
Phishing-Resistant Authentication: How Hackers Still Bypass It

Summary

– Passkeys (FIDO2-based authentication) are phishing-resistant, unlike common MFA methods like SMS codes or push notifications, which are vulnerable to “Attacker-in-the-Middle” phishing kits.
– Attackers bypass passkeys using downgrade attacks, where phishing kits manipulate authentication prompts to force less secure backup methods like OTP or username/password.
– Device code phishing exploits alternative login flows for non-passkey devices, tricking users into entering adversary-supplied codes on legitimate sites.
– Consent phishing abuses OAuth permissions, tricking users into granting malicious apps access to their data, bypassing MFA and persisting through password changes.
– App-specific password phishing targets legacy authentication methods, allowing attackers persistent, stealthy access to accounts without triggering security alerts.

Phishing-resistant authentication methods like passkeys are transforming digital security, yet cybercriminals continue finding creative ways to bypass even the most advanced protections. While traditional multi-factor authentication (MFA) solutions such as SMS codes and one-time passwords remain vulnerable to interception, newer FIDO2-based systems like YubiKeys and Windows Hello offer stronger safeguards by binding credentials to specific domains. However, attackers are adapting with sophisticated techniques to undermine these defenses.

One prevalent method involves downgrade attacks, where phishing kits manipulate authentication prompts to steer users toward weaker backup methods. For example, a legitimate app might offer passkey or authenticator code options, but a malicious site could remove the passkey choice entirely, forcing victims to use less secure alternatives. This tactic exploits the reality that many accounts retain fallback authentication pathways, leaving them exposed despite having phishing-resistant options enabled.

Another emerging threat is device code phishing, which targets systems with limited input capabilities. Attackers trick users into entering codes on fraudulent pages, granting unauthorized access without triggering standard security checks. This approach has been notably used in campaigns against Microsoft 365 accounts, demonstrating its effectiveness against enterprise environments.

Consent phishing remains a persistent danger, particularly with the rise of OAuth-based integrations. By duping users into approving malicious third-party apps, attackers gain persistent access that bypasses MFA entirely. Recent incidents involving GitHub highlight how easily compromised OAuth permissions can lead to repository tampering, data theft, and supply chain attacks.

Even verification controls aren’t immune. Verification phishing exploits email-based confirmation steps, often by impersonating trusted entities to harvest codes or manipulate cross-identity provider (IdP) logins. Shockingly, many applications permit SSO logins via newly registered IdPs without additional scrutiny, creating gaps for exploitation.

Legacy vulnerabilities also persist through app-specific passwords (ASPs), which attackers extract via social engineering. These passwords, designed for older software, provide long-term API access without MFA checks, making them ideal for stealthy, prolonged breaches. A high-profile case involved a Russian disinformation expert whose Google mailbox was compromised using a forged U.S. State Department request for an ASP.

Perhaps the simplest workaround? Targeting apps that don’t support passkeys at all. Popular platforms like Slack and GitHub often rely on SSO or weaker local logins, creating weak links in an organization’s security chain. Without uniform MFA enforcement, these apps become low-hanging fruit for credential-stuffing attacks, as seen in recent breaches affecting Snowflake and Jira.

The harsh truth is that phishing-resistant MFA alone isn’t enough. Organizations must eliminate backup authentication methods, enforce strict conditional access policies, and continuously monitor for identity sprawl across hundreds of interconnected apps. Solutions like browser-based security platforms can help detect and block real-time attacks, but proactive vulnerability management remains critical.
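As an added illustration of the point above (this is example code, not from the article or from Bleeping Computer), the audit below treats an account's effective strength as its weakest enabled sign-in path, so a passkey user with SMS or TOTP still enabled, an app-specific password, or a broad OAuth grant gets flagged. The method names, scope names and sample accounts are constructed for the example.

```python
"""Audit a constructed identity inventory for the weak paths the article describes."""
from dataclasses import dataclass, field

# Rankings below are assumptions for this example, not a published standard.
PHISHING_RESISTANT = {"passkey", "fido2_key", "windows_hello"}
FALLBACK = {"sms", "push", "totp", "password_only"}
RISKY_OAUTH_SCOPES = {"repo", "admin:org", "mail.readwrite", "offline_access"}


@dataclass
class Account:
    user: str
    methods: set[str]
    oauth_grants: dict[str, set[str]] = field(default_factory=dict)
    app_specific_passwords: int = 0


def audit_account(acct: Account) -> list[str]:
    """Return findings; an account is only as strong as its weakest sign-in path."""
    findings = []
    strong = acct.methods & PHISHING_RESISTANT
    weak = acct.methods & FALLBACK
    if not strong:
        findings.append("no phishing-resistant method enrolled")
    elif weak:
        # A passkey is enrolled, but a phishing kit can hide that option and
        # steer the user to the fallback, so the fallback is the real strength.
        findings.append("downgradeable: fallback methods " + ", ".join(sorted(weak)))
    if acct.app_specific_passwords:
        findings.append(f"{acct.app_specific_passwords} app-specific password(s) bypass MFA")
    for app, scopes in sorted(acct.oauth_grants.items()):
        risky = scopes & RISKY_OAUTH_SCOPES
        if risky:
            # OAuth grants outlive password resets, so they need their own review.
            findings.append(f"OAuth grant to {app} with {', '.join(sorted(risky))} survives password reset")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each user with at least one finding to their findings."""
    report = {a.user: audit_account(a) for a in accounts}
    return {user: issues for user, issues in report.items() if issues}


# Constructed sample inventory (not real users, apps or scopes).
SAMPLE = [
    Account("alice", {"passkey"}),
    Account("bob", {"passkey", "sms", "totp"}),
    Account("carol", {"password_only", "push"},
            {"calendar-sync": {"offline_access", "mail.readwrite"}}, 1),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(user, issues)
```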

As attackers refine their tactics, the battle for account security hinges on closing every potential loophole, not just deploying the latest technology. Without comprehensive oversight, even the strongest authentication methods can be undermined by overlooked weaknesses in the broader identity landscape.

(Source: Bleeping Computer)
