TL;DR:
A phishing campaign called PoisonSeed is targeting users of FIDO2 multi-factor authentication—not by breaking it, but by downgrading it. Attackers present fake login pages that don’t support FIDO2, tricking users into using fallback methods like one-time passcodes, which can be intercepted. FIDO2 remains secure, but the attack highlights the need to disable legacy authentication paths and ensure FIDO is enforced end-to-end.
Transcript
A report released by Expel, a cybersecurity company, has uncovered a sophisticated phishing campaign targeting users of FIDO2 multi-factor authentication. Instead of directly attacking the FIDO keys—which are built to resist phishing—a threat actor known as “PoisonSeed” has been credited with tricking users into authenticating with legacy methods, such as one-time passcodes, by directing them to fake login pages that don’t support FIDO.
Before we continue with the story, let’s clarify what FIDO2 is.
If you’re unfamiliar, FIDO2 is considered the gold standard in phishing-resistant authentication. It replaces passwords with cryptographic keys stored on hardware devices—like security keys or trusted platform modules—that are bound to a specific website. This means that even if a user is tricked into clicking a phishing link, the key won’t authenticate unless it matches the correct domain. That’s why this news is so surprising: FIDO2 was designed to stop exactly this kind of attack.
The trick?
Attackers make the user believe they’re going through a secure login process, but behind the scenes, the FIDO authentication path has been stripped out and replaced with legacy methods that can be intercepted. Once the user enters a time-based code or password, attackers capture that data in real time and use it to log into legitimate services—effectively defeating the spirit, though not the architecture, of FIDO.
So, what’s the big takeaway?
First: FIDO itself hasn’t been cracked. But trust chains are being manipulated. This means enterprise security teams can’t afford to rely solely on FIDO deployment—they must ensure it’s enforced end-to-end. That includes disabling fallback methods like SMS or TOTP wherever possible.
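To make the two mechanisms concrete, here is an added, constructed example (not code from Expel's report or from any WebAuthn library) of what a relying party does on its side. The first function shows the origin binding described earlier: the authenticator signs over a clientDataJSON that names the page origin, so an assertion produced on a lookalike domain carries the wrong origin and is rejected. The second function is the end-to-end policy point: once a user holds a FIDO credential, a request to fall back to a time-based code is refused unless the operator has explicitly left that legacy path open. The RP ID, origins, user records and challenge values are all assumptions made up for the example, and the signature verification over authenticatorData and the clientDataJSON hash that a real server also performs is deliberately left out.

```python
"""Constructed relying-party checks for FIDO2 origin binding and
legacy-fallback enforcement. Illustrative only; not a WebAuthn library."""
import base64
import json
from dataclasses import dataclass, field

# Assumed relying-party identity and the only origin allowed to sign in.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


@dataclass
class User:
    name: str
    fido_credential_ids: set = field(default_factory=set)
    totp_enrolled: bool = False


def make_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> str:
    """Build a base64url clientDataJSON the way a browser would for a
    given page origin (constructed sample input for the example)."""
    raw = json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_client_data(client_data_b64: str) -> dict:
    """Decode base64url clientDataJSON, restoring the stripped padding."""
    padded = client_data_b64 + "=" * (-len(client_data_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def verify_assertion_origin(client_data_b64: str, expected_challenge: str) -> bool:
    """Accept an assertion only if it is a 'get' ceremony, answers the
    challenge this server issued, and was produced on an allowed origin.
    A phishing page on another domain yields a different origin here.
    (Real servers additionally verify the signature over
    authenticatorData || SHA-256(clientDataJSON); omitted in this example.)"""
    data = decode_client_data(client_data_b64)
    return (
        data.get("type") == "webauthn.get"
        and data.get("challenge") == expected_challenge
        and data.get("origin") in ALLOWED_ORIGINS
    )


def choose_second_factor(user: User, requested: str, allow_legacy_fallback: bool) -> str:
    """Policy decision for the second factor.

    Returns the method the server will run, or "denied".  A user who has
    registered a FIDO credential is held to FIDO unless the operator has
    explicitly allowed legacy fallback; that fallback is the path a
    downgrade phishing flow depends on, so the default is to refuse it."""
    if user.fido_credential_ids:
        if requested == "fido":
            return "fido"
        if allow_legacy_fallback and requested == "totp" and user.totp_enrolled:
            return "totp"
        return "denied"
    # Users with no FIDO credential yet may still use TOTP if enrolled.
    if requested == "totp" and user.totp_enrolled:
        return "totp"
    return "denied"


if __name__ == "__main__":
    challenge = "c3RhdGljLWNoYWxsZW5nZQ"  # constructed; real ones are random per ceremony
    good = make_client_data("https://login.example.com", challenge)
    bad = make_client_data("https://login.example.com.evil.test", challenge)
    print("genuine origin accepted:", verify_assertion_origin(good, challenge))
    print("lookalike origin accepted:", verify_assertion_origin(bad, challenge))
    alice = User("alice", {"cred-1"}, totp_enrolled=True)
    print("alice -> totp, fallback disabled:", choose_second_factor(alice, "totp", False))
    print("alice -> totp, fallback enabled:", choose_second_factor(alice, "totp", True))
```

The policy function is where "enforced end-to-end" lives: leaving `allow_legacy_fallback` on for users who already hold a FIDO credential is exactly the gap the campaign exploits, so the default should be off and any exception logged and time-limited.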
Second: PoisonSeed exposes a common blind spot—user experience mismatches. If a user sees a login flow that doesn’t support FIDO, do they know what to do? Do they even notice?
Global implications? Absolutely. While the campaign has targeted users in multiple regions, the lesson for Australian organisations is urgent: if you’re rolling out phishing-resistant MFA, you must also lock down legacy options and educate users on what “secure” should look like.
One final point: Password managers—especially those with phishing detection—can help mitigate these attacks by identifying mismatched URLs and injecting credentials only on verified sites. They’re not a silver bullet, but they’re a layer of defence worth enabling.
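The URL-matching behaviour that makes a password manager useful here is small enough to show in full. This is an added, constructed example, not the code of any particular password manager: it decides whether a saved credential may be filled on the current page by normalising both hostnames and requiring an exact match or a subdomain of the saved host, and it refuses to fill over plain HTTP. The saved and page URLs are made up for the example. The check is deliberately stricter than the registrable-domain (eTLD+1) matching some managers use, which avoids needing the public suffix list.

```python
"""Constructed example of the domain-matching rule a password manager
applies before filling a saved credential. Not any vendor's code."""
from typing import Optional
from urllib.parse import urlsplit


def normalized_host(url: str) -> Optional[str]:
    """Return a lowercase hostname without userinfo, port or trailing dot,
    or None if the page is not served over HTTPS or has no host.
    urlsplit().hostname already drops the 'user@' part, so a URL such as
    https://login.example.com@evil.test/ resolves to evil.test."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only when the page host equals the saved host or is one of its
    subdomains. Appending the saved host as a prefix (login.example.com.evil.test)
    fails the suffix test, which is how mismatched lookalike pages are caught."""
    saved = normalized_host(saved_url)
    page = normalized_host(page_url)
    if saved is None or page is None:
        return False
    return page == saved or page.endswith("." + saved)


if __name__ == "__main__":
    saved = "https://login.example.com/"  # constructed saved entry
    for page in (
        "https://login.example.com/auth?step=2",
        "https://login.example.com.evil.test/auth",
        "https://login.example.com@evil.test/auth",
        "http://login.example.com/auth",
    ):
        print(f"{page:55} fill={should_autofill(saved, page)}")
```

A manager that only fills on a matching host gives the user a concrete signal: if the credential does not appear on a page that looks like the real login, the page is not the real login, which is the kind of mismatch the transcript says users otherwise fail to notice.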
Thanks for listening. This podcast was produced by a human and narrated by me, an AI. If you found it useful, follow and share. Full links and resources at Coffeehouse.studio or in the show notes.