This article discusses the progression of FIDO authentication methods on Android, highlighting the shift from traditional passwords to passkeys. It outlines the challenges of password security and details how new technologies like U2F and passkeys enhance user authentication experiences.

A novel Device Code phishing technique automates the authentication process, allowing attackers to bypass FIDO's phishing resistance by redirecting victims to a legitimate authentication page without needing them to manually enter codes. Despite Microsoft's fixes for normal Entra tenants, vulnerabilities remain for federated tenants. The article emphasizes the dangers of this attack model, which can exploit users’ trust in established authentication methods.

A new downgrade attack against Microsoft Entra ID has been developed, which tricks users into using weaker authentication methods, making them vulnerable to phishing and session hijacking. By spoofing a browser that lacks FIDO support, attackers can bypass FIDO authentication and intercept user credentials and session cookies. Although no real-world attacks using this method have been reported yet, the risk remains significant, particularly in targeted scenarios.