
FIDO’s New Tricks: How to Protect Against Social Engineering Attacks on Identity Access Management


Posted on by Greg McDonough

Effective authentication practices are a cornerstone of any well-developed cybersecurity program. Strong, unique passwords for every account remain necessary, but they are not sufficient: wherever possible, accounts should also require multifactor authentication (MFA) with a genuinely separate factor, such as a hardware security key, an authenticator app on a trusted device, or a biometric that unlocks a credential held on that device. Security questions add nothing here; they are another "something you know," exposed to the same phishing and data-breach risk as the password itself.

Fast IDentity Online (FIDO) authentication is widely treated as the current standard for passwordless login. Instead of a shared secret, it uses public-key cryptography: a private key that never leaves the user's authenticator (a phone, a USB security key, or a laptop's secure hardware) signs a server-supplied challenge, and the server verifies the signature with the public key it stored at registration. The user unlocks that key locally with a PIN or a biometric such as a fingerprint or face scan; one-time PIN codes generated by an app are a separate, weaker MFA method, not FIDO. Because the signed data also binds the web origin the browser was actually talking to, a FIDO login attempted on a look-alike phishing site does not verify, which is what makes FIDO phishing-resistant. It is not invulnerable, however. Cybercriminals have increasingly targeted FIDO deployments with a combined social engineering and downgrade attack: the phishing kit does not break the cryptography but steers the victim onto a weaker fallback login method that the account still accepts, and that attack has proven especially damaging.

This blog shares insights from a Q&A session with Sarah Cecchetti, Director of Product Strategy for Beyond Identity and a contributor to NIST SP 800-63C, the Federation and Assertions volume of NIST's Digital Identity Guidelines. She discusses the recent attack, how to safeguard against it, and her thoughts on the future of identity and access management (IAM).

Q: This past summer, there was a lot of buzz about a downgrade attack and phishing kits that allowed attackers to bypass FIDO. How prevalent is this attack, and do you see it persisting?

A: This will be a persistent attack, Cecchetti said. While FIDO was created as a secure way to implement passwordless account access, there are multiple options within the FIDO ecosystem. Many organizations choose to implement versions of FIDO that prioritize speed and convenience at the expense of security. While that tradeoff may be acceptable in some cases, industries that handle particularly sensitive information must implement stricter versions of FIDO. Organizations protecting healthcare, financial, or critical infrastructure systems need to be much more careful and move toward the low-usability/high-security end of the spectrum. There are ways to have both, but you have to build a lot of infrastructure above and beyond FIDO to do that.

Q: Is FIDO increasingly vulnerable to phishing attacks? What can security teams do to mitigate the risk of malicious actors bypassing security controls?

A: FIDO’s vulnerability depends heavily on how it is deployed, Cecchetti said. When organizations allow cloud-syncable passkeys that are automatically shared across online services, they significantly expand the attack surface. This means the security of the organization becomes only as strong as each user’s personal account security. Cloud-syncable passkeys also greatly increase susceptibility to phishing attacks.

To mitigate bypassing security controls, you need to disallow syncable passkeys altogether—all passkeys should be device-bound—either to a phone, a USB security key, or a work computer.
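The two mechanisms discussed above, origin binding (the property a downgrade attack has to route around) and the device-bound versus syncable distinction (the policy Cecchetti recommends), both live in the same few bytes a relying party verifies on every FIDO2/WebAuthn login. The Go program below is an added example written for this post; it is not code from the original article, from Beyond Identity, or from any FIDO library. It plays both sides of a simplified assertion ceremony: a simulated authenticator signs the authenticator data plus the hash of the client data, and a relying party checks the challenge, the origin, the RP ID hash, the user-presence and user-verification flags, the signature, and, for a device-bound policy, the backup-eligible (BE) and backup-state (BS) flags that synced passkeys set. The RP ID `bank.example`, the two origins, the challenge string, and the `policy` struct are constructed for illustration. A real deployment also validates attestation at registration and tracks the signature counter; both are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	flagUP byte = 0x01 // user present
	flagUV byte = 0x04 // user verified: a PIN or biometric unlocked the key
	flagBE byte = 0x08 // backup eligible: the credential can be cloud-synced
	flagBS byte = 0x10 // backup state: the credential is currently backed up
)

// clientData mirrors CollectedClientData; the browser, not the page, fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// policy is a hypothetical relying-party configuration for this example.
type policy struct {
	RPID, ExpectedOrigin          string
	RequireUV, RequireDeviceBound bool // RequireDeviceBound rejects syncable passkeys
}

// buildAuthData lays out authenticator data as rpIdHash(32) || flags(1) || signCount(4).
func buildAuthData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(append([]byte{}, h[:]...), flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], signCount)
	return append(out, c[:]...)
}

// signedMessage is what the authenticator signs and the RP verifies: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return msg[:]
}

// verifyAssertion is the relying-party side; a nil result means the login is accepted.
func verifyAssertion(pub *ecdsa.PublicKey, p policy, challenge string, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	// Origin binding: a reverse-proxy phishing kit runs on its own origin, so an
	// assertion it relays fails here even though the signature itself is valid.
	if cd.Origin != p.ExpectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, p.ExpectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(p.RPID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	}
	flags := authData[32]
	if flags&flagUP == 0 || (p.RequireUV && flags&flagUV == 0) {
		return errors.New("user presence/verification not asserted")
	}
	// Device-bound policy: synced passkeys carry BE (and, once synced, BS).
	if p.RequireDeviceBound && flags&(flagBE|flagBS) != 0 {
		return errors.New("credential is backup-eligible (syncable); policy requires device-bound")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenarios pushes three constructed logins through one policy and returns each verdict.
func Scenarios() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key pair enrolled at registration
	p := policy{RPID: "bank.example", ExpectedOrigin: "https://bank.example", RequireUV: true, RequireDeviceBound: true}
	const challenge = "c29tZS1yYW5kb20tc2VydmVyLW5vbmNl" // constructed; a real RP mints a fresh random one per ceremony
	login := func(origin string, flags byte) error { // simulated browser + authenticator
		cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
		ad := buildAuthData(p.RPID, flags, 1)
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cdj))
		return verifyAssertion(&priv.PublicKey, p, challenge, ad, cdj, sig)
	}
	return map[string]error{
		"legitimate device-bound login":             login("https://bank.example", flagUP|flagUV),
		"assertion relayed through phishing origin": login("https://bank-example.login-help.test", flagUP|flagUV),
		"synced passkey under device-bound policy":  login("https://bank.example", flagUP|flagUV|flagBE|flagBS),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The first scenario is accepted and the other two are rejected. The phishing case models an assertion relayed from a look-alike origin; in practice the browser would already have refused to use a `bank.example` credential there, and the server-side origin check is the second line of defense. That is also why the attack described earlier works as a downgrade rather than a bypass: the check only helps if the service offers no weaker fallback once FIDO fails. The third scenario is what "disallow syncable passkeys altogether" looks like in server code: reject any credential whose BE flag is set, ideally at registration so the user is told to enroll a device-bound key instead, and re-check on each assertion as shown.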

Q: How can attackers use social engineering to circumvent MFA?

A: There are numerous social engineering strategies that scammers use to bypass multi-factor authentication (MFA). Cecchetti said she has seen folks call a help desk pretending to be an executive who is traveling and urgently needs to log in. They allegedly dropped their phone or lost their security key and asked if MFA could just be turned off for one day. Another common tactic Cecchetti has seen involves contacting the MFA recipient and claiming to be the previous owner of the phone. Scammers ask for a "quick favor," such as pressing accept or relaying a code. In yet another attack, Cecchetti said, cybercriminals contact the help desk claiming they are testing a new device and ask to register it for MFA while keeping the old device active "just in case." This can be especially damaging if unnoticed, which is why, Cecchetti said, organizations should alert users whenever new devices are registered.

Q: How is AI changing identity access management? What does the future of access control and authentication look like?

A: This is a rapidly evolving field marked by both innovation and uncertainty. According to Cecchetti, there are entirely new protocols coming out to enable new use cases. Currently, the Model Context Protocol (MCP), which uses Open Authorization (OAuth) and Dynamic Client Registration, is the most prevalent. However, concerns exist regarding compatibility and security because MCP was designed for two-way communication between client and server, while OAuth is typically used for one-way information flows. Dynamic Client Registration also poses challenges due to its difficulty scaling to mobile environments. Significant work is underway to optimize OAuth for these scenarios, including efforts involving Client ID Metadata, though this approach also has its critics.

As we wrapped our conversation, Cecchetti advised, “If it feels like things are moving quickly, it's because they are. Adoption of AI is moving seven times faster than adoption of the Internet did. Everyone reading this should congratulate themselves on continuing to educate themselves in this fast-moving environment.” In many cases, practitioners and users alike are going to start feeling overwhelmed. “My advice,” Cecchetti said, “is to touch grass. Go outside. Give your local IAM admin a hug—they are working incredibly hard on really difficult problems right now!”

Multifactor authentication is undergoing growing pains as organizations try to balance the need for strong security with user convenience. Cybercriminals continue to seek weaknesses, particularly through social engineering attacks designed to circumvent MFA and FIDO. While cybersecurity teams work to shore up these vulnerabilities and anticipate the challenges introduced by rapidly evolving AI technologies, staying informed is crucial. Visit the all-new RSAC Community Platform, which features content from top cybersecurity experts, including Sarah Cecchetti’s recent webcast, “AI + IAM: Standards and Implementations for Login and Access for AI.” The platform also offers networking opportunities with cybersecurity peers and an AI-powered assistant to help you stay up to date and one step ahead.

Contributors
Greg McDonough

Cybersecurity Writer, Freelance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

