FIDO2 Bypass Uncovered: Hackers Exploit Cross-Device Authentication with QR Code Phishing
Cybercriminals affiliated with the group PoisonSeed have devised a method to circumvent FIDO2 protection—not by breaching the technology itself, but by cleverly exploiting one of its legitimate features: cross-device authentication. Through this technique, attackers trick victims into approving access themselves, under the false impression that they are logging into a corporate system.
As revealed by the cybersecurity firm Expel, the phishing campaign involves attackers crafting counterfeit login pages that mimic corporate portals such as Microsoft 365 or Okta. When a user enters their credentials, the adversary’s system simultaneously uses them to authenticate in real time on the legitimate site. The next step in the process should be a FIDO2 key-based confirmation—but instead, the attackers pivot to the cross-device login feature.
This functionality enables users to authorize access on one device using another—typically a smartphone—without needing to physically insert a key. The request is transmitted via Bluetooth or presented as a QR code. It is precisely this QR code that becomes the vector of exploitation. The spoofed portal displays a legitimate code generated by the actual service, which the unsuspecting victim scans with their phone, thereby unknowingly approving the attacker’s access attempt.
In effect, the protection offered by the physical key is nullified. While the FIDO2 system itself remains uncompromised, its architectural flexibility inadvertently allows this legitimate feature to be repurposed as a vector for abuse.
Experts recommend restricting login attempts to specific geographic regions, closely monitoring the registration of new keys, and, wherever possible, enforcing Bluetooth-based authentication for cross-device logins—measures that significantly reduce the likelihood of a successful breach. In one documented instance, an attacker even managed to register their own FIDO key following a password reset, gaining unfettered access without any further involvement from the victim.
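As an added illustration of the monitoring these recommendations call for (example code written for this page, not from Expel or the article), the following Python script runs two checks over constructed sample identity-provider audit events: cross-device sign-ins completed from outside an allowed region, and new security-key registrations shortly after a password reset. The event schema and field names (`transport`, `country`, the event names) are assumptions, not any vendor's actual log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the article); field names and event
# names are assumptions standing in for whatever the real IdP emits.
EVENTS = [
    {"ts": "2025-07-15T09:01:00", "user": "alice", "event": "signin",
     "transport": "hybrid", "country": "US"},   # cross-device login, home region
    {"ts": "2025-07-15T09:03:00", "user": "alice", "event": "signin",
     "transport": "hybrid", "country": "XX"},   # cross-device login, off-region
    {"ts": "2025-07-15T10:00:00", "user": "bob", "event": "password_reset",
     "transport": None, "country": "US"},
    {"ts": "2025-07-15T10:04:00", "user": "bob", "event": "key_registered",
     "transport": None, "country": "US"},       # new key minutes after a reset
    {"ts": "2025-07-15T12:00:00", "user": "carol", "event": "key_registered",
     "transport": None, "country": "US"},       # no preceding reset: routine enrolment
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def offregion_cross_device_logins(events, allowed_countries):
    """Sign-ins completed over the cross-device ('hybrid') transport from outside the allowed regions."""
    return [e for e in events
            if e["event"] == "signin" and e["transport"] == "hybrid"
            and e["country"] not in allowed_countries]

def key_registrations_after_reset(events, window=timedelta(hours=1)):
    """Authenticator registrations that follow a password reset for the same user within `window`."""
    last_reset, findings = {}, []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        if e["event"] == "password_reset":
            last_reset[e["user"]] = parse_ts(e["ts"])
        elif e["event"] == "key_registered":
            reset_at = last_reset.get(e["user"])
            if reset_at is not None and parse_ts(e["ts"]) - reset_at <= window:
                findings.append(e)
    return findings

def review(events, allowed_countries=("US",)):
    """Return (rule, user, timestamp) tuples for every event an analyst should look at."""
    out = [("cross_device_offregion", e["user"], e["ts"])
           for e in offregion_cross_device_logins(events, allowed_countries)]
    out += [("key_registered_after_reset", e["user"], e["ts"])
            for e in key_registrations_after_reset(events)]
    return out

if __name__ == "__main__":
    for rule, user, ts in review(EVENTS):
        print(f"{ts} {user}: {rule}")
```

In practice the region allow-list and the reset-to-registration window would be tuned to the organisation, and the hybrid-transport flag would come from whatever field the real IdP uses to record the authenticator transport.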
This incident serves as a sobering reminder that even the most advanced security technologies can be bypassed—not through technical exploits, but via psychological manipulation and precise anticipation of user behavior. As cybersecurity professionals emphasize, multi-factor authentication is essential—but no longer sufficient—to safeguard against the sophisticated threats of today.