Brutkey

Brian Clark
@deepthoughts10@infosec.exchange

Because FIDO-based authentication (Passkeys, YubiKeys, etc.) is so good, the only way around it is to trick someone into not using it. That's essentially what a downgrade attack is. As a Microsoft #EntraID administrator you can prevent a successful downgrade attack from affecting your users. Here are a few ways to mitigate the risk of downgrade attacks:

1) Have your users delete all MFA methods except for FIDO-based methods. That way there's no less secure method to downgrade to. Need redundancy? Register both a Passkey and a YubiKey.
2) Create Conditional Access policies requiring FIDO / Phishing-resistant MFA methods to access your important applications. Even if a user is successfully phished, the auth cookie they receive will not have the Phishing-resistant attribute, so it won't be able to be used to authenticate against apps that have these policies.
3) Create Conditional Access policies for important applications to require access from a managed device -- such as an EntraID-joined, Hybrid Joined or Intune-managed device. Similar to #2, if an auth cookie is stolen, it won't work from an attacker's system as that system won't be a managed device.

#cybersecurity

From:
@threatinsight@infosec.exchange
https://infosec.exchange/@threatinsight/115017333270048604
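As an added illustration of mitigations #2 and #3 above (not from the original post), here is how the two Conditional Access policies can be created with the Microsoft Graph PowerShell SDK. The application and break-glass group IDs are placeholders, and the built-in "Phishing-resistant MFA" authentication strength ID should be confirmed in your own tenant as the comment describes.

```powershell
# Requires the Microsoft.Graph module; the scope below is needed to write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the object IDs from your tenant.
$importantApps    = @("<APP-OBJECT-ID-1>", "<APP-OBJECT-ID-2>")
$breakGlassGroup  = "<BREAK-GLASS-GROUP-ID>"   # excluded so emergency accounts are never locked out

# Look up the built-in "Phishing-resistant MFA" authentication strength rather than
# hard-coding its ID, so the policy references whatever your tenant actually exposes.
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

# Mitigation #2: a phished session cookie lacks the phishing-resistant claim,
# so it cannot satisfy this grant control even if the user completed a weaker MFA.
$requireFido = @{
    displayName = "Require phishing-resistant MFA for important apps"
    state       = "enabledForReportingButNotEnforced"   # start in report-only, then enable
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = $importantApps }
    }
    grantControls = @{
        operator               = "AND"
        authenticationStrength = @{ id = $phishResistant.Id }
    }
}

# Mitigation #3: a stolen cookie replayed from an attacker's machine fails because that
# machine is neither Intune-compliant nor Hybrid Joined. Note that the built-in grant
# controls cover compliant (Intune-managed) and Hybrid Joined devices; plain Entra-joined
# devices are typically covered by making them Intune-compliant.
$requireManagedDevice = @{
    displayName = "Require managed device for important apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = $importantApps }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireFido
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManagedDevice
```

Both policies are created in report-only mode so you can review sign-in logs for unintended blocks before switching `state` to `enabled`.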

Brian Clark
@deepthoughts10@infosec.exchange

@threatinsight@infosec.exchange
@BleepingComputer@infosec.exchange has a write-up on this too.

https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/