Entra ID: New Downgrade Attack Bypasses FIDO Authentication

New Entra ID Attack Bypasses FIDO MFA: How to Protect Your Organization

Even the most robust security measures can face new and unexpected challenges. Security researchers have recently identified a sophisticated vulnerability within Microsoft Entra ID (formerly Azure Active Directory) that allows attackers to bypass phishing-resistant multi-factor authentication (MFA), including FIDO2 security keys.

This new method, known as a downgrade attack, poses a significant risk to organizations that rely on Entra ID and FIDO for their highest level of security. Understanding how this attack works and what steps to take is critical for protecting your digital assets and user accounts from compromise.

How the Entra ID Downgrade Attack Works

FIDO2 security keys are widely considered the gold standard for MFA because they are designed to be resistant to phishing. Unlike one-time codes, a FIDO key requires physical interaction and cryptographically verifies that the user is on the legitimate website, not a phishing page. However, this new attack cleverly sidesteps the FIDO challenge altogether.

The attack unfolds by exploiting the way Entra ID handles different MFA options. Here’s a simplified breakdown:

  1. Initial Deception: A threat actor with stolen user credentials (like a username and password) initiates a login attempt.
  2. Intercept and Manipulate: During the authentication process, the attacker intercepts the communication between the user’s browser and Entra ID. They manipulate the traffic to falsely report that the user’s browser or device does not support FIDO/WebAuthn.
  3. The “Downgrade”: Upon receiving this false information, Entra ID believes it cannot offer the FIDO prompt. Instead, it “downgrades” the authentication challenge to the next available, less secure MFA method enabled for that user.
  4. Phishing the Weaker Link: This downgraded method is often an authenticator app push notification, an SMS code, or a voice call—all of which are vulnerable to traditional phishing tactics. The attacker can then trick the user into approving the push notification or handing over the code, granting the attacker full access to the account.

The core of the issue is that the system is tricked into offering a weaker security option, completely bypassing the phishing-resistant FIDO key that was intended to protect the account.

Why This Is a Serious Threat

This vulnerability is particularly dangerous because it undermines the very foundation of phishing-resistant security strategies. Organizations invest heavily in FIDO2 hardware keys and advanced MFA solutions specifically to eliminate the risk of credential phishing.

This attack demonstrates that simply having FIDO enabled is not enough. If weaker MFA methods are available as a fallback, they can become the weakest link that a determined attacker will exploit. This can lead directly to unauthorized access, data breaches, and complete account takeovers.

Are You at Risk?

Your organization may be vulnerable to this downgrade attack if you meet the following conditions:

  • You use Microsoft Entra ID as your identity provider.
  • You have FIDO2 security keys enabled for your users.
  • You also have weaker, phishable MFA methods (such as SMS, voice, or standard authenticator app notifications) configured as alternative options for the same users.

If your configuration allows a user to choose between FIDO and a less secure method, you are susceptible to this attack vector.

Actionable Steps to Mitigate the FIDO Downgrade Attack

Protecting your organization requires a proactive approach focused on enforcing your strongest authentication methods. Simply having them available is not sufficient; you must mandate their use.

Here are the critical steps you should take immediately:

  1. Enforce Phishing-Resistant MFA with Conditional Access Policies: The most effective defense is to use Entra ID’s Conditional Access Policies (CAPs). Configure your policies to require phishing-resistant authentication strength for critical applications and sensitive user roles. This setting explicitly forces the use of FIDO2, Windows Hello for Business, or certificate-based authentication, preventing Entra ID from downgrading to a weaker method.

  2. Review and Phase Out Weaker MFA Methods: Conduct a thorough audit of the authentication methods enabled in your tenant. Develop a plan to phase out SMS and voice-based MFA entirely, as they are the least secure options. While authenticator apps are better, prioritize the adoption of truly phishing-resistant methods across your organization.

  3. Segment Policies for Different User Groups: You may not be able to deploy FIDO to every user overnight. Use granular Conditional Access Policies to enforce the strictest authentication requirements for your most privileged users first, such as administrators, executives, and developers.

  4. Monitor Entra ID Sign-in Logs: Keep a close eye on your sign-in logs for suspicious activity. Look for patterns like multiple failed MFA attempts followed by a successful login from an unfamiliar location or device. Unusual MFA challenges could be an indicator of an attempted downgrade attack.
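As an added example (not code from the article or from Microsoft), the log-review logic behind step 4: given sign-in records shaped like the Microsoft Graph signIn resource, a list of FIDO2-enrolled users and the source IPs they usually sign in from, it flags successful sign-ins in which such a user's MFA step was satisfied by a phishable method rather than the key. The method name strings, users, IPs and records are all constructed assumptions.

```python
"""Flag Entra ID sign-ins where a FIDO2-enrolled user completed MFA with a phishable
method. Fields follow the Microsoft Graph signIn resource; all sample data is constructed."""

# Method names mirror the authenticationMethod strings Entra reports (assumed values).
PHISHABLE = {"Text message", "Phone call", "Mobile app notification", "Mobile app verification code"}
PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business", "Certificate-based authentication"}

# Users known to hold a FIDO2 key (from method registration) and their usual IPs; constructed.
FIDO_USERS = {"alice@contoso.example"}
KNOWN_IPS = {"alice@contoso.example": {"203.0.113.10"}}

SAMPLE_EVENTS = [  # constructed signIn records: one clean FIDO2 login, one downgrade, one failure, one non-FIDO user
    {"id": "evt-1", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}, "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "FIDO2 security key", "succeeded": True}]},
    {"id": "evt-2", "userPrincipalName": "Alice@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}, "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"id": "evt-3", "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 500121}, "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Text message", "succeeded": False}]},
    {"id": "evt-4", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.9",
     "status": {"errorCode": 0}, "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Text message", "succeeded": True}]},
]

def mfa_methods(event):
    """Second-factor methods that succeeded in this sign-in (the password step is excluded)."""
    return {d["authenticationMethod"] for d in event.get("authenticationDetails", [])
            if d.get("succeeded") and d["authenticationMethod"] != "Password"}

def find_downgrades(events, fido_users, known_ips):
    """Return successful sign-ins by FIDO2-enrolled users whose MFA step was satisfied
    by a phishable method, noting whether the source IP is unfamiliar for that user."""
    findings = []
    for e in events:
        upn = e["userPrincipalName"].lower()
        if upn not in fido_users or e["status"]["errorCode"] != 0:
            continue  # not a FIDO2 user, or the sign-in did not succeed
        used = mfa_methods(e)
        if used & PHISHING_RESISTANT or not (used & PHISHABLE):
            continue  # the strong method was used, or no phishable factor appears
        findings.append({"id": e["id"], "user": upn, "methods": sorted(used & PHISHABLE),
                         "unfamiliar_ip": e["ipAddress"] not in known_ips.get(upn, set())})
    return findings
```

In a live tenant the same logic runs over the Graph sign-in export, with FIDO_USERS built from the tenant's registered authentication methods; a hit is a prompt to check the user's Conditional Access coverage, not proof of compromise.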

Staying ahead of evolving cyber threats requires constant vigilance and a commitment to implementing security best practices. By hardening your Conditional Access Policies and prioritizing truly phishing-resistant MFA, you can close this critical security gap and ensure your organization remains secure.

Source: https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
