FIDO-based passkeys (hardware security keys, device authenticators unlocked with a biometric or PIN, and other “passwordless” logins) are considered one of the best defenses against phishing and account takeover. They are strong because there is no password or one-time code for a phishing page to capture: the credential stays on your device and is only used with the genuine site it was registered for.
But researchers at Proofpoint have found a new trick called a “downgrade attack.” Here’s how it works:
- Attackers use phishing kits that steer you away from the FIDO login and onto a weaker method, such as a one-time code or a password.
- For example, you might get an error on a login page and be asked to “try a different authentication method.”
- If you fall for it and use something less secure (like an SMS code or an app prompt), the attacker can intercept that login, since codes and approvals can be relayed in a way a passkey cannot, and take over your account.
- These attacks haven’t shown up much in the real world yet. Most cybercriminals still go after users with weak or no multi-factor authentication, simply because it’s easier.
What You Should Know:
- FIDO is still a great way to secure your accounts, but no system is perfect.
- Attackers keep looking for ways around strong security, so it’s important to stay up to date.
- Solutions that completely remove shareable secrets (like passwords, codes, even helpdesk resets) are becoming the best way to lock down your accounts.
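To make the downgrade problem and the zero-shareable-secrets fix concrete, here is a small login-method policy written for this post. It is an added illustration, not Proofpoint's research code and not any vendor's product; the method names, the hypothetical identity-provider data model, and the `strict` switch are all assumptions. The point it shows: once an account has a passkey enrolled, a server that keeps offering SMS, push or TOTP as a fallback is exactly what a downgrade attack needs, and the client's claim that “FIDO is unsupported here” must not be what decides which methods are offered.

```python
"""Login-method policy that refuses to downgrade passkey-enrolled accounts.

Added example for this post (hypothetical identity provider, not real product code).
"""
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    FIDO = "fido"          # passkey or hardware security key (not phishable)
    TOTP = "totp"          # authenticator-app code
    PUSH = "push"          # app prompt / push approval
    SMS = "sms"            # text-message code
    PASSWORD = "password"


# "Shareable secrets": anything a user can read out, type into a fake page,
# or approve by mistake. These are what a downgrade attack tries to fall back to.
SHAREABLE = {Method.TOTP, Method.PUSH, Method.SMS, Method.PASSWORD}

# Fixed order in which a login page would list methods (assumed UI convention).
DISPLAY_ORDER = [Method.FIDO, Method.TOTP, Method.PUSH, Method.SMS, Method.PASSWORD]


@dataclass
class Account:
    user: str
    registered: set          # set of Method values enrolled for this account


@dataclass
class LoginAttempt:
    user: str
    method: Method
    client_says_fido_unsupported: bool  # the "try a different method" signal
    device_known: bool                  # has this device/cookie been seen before?


@dataclass
class Decision:
    allow: bool
    reason: str
    alert: bool = False      # True = worth an audit-log entry / SOC alert


def has_passkey(account: Account) -> bool:
    return Method.FIDO in account.registered


def offered_methods(account: Account, client_says_fido_unsupported: bool,
                    strict: bool = True) -> list:
    """Which methods the login page should present to this user.

    strict=True is the zero-shareable-secrets stance: once a passkey is enrolled,
    only the passkey is offered, regardless of what the client claims about support.
    With strict=False the page lists every enrolled method, which is the
    configuration a downgrade attack relies on.
    """
    if has_passkey(account) and strict:
        return [Method.FIDO]
    return [m for m in DISPLAY_ORDER if m in account.registered]


def evaluate(account: Account, attempt: LoginAttempt, strict: bool = True) -> Decision:
    """Decide whether a given authentication attempt may proceed."""
    if attempt.user != account.user:
        return Decision(False, "user mismatch")
    if attempt.method not in account.registered:
        return Decision(False, "method not registered for this account")
    if attempt.method is Method.FIDO:
        return Decision(True, "passkey assertion")
    if not has_passkey(account):
        # Nothing stronger to downgrade from; allowed, but this account is weakly protected.
        return Decision(True, "no passkey enrolled; shareable secret accepted")

    # A passkey-enrolled account is asking for a shareable secret: the downgrade case.
    note = " (client claimed FIDO unsupported)" if attempt.client_says_fido_unsupported else ""
    if strict:
        return Decision(False, "downgrade blocked: passkey enrolled" + note, alert=True)
    if not attempt.device_known:
        return Decision(False, "downgrade refused from unknown device" + note, alert=True)
    # Lenient mode still records the event so the pattern is visible in logs.
    return Decision(True, "downgrade allowed from known device" + note, alert=True)


if __name__ == "__main__":
    # Constructed sample data.
    alice = Account("alice", {Method.FIDO, Method.SMS})
    attempt = LoginAttempt("alice", Method.SMS,
                           client_says_fido_unsupported=True, device_known=False)
    print("offered (strict):", offered_methods(alice, True))
    print("offered (lenient):", offered_methods(alice, True, strict=False))
    print("strict:", evaluate(alice, attempt))
    print("lenient:", evaluate(alice, attempt, strict=False))
```

The `strict` path is the one the post recommends: the fallback simply does not exist, so the “try a different authentication method” error has nothing to push the user toward. The lenient path shows the minimum a defender should do if fallbacks must stay enabled, which is to refuse them from unrecognised devices and to alert on every downgrade request for a passkey-enrolled account.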
The Bottom Line:
If you’re using FIDO or passwordless authentication, you’re ahead of most attackers—but always be alert for login tricks and unusual error messages. And, whenever possible, choose options that don’t depend on anything you could accidentally share or be tricked into giving away.
In other words, opt for authentication that uses Zero Shareable Secrets.
Better authentication isn’t just about being more technical. It’s about being harder to phish!
For more information about Phish-Proof Enterprise Login, contact us any time.