Saved February 14, 2026
This article details a new method for bypassing multi-factor authentication (MFA) protections by manipulating the authentication flow using Cloudflare Workers. The technique involves intercepting and altering server responses to downgrade secure authentication methods to phishable ones, exploiting vulnerabilities in implementation rather than cryptography.
Phishing-resistant multi-factor authentication (MFA) methods, particularly those using FIDO2/WebAuthn, are designed to secure high-value credentials. However, IOActive researcher Carlos Gomez has identified a significant vulnerability that bypasses these protections by manipulating the authentication process itself, rather than breaking cryptography. The research highlights two key innovations: using Cloudflare Workers as an invisible proxy and employing an Authentication Downgrade Attack that forces users to revert to less secure authentication methods like push notifications or one-time passwords, even if they have stronger FIDO2 keys registered.
The attack involves a transparent reverse proxy that intercepts and modifies server responses in real time. It operates in four phases, starting with the victim accessing what seems to be a legitimate Microsoft login page. The Cloudflare Worker modifies the incoming request and the outgoing response to inject malicious payloads that alter authentication methods displayed to the user. This manipulation allows attackers to downgrade secure authentication options to phishable alternatives while maintaining the appearance of legitimacy for both the user and the identity provider.
The use of Cloudflare Workers provides several advantages for attackers. They can blend in with legitimate traffic, avoid traditional detection methods, and operate without significant costs. The research underscores a shift in phishing tactics, with adversaries moving from identifiable infrastructure to serverless platforms that leave minimal forensic traces. This technique has already been adopted by groups like 0ktapus and Scattered Spider, further demonstrating its effectiveness against standard MFA configurations.
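A defender-side check for the downgrade described above, as an added example that is not from the article or the IOActive research: it flags sign-ins that completed with a phishable method although the account has a FIDO2 credential registered. The event schema, method labels, sample data and the `PROXY_EGRESS` range (a documentation placeholder) are assumptions.

```python
import ipaddress

# Assumption: labels for phishing-resistant methods in this hypothetical schema.
PHISHING_RESISTANT = {"fido2", "passkey"}

# Placeholder range (RFC 5737 documentation block). Replace with the published
# egress ranges of the serverless platform being monitored.
PROXY_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample data: methods each user has registered.
REGISTERED = {
    "alice": {"fido2", "push"},
    "bob": {"push", "otp"},
    "carol": {"fido2", "otp"},
}

# Constructed sign-in events (hypothetical schema).
SIGNINS = [
    {"user": "alice", "method": "fido2", "ip": "198.51.100.7"},
    {"user": "alice", "method": "push", "ip": "203.0.113.40"},
    {"user": "bob", "method": "otp", "ip": "203.0.113.41"},
    {"user": "carol", "method": "otp", "ip": "198.51.100.9"},
]

def from_proxy_range(ip):
    """True if the sign-in source address falls in a monitored egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_EGRESS)

def find_downgrades(signins, registered):
    """Return (severity, event) for sign-ins that used a phishable method
    although the user has a phishing-resistant method registered."""
    findings = []
    for ev in signins:
        methods = registered.get(ev["user"], set())
        has_strong = bool(methods & PHISHING_RESISTANT)
        if not has_strong or ev["method"] in PHISHING_RESISTANT:
            continue  # nothing to downgrade from, or the strong method was used
        # A weaker method plus a proxy-platform source address is the stronger signal.
        severity = "high" if from_proxy_range(ev["ip"]) else "medium"
        findings.append((severity, ev))
    return findings

if __name__ == "__main__":
    for severity, ev in find_downgrades(SIGNINS, REGISTERED):
        print(severity, ev["user"], ev["method"], ev["ip"])
```

Users without a FIDO2 credential (bob in the sample) are not flagged, since there is no stronger method to be downgraded from.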