Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.
FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. In this case, attackers exploit a legitimate feature—cross-device sign-in—to trick victims into unknowingly authenticating malicious sessions.
The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims’ digital wallets.
“The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” researchers Ben Nahorney and Brandon Overstreet said. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”
This technique doesn’t work in all scenarios. It specifically targets users authenticating via cross-device flows that don’t enforce strict proximity checks—such as Bluetooth or local device attestation. If a user’s environment mandates hardware security keys plugged directly into the login device, or uses platform-bound authenticators (like Face ID tied to the browser context), the attack chain breaks.
Cross-device sign-in allows users to sign-in on a device that does not have a passkey using a second device that does hold the cryptographic key, such as a mobile phone.
The attack chain documented by Expel commences with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise’s Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.
The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that’s subsequently sent back to the phishing site and presented to the victim.
Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim’s account.
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in,” Expel said.
“The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.”
What makes the attack noteworthy is that it bypasses protections offered by FIDO keys and enables threat actors to obtain access to users’ accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.
While FIDO2 is designed to resist phishing, its cross-device login flow—known as hybrid transport—can be misused if proximity verification like Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.
However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole—not due to a protocol flaw, but due to its flexible implementation.
Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user’s password.
To better protect user accounts, organizations should pair FIDO2 authentication with checks that verify the device being used. When possible, logins should happen on the same device holding the passkey, which limits phishing risk. Security teams should watch for unusual QR code logins or new passkey enrollments. Account recovery options should use phishing-resistant methods, and login screens—especially for cross-device sign-ins—should show helpful details like location, device type, or clear warnings to help users spot suspicious activity.
If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that’s susceptible to phishing can undermine the entire identity infrastructure.
“AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts,” the researchers added.
