“PoisonSeed” attack does not bypass hardware MFA
A recent report that appeared to demonstrate a new kind of attack able to bypass Fast Identity Online Alliance (FIDO) hardware multi-factor authentication (MFA) has turned out to be more benign than it first appeared.
[Image: Yubico YubiKey 5CI. Credit: Supplied]
United States-based security vendor Expel outlined the “PoisonSeed” attack, which used a convoluted man-in-the-middle social engineering technique to allegedly bypass FIDO hardware keys.
FIDO hardware keys are considered the gold standard in phishing resistance, and an attack that could successfully bypass them would cause considerable consternation in the security industry.
As it happens, “PoisonSeed” does not bypass hardware authentication keys, security vendor Yubico told iTNews.
“The research from Expel does not demonstrate a flaw in the design of passkeys, and is not a bypass of FIDO security keys,” a Yubico spokesperson said.
“It outlines an attack method where any chosen delegated backup authentication method that is inherently phishable – such as an authenticator app leveraging QR codes – could be intercepted,” the spokesperson added.
Yubico recommends that users carefully consider all authentication flows in any identity ecosystem.
This includes using phishing-resistant authentication at all steps in an account lifecycle, including the recovery flows discussed in the Expel blog, given they are a common attack vector, the spokesperson explained.
“This also highlights the need for applications to offer the ability to disable other phishable MFA options, and require FIDO security keys or FIDO-based authentication only,” the spokesperson added.
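The downgrade that Yubico describes can be checked mechanically: an account is only as strong as the weakest login or recovery alternative its policy still allows. The following policy checker is an added example, not code from iTNews, Yubico or Expel; the method names and the two sample policies are constructed for illustration.

```python
# Added example (not from the article, Yubico or Expel): a small policy checker
# for MFA downgrade paths. A method counts as phishing-resistant only if it is
# origin-bound (FIDO/WebAuthn); anything a man-in-the-middle page can relay
# (TOTP, push, QR-code login, emailed links) is treated as phishable.
# Method names below are assumed labels, not any vendor's identifiers.
from dataclasses import dataclass, field

PHISHING_RESISTANT = {"fido_security_key", "platform_passkey"}


@dataclass
class Flow:
    """One step in the account lifecycle. `options` lists the alternative ways a
    user may complete the step; each alternative is the set of methods that must
    ALL be presented (so {"password", "totp"} means password plus TOTP)."""
    name: str
    options: list[frozenset[str]] = field(default_factory=list)


def phishable_alternatives(flow: Flow) -> list[frozenset[str]]:
    """Alternatives an attacker can complete with phished factors alone, i.e.
    those containing no phishing-resistant method. A non-empty result means the
    step can be downgraded even though a FIDO key is also enrolled."""
    return [alt for alt in flow.options if not (alt & PHISHING_RESISTANT)]


def downgrade_paths(flows: list[Flow]) -> dict[str, list[frozenset[str]]]:
    """Map each flow name to its phishable alternatives. An empty dict means every
    step in the lifecycle, recovery included, requires a phishing-resistant factor."""
    result = {}
    for flow in flows:
        weak = phishable_alternatives(flow)
        if weak:
            result[flow.name] = weak
    return result


# Constructed weak configuration: a FIDO key is enrolled, but a QR-code
# authenticator app remains as a login fallback and recovery uses an emailed link.
WEAK_POLICY = [
    Flow("login", [frozenset({"password", "fido_security_key"}),
                   frozenset({"password", "qr_code_authenticator_app"})]),
    Flow("recovery", [frozenset({"email_link"})]),
]

# Constructed hardened configuration: phishable fallbacks disabled, and recovery
# requires a second registered security key or a platform passkey instead.
HARDENED_POLICY = [
    Flow("login", [frozenset({"password", "fido_security_key"})]),
    Flow("recovery", [frozenset({"fido_security_key"}), frozenset({"platform_passkey"})]),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, downgrade_paths(policy) or "no downgrade path")
```

Run against the weak policy it reports both the QR-code login fallback and the email-link recovery step; against the hardened policy it reports nothing.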
After publication of its report, Expel confirmed to United States media that the attack is in fact an MFA downgrade, and not a bypass. Expel has since updated its blog post to reflect this.
The FIDO Alliance was contacted for comment but did not respond in time for publication.