Cybersecurity researchers have discovered a novel attack technique that allows threat actors to downgrade Fast IDentity Online (FIDO) key protections. The attackers deceive users into approving authentication requests from spoofed company login portals by exploiting a legitimate feature, cross-device sign-in. The method does not work in all scenarios; it specifically targets users authenticating via Bluetooth or local device attestation.
The attack chain begins with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise's Okta portal. Once victims enter their credentials, the phishing infrastructure relays the sign-in information to the real login page, which responds with a cross-device sign-in QR code that the fake page then shows to the victim. If the user scans that QR code with their MFA authenticator, the FIDO ceremony completes for the attacker's session and grants them unauthorized access.
FIDO2 keys are designed to resist phishing, but their cross-device login flow, known as hybrid transport, can be misused if proximity verification such as Bluetooth is not enforced. Attackers can intercept and relay the QR code in real time via a phishing site, tricking users into approving an authentication that was initiated on a spoofed domain.
To protect user accounts, organizations should pair FIDO2 authentication with checks that verify the device being used. Logins should take place on the same device that holds the passkey, which removes the relayable QR step and limits phishing risk. Security teams should watch for unusual QR code (cross-device) logins and for new passkey enrollments that follow them, and should use phishing-resistant methods for account recovery as well.
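A detection sketch for the monitoring advice above, added here as an illustration and not taken from the article or any vendor's product: it walks constructed sign-in events (the event names, fields, users and IP addresses are assumed for the example, not Okta's real log schema) and flags hybrid-transport FIDO verifications from an IP never seen for that user, plus passkey enrollments that follow such a login within a short window.

```python
"""Flag cross-device (hybrid transport) FIDO sign-ins and follow-on passkey enrollments.

Constructed log schema (assumed for this example, not a real IdP format):
each event has ts (UTC, ISO 8601), user, event, ip and, for WebAuthn
verifications, the transport reported for the authenticator.
"""
from datetime import datetime, timedelta

# Constructed sample events: a same-device (internal transport) login for
# alice, then a relayed cross-device login for bob from an IP that bob has
# never used, followed minutes later by a new passkey enrollment.
SAMPLE_EVENTS = [
    {"ts": "2025-07-21T09:00:00Z", "user": "alice", "event": "password_verify", "ip": "203.0.113.10"},
    {"ts": "2025-07-21T09:00:05Z", "user": "alice", "event": "webauthn_verify", "ip": "203.0.113.10", "transport": "internal"},
    {"ts": "2025-07-21T10:12:00Z", "user": "bob", "event": "password_verify", "ip": "198.51.100.7"},
    {"ts": "2025-07-21T10:12:40Z", "user": "bob", "event": "webauthn_verify", "ip": "198.51.100.7", "transport": "hybrid"},
    {"ts": "2025-07-21T10:15:00Z", "user": "bob", "event": "passkey_enroll", "ip": "198.51.100.7"},
]

# Constructed baseline: IPs each user has signed in from before.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}

ENROLL_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious(events, known_ips, enroll_window=ENROLL_WINDOW, allow_hybrid=True):
    """Return (user, reason) alerts. With allow_hybrid=False every hybrid-transport
    login is flagged, which matches a policy that only permits same-device passkeys."""
    alerts = []
    flagged_at = {}  # user -> timestamp of the flagged cross-device login
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        user, ip, ts = e["user"], e["ip"], parse_ts(e["ts"])
        if e["event"] == "webauthn_verify" and e.get("transport") == "hybrid":
            # A QR-code (cross-device) ceremony: the client that started it is the
            # one the IdP sees, so an unfamiliar IP is the relay indicator.
            if not allow_hybrid or ip not in known_ips.get(user, set()):
                alerts.append((user, "hybrid-transport FIDO login from unfamiliar IP %s" % ip))
                flagged_at[user] = ts
        elif e["event"] == "passkey_enroll":
            # A new passkey shortly after a suspicious login is how access gets persisted.
            started = flagged_at.get(user)
            if started is not None and ts - started <= enroll_window:
                alerts.append((user, "new passkey enrolled %d s after suspicious cross-device login"
                               % int((ts - started).total_seconds())))
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious(SAMPLE_EVENTS, KNOWN_IPS):
        print(user, reason)
```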
Source: https://thehackernews.com/2025/07/poisonseed-hackers-bypass-fido-keys.html