
Expel says its report on FIDO-related phishing attack was ‘not accurate’

Editor's Note (July 25, 2025):

Expel has released a statement saying its previous report about a potentially FIDO-weakening phishing attack was "not accurate."

"[...] at the time of the original post, Expel believed the attacker successfully completed the authentication workflow, resulting in access to protected resources. After discussing these findings with the security community, we understand that this is not accurate. The Okta logs show the password factor passing successfully, but all subsequent MFA challenges failed and the attacker is never granted access to the requested source," Expel's latest blog post states.

Expel also explained that the FIDO specification requires the authenticating device to be in physical proximity to the device that displayed the QR code for cross-device authentication, whereas its previous blog post suggested this authentication flow could be completed without verifying proximity.

The company added that it will conduct a review of its technical blog review process to prevent further errors and thanked the FIDO Alliance and other community members for bringing the inaccuracies to their attention.

SC Media previously published a report on July 17, 2025, shown below, based on Expel's original report. SC Media's report was also updated on July 18, 2025, after Expel edited its blog to describe the reported attack as a FIDO downgrade rather than a FIDO bypass.

Original report (published July 17, 2025, updated July 18, 2025):

A phishing attack weakening FIDO key protection was reported by Expel on Thursday.

The attack abuses QR codes generated for cross-device sign-in to enable attackers to log in to victims’ accounts.

Fast IDentity Online (FIDO) cryptographic private keys are bound to physical devices, and each credential is bound to the website origin it was registered for, so a lookalike domain cannot obtain a valid signature. This provides stronger multi-factor authentication (MFA) than methods like SMS or email codes, which can be intercepted or replayed remotely.

Cross-device authentication using FIDO allows a user with one device holding a private key to log into another device that does not hold the key. This is meant to provide convenience in scenarios such as logging in to a public computer or new device that is not yet enrolled with FIDO.

Typically, a mobile device with a camera like a phone or tablet is used to scan a QR code on the second device during login, verifying that the user has possession of the FIDO key-holding device.

In the attack observed by Expel, the attacker set up a spoofed Okta login page that automatically relayed the entered credentials into the legitimate Okta portal, a man-in-the-middle (MitM) style attack also known as adversary-in-the-middle (AitM). The phishing page was hosted at the Okta-lookalike domain okta[.]login-request[.]com, and a link to it was emailed to the victim.

To weaken FIDO, the attacker requested cross-device authentication at the next login stage on the legitimate portal, causing Okta to generate a QR code that was automatically relayed back to the victim on the spoofed page.

The victim scanned the QR code using their authenticator app, unwittingly providing the attacker access to their account. Expel reported that, although the attacker successfully logged in, no further malicious activity was observed in this case.

"The research from Expel does not demonstrate a flaw in the design of passkeys, and is not a bypass of FIDO security keys. It outlines an attack method where any chosen delegated backup authentication method that is inherently phishable – such as an authenticator app leveraging QR codes – could be intercepted," a Yubico spokesperson told SC Media in an email.

Expel suspects the attack is connected to the PoisonSeed campaign, a cluster of phishing attacks that has leveraged compromised accounts to target cryptocurrency wallets since at least April 2025.

How to better secure FIDO logins

To prevent MitM attacks abusing cross-device sign-in, Expel recommended requiring a Bluetooth connection for the feature. The FIDO cross-device (hybrid) flow is designed around exactly this check: after the phone scans the QR code, it broadcasts a Bluetooth Low Energy advertisement that the device showing the code must receive before the login can proceed, which proves the two devices are physically close. A QR code relayed to a victim in another location cannot pass that check, so a remote phisher's session does not complete.

Organizations should also monitor authentication logs for unusual cross-device sign-in requests, such as those coming from unexpected locations; placing geographic limitations on logins and establishing a registration process for employees who are traveling could further limit such attacks, Expel noted.

In a separate attack, Expel found that an attacker who successfully phished credentials from a victim enrolled their own FIDO key with the compromised account, preventing the victim from regaining access.

Therefore, organizations should also look out for unexpected FIDO registrations, especially those from unexpected locations, registrations for users who are already enrolled, or registrations of authenticator models (identifiable by their AAGUID) other than those the organization issues.
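The monitoring advice above, turned into an added detection sketch. This is not code from Expel or from the article: it runs over constructed JSON-lines events modeled loosely on the Okta System Log, and every event-type string, field name, country value, AAGUID and user list here is an assumption that has to be mapped onto a real tenant's schema before use. Alongside the two checks Expel describes (cross-device sign-ins from unexpected geographies, and unexpected FIDO enrollments), it also flags the pattern from Expel's correction in the editor's note: a password success followed only by failed MFA challenges.

```python
"""Flag suspicious cross-device sign-ins, FIDO enrollments and password-then-MFA-failure runs.

All field names, eventType strings and sample values are constructed for illustration,
loosely modeled on the Okta System Log JSON shape. Map them to your real schema.
"""
import json
from collections import defaultdict

# Constructed sample events (JSON lines), oldest first. Not real tenant data.
SAMPLE_LOG = """
{"published":"2025-07-15T09:00:01Z","eventType":"user.authentication.password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"geographicalContext":{"country":"Germany"}},"debugContext":{"debugData":{}}}
{"published":"2025-07-15T09:00:05Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"geographicalContext":{"country":"Germany"}},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN","authMethod":"cross_device"}}}
{"published":"2025-07-15T09:00:40Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"geographicalContext":{"country":"Germany"}},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN","authMethod":"cross_device"}}}
{"published":"2025-07-15T09:05:00Z","eventType":"user.authentication.password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"geographicalContext":{"country":"United States"}},"debugContext":{"debugData":{}}}
{"published":"2025-07-15T09:05:04Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"geographicalContext":{"country":"United States"}},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN","authMethod":"platform"}}}
{"published":"2025-07-15T09:30:00Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"geographicalContext":{"country":"Brazil"}},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN","aaguid":"11111111-1111-1111-1111-111111111111"}}}
{"published":"2025-07-15T10:00:00Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"geographicalContext":{"country":"United States"}},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN","aaguid":"aaaaaaaa-0000-0000-0000-000000000001"}}}
"""

# Tenant-specific baselines (assumed placeholders, not real values).
EXPECTED_COUNTRIES = {"United States"}                          # where the workforce normally signs in
APPROVED_AAGUIDS = {"aaaaaaaa-0000-0000-0000-000000000001"}      # authenticator model the org issues
ALREADY_ENROLLED = {"alice@example.com", "carol@example.com"}    # users who already hold a FIDO factor


def parse_events(log_text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _user(e):
    return e["actor"]["alternateId"]


def _country(e):
    return e["client"]["geographicalContext"]["country"]


def _debug(e):
    return e.get("debugContext", {}).get("debugData", {})


def password_then_mfa_failures(events, min_failures=2):
    """Users whose password passed but whose every following MFA challenge failed.

    This is the AitM-phishing shape Expel's correction describes. Returns {user: failure_count}.
    """
    state = {}  # user -> [password_ok, mfa_failures, any_mfa_success]
    for e in events:
        u, ok = _user(e), e["outcome"]["result"] == "SUCCESS"
        if e["eventType"] == "user.authentication.password" and ok:
            state[u] = [True, 0, False]          # a new password success resets the window
        elif e["eventType"] == "user.authentication.auth_via_mfa" and u in state:
            if ok:
                state[u][2] = True
            else:
                state[u][1] += 1
    return {u: s[1] for u, s in state.items() if s[0] and not s[2] and s[1] >= min_failures}


def cross_device_from_unexpected_geo(events, expected_countries):
    """Cross-device FIDO challenges (any outcome) originating outside the expected countries."""
    hits = []
    for e in events:
        if (e["eventType"] == "user.authentication.auth_via_mfa"
                and _debug(e).get("authMethod") == "cross_device"
                and _country(e) not in expected_countries):
            hits.append((_user(e), _country(e), e["outcome"]["result"]))
    return hits


def suspicious_fido_enrollments(events, expected_countries, approved_aaguids, already_enrolled):
    """FIDO factor activations that are unexpected on at least one axis. Returns {user: [reasons]}."""
    findings = defaultdict(list)
    for e in events:
        d = _debug(e)
        if e["eventType"] != "user.mfa.factor.activate" or d.get("factor") != "FIDO_WEBAUTHN":
            continue
        u = _user(e)
        if _country(e) not in expected_countries:
            findings[u].append(f"enrolled from {_country(e)}")
        if u in already_enrolled:
            findings[u].append("user already held a FIDO factor")
        if d.get("aaguid") not in approved_aaguids:
            findings[u].append(f"authenticator model {d.get('aaguid')} not issued by the org")
    return dict(findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password ok, MFA only failing:", password_then_mfa_failures(evs))
    print("cross-device from unexpected geo:", cross_device_from_unexpected_geo(evs, EXPECTED_COUNTRIES))
    print("suspicious FIDO enrollments:",
          suspicious_fido_enrollments(evs, EXPECTED_COUNTRIES, APPROVED_AAGUIDS, ALREADY_ENROLLED))
```

On the constructed sample, alice is flagged twice (two cross-device challenges from Germany, and a password success followed only by MFA failures), carol's enrollment is flagged on all three axes, and bob and dave produce no findings. In a real deployment the per-user "already enrolled" set and the approved AAGUID list would come from the identity provider's factor inventory rather than from constants.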

Organizations that suspect an account has been compromised should terminate its active sessions as soon as possible to limit the attacker's access and prevent full account takeover. Users of FIDO keys should be aware of phishing attacks abusing cross-device sign-in and be wary of unexpected requests to scan QR codes.

"Yubico recommends careful consideration of all authentication flows in any identity ecosystem including using phishing-resistant authentication at all steps in an account lifecycle – such as recovery flows discussed in the blog, given they are a common attack vector. This also highlights the need for applications to offer the ability to disable other phishable MFA options, and require FIDO security keys or FIDO-based authentication only," a Yubico spokesperson said.

Editor's Note (July 18, 2025): A previous version of this article stated the attack described by Expel allowed attackers to bypass FIDO keys. Expel has since clarified in their blog post that this attack downgrades FIDO protection rather than bypassing it, and this article has been updated to reflect this change and add comments from a Yubico spokesperson.
