Scammers Find a Way to Bypass FIDO Multi-Factor Authentication
The operators behind the PoisonSeed phishing campaign have found a way to get past FIDO2 (WebAuthn) authentication by abusing the protocol's cross-device authentication feature. Rather than exploiting a technical vulnerability, they trick victims into approving login attempts that the attacker has initiated, using credentials harvested by a spoofed corporate portal.
What Is PoisonSeed?
PoisonSeed is a financially motivated phishing operation known for targeting corporate users. Previous attacks involved compromising business email accounts and using them to distribute fake cryptocurrency wallet seed phrases. In its latest evolution, observed by the security firm Expel, the group uses a social engineering tactic that sidesteps FIDO's core strength: phishing resistance.
Abusing Cross-Device Authentication
WebAuthn's cross-device authentication (the "hybrid" transport) lets a user complete a login started on one device with an authenticator held on another, typically a phone holding a passkey or running an authenticator app. No USB connection is required. In the standard flow the login page shows a QR code, the phone scans it, confirms that it can hear a short-range Bluetooth advertisement from the device that displayed the code (a proximity check), and then exchanges the WebAuthn messages with that device through a cloud relay. The QR code, the Bluetooth check and the cloud relay are therefore steps of one flow, and the proximity check is the only part that ties the approval to the device that actually asked for it.
This is where attackers strike.

How the Attack Works
- The victim is lured to a spoofed login portal impersonating a service such as Okta or Microsoft 365.
- As soon as the victim enters a username and password, the phishing backend uses them to start a login against the real portal.
- The real portal, which expects a FIDO/WebAuthn factor, offers cross-device sign-in and displays a QR code in the attacker's session.
- The phishing page relays that QR code to the victim, who scans it with their smartphone or authenticator app exactly as they would during a normal cross-device login.
- By scanning the code, the victim unknowingly approves the attacker's pending login, completing the multi-factor authentication step on the attacker's behalf.
No exploit is needed—just a clever manipulation of user behavior and trusted protocols.
“This isn’t a flaw in FIDO,” researchers at Expel explain. “It’s a creative abuse of a legitimate feature to downgrade the authentication process via social engineering.”
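The flow above as a simulation, written for this article rather than taken from Expel's report. It is a small Python model of the hybrid transport built to show two things: the assertion the phone produces is bound to the genuine relying-party origin, because the browser that assembled the client data is the attacker's browser sitting on the real site, so the relying party's origin and challenge checks pass even though a phishing page relayed the QR code; and the Bluetooth proximity check is the one step a remote relay cannot forward. The relying party, device names and the HMAC stand-in for the credential's ECDSA signature are all constructed for the example.

```python
"""Simulation of the QR-relay described above (added example, not Expel's or
the page's code). HMAC stands in for the credential's ECDSA signature; the
relying party and device names are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

RP_ID = "login.example.com"                  # constructed relying party
GENUINE_ORIGIN = "https://login.example.com"


def _signing_input(client_data: dict) -> bytes:
    # Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON);
    # modeled here as rpIdHash || clientDataHash.
    cd_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
    return hashlib.sha256(RP_ID.encode()).digest() + cd_hash


class RelyingParty:
    def __init__(self):
        self.keys = {}      # user -> credential secret (stand-in for the public key)
        self.pending = {}   # session id -> (user, challenge)

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def begin_cross_device_login(self, session: str, user: str, initiator_device: str) -> dict:
        """After a correct password, offer cross-device sign-in. The returned
        dict is what the QR code carries: tunnel/session data and the
        initiator's identity. Nothing in it names the page that shows it."""
        challenge = secrets.token_hex(16)
        self.pending[session] = (user, challenge)
        return {"tunnel_session": session, "challenge": challenge,
                "initiator_device": initiator_device}

    def finish_login(self, session: str, assertion: Optional[dict]) -> bool:
        user, challenge = self.pending.pop(session)
        if assertion is None:
            return False
        cd = assertion["client_data"]
        # The standard phishing-resistance checks: origin and challenge must match.
        if cd["origin"] != GENUINE_ORIGIN or cd["challenge"] != challenge:
            return False
        expected = hmac.new(self.keys[user], _signing_input(cd), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


class Browser:
    """The device that displays the QR code and receives the assertion."""
    def __init__(self, device_id: str, origin: str):
        self.device_id, self.origin = device_id, origin

    def client_data(self, qr: dict) -> dict:
        return {"type": "webauthn.get", "challenge": qr["challenge"], "origin": self.origin}


class Phone:
    """The victim's authenticator. `nearby` models whose Bluetooth
    advertisements the phone can hear."""
    def __init__(self, key: bytes, nearby: set):
        self.key, self.nearby = key, nearby

    def scan_qr(self, qr: dict, initiator: Browser, require_proximity: bool) -> Optional[dict]:
        if require_proximity and qr["initiator_device"] not in self.nearby:
            return None   # advertisement never heard: refuse to sign
        # Over the tunnel the phone signs the client data built by the
        # initiating browser; the user only sees a generic approval prompt.
        cd = initiator.client_data(qr)
        sig = hmac.new(self.key, _signing_input(cd), hashlib.sha256).digest()
        return {"client_data": cd, "signature": sig}


def _setup():
    rp = RelyingParty()
    key = secrets.token_bytes(32)
    rp.register("victim@example.com", key)
    return rp, Phone(key, nearby={"victim-laptop"})


def relay_attack(require_proximity: bool) -> bool:
    """Attacker's browser is on the genuine site; the phishing page relays the
    QR code. Returns True if the attacker's session ends up authenticated."""
    rp, phone = _setup()
    attacker = Browser("attacker-vm", GENUINE_ORIGIN)
    qr = rp.begin_cross_device_login("attacker-session", "victim@example.com", attacker.device_id)
    assertion = phone.scan_qr(qr, attacker, require_proximity)   # victim scans relayed QR
    return rp.finish_login("attacker-session", assertion)


def legitimate_login(require_proximity: bool) -> bool:
    rp, phone = _setup()
    laptop = Browser("victim-laptop", GENUINE_ORIGIN)
    qr = rp.begin_cross_device_login("victim-session", "victim@example.com", laptop.device_id)
    assertion = phone.scan_qr(qr, laptop, require_proximity)
    return rp.finish_login("victim-session", assertion)


if __name__ == "__main__":
    print("relay, no proximity check :", relay_attack(False))     # True
    print("relay, proximity required :", relay_attack(True))      # False
    print("legit, proximity required :", legitimate_login(True))  # True
```

The point of the model is where the origin check happens: the phone never talks to the phishing page, it talks to the real relying party through the attacker's genuine-origin browser, so every cryptographic check succeeds. Only the proximity requirement, which the phishing page cannot relay, distinguishes the attacker's machine from the victim's own laptop.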
Second Tactic: Attacker Registers Their Own FIDO Key
Expel's report also details a separate incident in which an attacker, after compromising a corporate account, registered their own FIDO key. This allowed them to log in at will without further phishing or QR-code manipulation. Once a rogue key is linked to an account, the attacker owns a second factor that the identity provider trusts, and a password reset alone does not remove it: the account's enrolled authenticators have to be reviewed and the rogue one revoked.
How to Defend Against These Attacks
While the underlying protocols remain secure, these techniques expose weaknesses in human workflows and implementation practices. To mitigate risks, experts recommend:
- Restrict login locations and require additional verification for logins from unexpected countries or regions.
- Monitor FIDO key registrations, especially those from unknown device manufacturers or unusual IP addresses. The authenticator model is identifiable from the AAGUID carried in the registration attestation, so enrollments of models the organization does not issue can be alerted on.
- Disable or tightly control QR-based authentication. Where cross-device sign-in is needed, require the Bluetooth proximity check so that a QR code relayed to a victim by a remote attacker cannot be approved.
- Train employees to recognize QR-code phishing and to treat an unexpected sign-in approval prompt as suspicious.
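A detection sketch for the first three recommendations, added here and not part of Expel's report. It reads the authenticator model (AAGUID) out of the registration's authenticator data, compares it with an assumed allowlist of corporate-issued keys, and flags FIDO enrollments or successful sign-ins from a country outside the user's baseline. The log records are constructed and only loosely follow Okta System Log field names; the `authenticatorData` field on the enrollment event, the factor display names and the allowlist values are assumptions, so adapt them to your own identity provider's schema.

```python
"""Detection sketch for the mitigations above (added example, not Expel's or
the page's code). Records are constructed and only loosely modeled on Okta
System Log field names; the `authenticatorData` field on the enrollment
event and the AAGUID allowlist are assumptions for the example."""
import base64
import hashlib
import json
import struct
import uuid
from collections import defaultdict
from typing import List, Optional, Set, Tuple

# Assumed allowlist: AAGUIDs of the key models the company issues (constructed).
ALLOWED_AAGUIDS = {"0000aaaa-0000-4000-8000-00000000c0de"}
FIDO_FACTOR_NAMES = ("FIDO", "WebAuthn", "Security Key")   # adjust to your IdP


def aaguid_from_auth_data(auth_data: bytes) -> Optional[str]:
    """WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4) |
    attestedCredentialData when the AT flag (0x40) is set; that block starts
    with the 16-byte AAGUID identifying the authenticator model."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not auth_data[32] & 0x40:
        return None                       # no attested credential data
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    return str(uuid.UUID(bytes=auth_data[37:53]))


def build_auth_data(aaguid: str, attested: bool = True) -> bytes:
    """Constructed registration authenticator data for the sample log."""
    head = hashlib.sha256(b"login.example.com").digest()
    if not attested:
        return head + bytes([0x05]) + struct.pack(">I", 0)        # UP | UV
    cred_id = b"\x11" * 16
    return (head + bytes([0x45]) + struct.pack(">I", 0)           # UP | UV | AT
            + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa0")                    # empty CBOR map stands in for the public key


def _event(ts: str, user: str, etype: str, ip: str, country: str, **extra) -> str:
    ev = {"published": ts, "eventType": etype, "actor": {"alternateId": user},
          "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
          "outcome": {"result": "SUCCESS"}}
    ev.update(extra)
    return json.dumps(ev)


def _enroll(ts: str, user: str, ip: str, country: str, aaguid: str) -> str:
    ad = base64.b64encode(build_auth_data(aaguid)).decode()
    return _event(ts, user, "user.mfa.factor.activate", ip, country,
                  target=[{"type": "AuthenticatorEnrollment", "displayName": "FIDO2 (WebAuthn)"}],
                  debugContext={"debugData": {"authenticatorData": ad}})


# Constructed sample: a US baseline for two users, then bob enrolls a corporate
# key from home while alice's account is used and a rogue key enrolled abroad.
SAMPLE_LOG = [
    _event("2025-07-01T09:00:00.000Z", "alice@example.com", "user.session.start", "198.51.100.10", "United States"),
    _event("2025-07-02T09:00:00.000Z", "bob@example.com", "user.session.start", "198.51.100.11", "United States"),
    _event("2025-07-03T09:00:00.000Z", "alice@example.com", "user.session.start", "198.51.100.10", "United States"),
    _enroll("2025-07-11T10:00:00.000Z", "bob@example.com", "198.51.100.11", "United States", "0000aaaa-0000-4000-8000-00000000c0de"),
    _event("2025-07-12T03:14:00.000Z", "alice@example.com", "user.session.start", "203.0.113.77", "Netherlands"),
    _enroll("2025-07-12T03:16:00.000Z", "alice@example.com", "203.0.113.77", "Netherlands", "11111111-2222-4333-8444-555555555555"),
]
BASELINE_END = "2025-07-10T00:00:00.000Z"


def analyze(lines: List[str], allowed: Set[str], baseline_end: str) -> List[Tuple[str, str, str]]:
    """Returns (user, alert, detail). Countries of successful sessions before
    `baseline_end` form each user's baseline; later sign-ins and FIDO
    enrollments are judged against it and enrollments against the allowlist."""
    baseline = defaultdict(set)
    alerts = []
    for raw in lines:
        ev = json.loads(raw)
        user, etype = ev["actor"]["alternateId"], ev["eventType"]
        country = ev["client"]["geographicalContext"]["country"]
        success = ev["outcome"]["result"] == "SUCCESS"
        if ev["published"] < baseline_end:              # ISO-8601 sorts lexically
            if etype == "user.session.start" and success:
                baseline[user].add(country)
            continue
        if etype == "user.session.start" and success and country not in baseline[user]:
            alerts.append((user, "signin_new_country", country))
        elif etype == "user.mfa.factor.activate" and any(
                n in t.get("displayName", "") for t in ev.get("target", []) for n in FIDO_FACTOR_NAMES):
            if country not in baseline[user]:
                alerts.append((user, "fido_enroll_new_country", country))
            raw_ad = base64.b64decode(ev["debugContext"]["debugData"]["authenticatorData"])
            aaguid = aaguid_from_auth_data(raw_ad)
            if aaguid not in allowed:
                alerts.append((user, "fido_enroll_unknown_aaguid", aaguid or "no attestation data"))
    return alerts


def run_sample() -> List[Tuple[str, str, str]]:
    return analyze(SAMPLE_LOG, ALLOWED_AAGUIDS, BASELINE_END)
```

Running `run_sample()` yields three alerts, all for alice: a sign-in from a new country, then a FIDO enrollment from that country with an AAGUID outside the allowlist. Bob's enrollment of an allowed model from his usual country produces nothing. Enrollment events deliberately do not extend the baseline, so an attacker's first successful login cannot launder the country of the rogue registration that follows it.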
Key Takeaways
- FIDO is not broken, but attackers are cleverly abusing trusted features.
- Cross-device authentication via QR codes can be weaponized through phishing.
- Mitigations include geofencing, monitoring of authenticator registrations, restricting QR-based cross-device sign-in in favor of proximity-checked flows, and user training.
As MFA adoption grows, so does the creativity of adversaries. This latest PoisonSeed campaign is a reminder that no authentication method is foolproof if users can be tricked into helping the attacker.