This article discusses the progression of FIDO authentication methods on Android, highlighting the shift from traditional passwords to passkeys. It outlines the challenges of password security and details how new technologies like U2F and passkeys enhance user authentication experiences.

A new downgrade attack against Microsoft Entra ID has been developed, which tricks users into using weaker authentication methods, making them vulnerable to phishing and session hijacking. By spoofing a browser that lacks FIDO support, attackers can bypass FIDO authentication and intercept user credentials and session cookies. Although no real-world attacks using this method have been reported yet, the risk remains significant, particularly in targeted scenarios.