistant account recovery. Visible security details such as device information and location can also help users spot suspicious activity.
Researchers emphasized the need for robust, phishing-resistant authentication at every step of user account management to prevent this type of exploitation.
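As an added example (not code from Expel or from this site), a small Python detector over constructed sign-in events that implements two of the checks described above: a cross-device sign-in (WebAuthn transport "hybrid", the QR code flow) arriving from an IP address the user has not used before, and a new authenticator enrolled shortly after a password reset. The event field names, sample events, IP addresses and the 30-minute window are assumptions.

```python
"""Flag risky cross-device (QR/hybrid) passkey sign-ins and post-reset enrollments."""
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not real Okta or Expel log lines).
EVENTS = [
    {"ts": "2025-07-21T09:00:00", "user": "alice", "event": "signin",
     "transport": "internal", "ip": "203.0.113.10"},        # platform passkey, same device
    {"ts": "2025-07-21T09:05:00", "user": "alice", "event": "signin",
     "transport": "hybrid", "ip": "198.51.100.7"},          # QR flow started from unfamiliar IP
    {"ts": "2025-07-21T10:00:00", "user": "bob", "event": "password_reset",
     "ip": "203.0.113.22"},
    {"ts": "2025-07-21T10:03:00", "user": "bob", "event": "authenticator_enrolled",
     "transport": "usb", "ip": "198.51.100.9"},             # new key minutes after reset
    {"ts": "2025-07-21T11:00:00", "user": "carol", "event": "signin",
     "transport": "hybrid", "ip": "203.0.113.30"},          # QR flow from a familiar IP
]

# Assumed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}, "carol": {"203.0.113.30"}}


def find_alerts(events, known_ips, reset_window=timedelta(minutes=30)):
    """Return (user, reason, timestamp) tuples for events worth analyst review."""
    alerts = []
    last_reset = {}  # user -> time of most recent password reset
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ip, ts = e["user"], e["ip"], datetime.fromisoformat(e["ts"])
        familiar = ip in known_ips.get(user, set())
        # In the relayed-QR attack the session is initiated by the attacker's
        # machine, so the sign-in's source IP is theirs, not the victim's.
        if e["event"] == "signin" and e.get("transport") == "hybrid" and not familiar:
            alerts.append((user, "hybrid_signin_unfamiliar_ip", e["ts"]))
        if e["event"] == "password_reset":
            last_reset[user] = ts
        # Attacker enrolling their own key right after a reset, as in the Expel incident.
        if e["event"] == "authenticator_enrolled":
            reset_at = last_reset.get(user)
            if reset_at is not None and ts - reset_at <= reset_window:
                alerts.append((user, "enrollment_after_reset", e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS, KNOWN_IPS):
        print(alert)
```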
