Windows Entra IDs can be bypassed worryingly easily – here’s what we know

Experts warn FIDO is not supported on certain clients when accessing Entra ID
This triggers a fallback login mechanism that can be picked up
Mitigations should be put in place, researchers say

FIDO-based authenticator apps are considered one of the strongest practical defenses against phishing and credential theft, but judging by Proofpoint’s latest research, it is not without its weaknesses.

The company’s researchers say they have found a way to force a target to abandon FIDO-based authentication for a weaker login method which can be picked up in transit.

That way, despite being protected by industry-standard defenses, victims can still end up losing access to key accounts.

Missing security features

The “weakness” in this scenario is that not all browsers support FIDO. Safari on Windows, for example, is not compatible with FIDO-based authentication in Microsoft Entra ID, and when a user with such a setup tries logging in, they are offered an alternative – an SMS-delivered one-time password, email, or an OAuth consent prompt.

All of these can then be picked up via an Adversary-in-the-Middle attack (AitM), relayed to the attackers, and used to log into the account.

“This seemingly insignificant gap in functionality can be leveraged by attackers,” Proofpoint said in its report.

“A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure.”

So far, Proofpoint says there is no evidence that this method is being abused in the wild, and speculates that threat actors still rather target accounts without multi-factor authentication (MFA) in the first place.

However, as more and more businesses deploy this anti-phishing technique, working around FIDO-based authentication might catch on.

To minimize the risk, businesses should turn off alternative authentication methods for key accounts, or at least turning on additional checks when an alternative is triggered.