Stratos Ally

FIDO2 Under Fire: QR Code Relay Trick Circumvents Secure Authentication 


StratosAlly


Cybersecurity researchers have exposed a deceptive phishing method that abuses the cross-device sign-in feature of FIDO authentication. FIDO authenticators use public-key cryptography and bind each credential to the origin that registered it, which normally stops phishing: a look-alike domain cannot obtain a valid assertion. Attackers from a group known as PoisonSeed, however, bypass this protection without attacking the protocol itself by relaying the legitimate cross-device login to the victim.

The campaign starts with phishing emails that direct users to fake login portals resembling enterprise platforms like Okta. Once victims enter their credentials, the malicious site forwards them to the legitimate sign-in service and starts a cross-device (QR code) passkey login, receiving the QR code the real service generates. That QR code is displayed back to the victim on the spoofed page. If the victim scans it with the authenticator on their phone, the login completes in the attacker's browser session and access is silently granted to the attacker.

This technique works only when proximity checks are not enforced. Flows that enforce the Bluetooth proximity check of the cross-device protocol, or that use platform authenticators (for example a biometric unlock bound to the device running the browser), are immune. But when users authenticate across separate devices without strict validation, attackers can hijack sessions in real time.

Researchers observed that PoisonSeed actors used unauthorized access to customer engagement systems and large-scale email platforms to send deceptive messages containing recovery phrases for digital wallets, enabling the theft of crypto holdings. In certain intrusions, the threat group secured persistence by registering new FIDO authenticators after gaining control of user accounts and initiating password resets.

To counter this tactic, relying parties should enforce proximity checks during authentication, preferably requiring the same device to handle both the login and the passkey. Defensive teams must stay alert to irregular QR code-based (cross-device) sign-ins and any unfamiliar authenticator enrollments, particularly those that follow a password reset. Adding contextual indicators, such as device origin or geolocation, to login prompts can further help users detect suspicious behavior.
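The two monitoring signals recommended above (cross-device sign-ins from unexpected locations, and new FIDO authenticator enrollments shortly after a password reset or a suspicious sign-in) and the same-device policy from the previous section can be turned into simple detection rules. The following is an added example, not code from the article or from any vendor: it runs three rules over constructed, simplified identity-provider events. The field names (`ts`, `user`, `event`, `transport`, `country`), the event names, the per-user baseline countries and the 30-minute window are all assumptions; a real deployment would map them onto its own IdP system log schema.

```python
"""Detection pass over constructed IdP sign-in events.

Rule 1: cross-device ("hybrid", i.e. QR code) sign-in whose requesting browser
        is outside the user's baseline country. In the relay attack the
        attacker's browser, not the victim's, completes the login, so the
        location of the requesting client is the tell.
Rule 2: new FIDO authenticator enrolled within a short window of a password
        reset or of a Rule 1 hit for the same user (persistence attempt).
Rule 3: a user whose policy requires a same-device (platform) authenticator
        must never appear with transport "hybrid".

All records, field names and thresholds below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed per-user baseline country (e.g. derived from 30 days of history).
BASELINE_COUNTRY = {"alice": "DE", "bob": "US"}
# Constructed policy: users for whom cross-device sign-in is forbidden.
SAME_DEVICE_POLICY = {"alice"}
ENROLL_WINDOW = timedelta(minutes=30)

# Constructed events, sorted by time. transport "hybrid" = cross-device (QR),
# "internal" = platform authenticator on the same device, "usb" = roaming key.
EVENTS = [
    {"ts": "2025-07-18T09:00:00", "user": "alice", "event": "auth_via_fido",
     "transport": "internal", "country": "DE"},
    {"ts": "2025-07-18T09:05:00", "user": "bob", "event": "auth_via_fido",
     "transport": "hybrid", "country": "US"},
    {"ts": "2025-07-18T10:12:00", "user": "alice", "event": "auth_via_fido",
     "transport": "hybrid", "country": "NG"},
    {"ts": "2025-07-18T10:14:00", "user": "alice", "event": "password_reset",
     "transport": None, "country": "NG"},
    {"ts": "2025-07-18T10:16:00", "user": "alice", "event": "fido_factor_enroll",
     "transport": "usb", "country": "NG"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_unusual_hybrid(event, baseline):
    return (event["event"] == "auth_via_fido"
            and event["transport"] == "hybrid"
            and event["country"] != baseline.get(event["user"]))


def flag_cross_device_sign_ins(events, baseline=BASELINE_COUNTRY):
    """Rule 1: hybrid sign-ins from outside the user's baseline country."""
    return [(e["ts"], e["user"], "hybrid sign-in outside baseline country")
            for e in events if _is_unusual_hybrid(e, baseline)]


def flag_post_compromise_enrollments(events, window=ENROLL_WINDOW,
                                     baseline=BASELINE_COUNTRY):
    """Rule 2: FIDO enrollment within `window` after a reset or a Rule 1 hit."""
    triggers = {}  # user -> list of trigger timestamps
    for e in events:
        if e["event"] == "password_reset" or _is_unusual_hybrid(e, baseline):
            triggers.setdefault(e["user"], []).append(_ts(e))

    alerts = []
    for e in events:
        if e["event"] != "fido_factor_enroll":
            continue
        enrolled_at = _ts(e)
        # One alert per enrollment, even if several triggers precede it.
        if any(timedelta(0) <= enrolled_at - t <= window
               for t in triggers.get(e["user"], [])):
            alerts.append((e["ts"], e["user"],
                           "FIDO authenticator enrolled shortly after reset/suspicious sign-in"))
    return alerts


def policy_violations(events, policy_users=SAME_DEVICE_POLICY):
    """Rule 3: hybrid transport used by a user under a same-device policy."""
    return [(e["ts"], e["user"], "hybrid transport despite same-device policy")
            for e in events
            if e["user"] in policy_users
            and e["event"] == "auth_via_fido" and e["transport"] == "hybrid"]


def run(events=EVENTS):
    """Apply all three rules and return the combined alert list."""
    return (flag_cross_device_sign_ins(events)
            + flag_post_compromise_enrollments(events)
            + policy_violations(events))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

Note that Bob's cross-device sign-in is not flagged: it came from his baseline country and he is not under the same-device policy. Rule 1 alone would also miss a relay attacker operating from the victim's own country, which is why Rule 2 (enrollment after reset) and, where feasible, the policy in Rule 3 matter more than geolocation.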

The findings stress the need for phishing-resistant methods at every stage of authentication and account recovery. Without context-aware enforcement, even secure login protocols like FIDO2 can be undermined through social engineering.
