
MFA downgrade attacks: are your backup login methods the gap?


Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Attackers are increasingly bypassing phishing-resistant authentication by downgrading users to backup MFA methods inside attacker-in-the-middle phishing flows, according to Push Security. Passwordless helps, but it does not remove the governance problem created by multiple active login paths and inconsistent app-level controls.

NHIMG editorial — based on content published by Push Security: MFA downgrade and auth downgrade techniques used to bypass phishing-resistant authentication

Questions worth separating out

Q: How should security teams prevent MFA downgrade attacks in mixed authentication estates?

A: Start by identifying every allowed sign-in method per application and per user class.

Q: Why do passkeys still leave organisations exposed to phishing attacks?

A: Passkeys reduce phishing risk only when they are the sole usable method.

Q: What do security teams get wrong about conditional access and authentication strength?

A: They often assume an IdP policy protects every app equally.

Practitioner guidance

  • Inventory every active authentication path. List passwords, passkeys, OTP, push, backup codes, and any SSO fallback for each high-risk account.
  • Enforce strongest-method priority at the IdP. Configure identity providers to require the phishing-resistant method where supported, and block weaker alternatives for privileged users and sensitive applications.
  • Measure app-by-app conditional access coverage. Audit which business applications actually inherit device, location, and authentication-strength policies from the IdP.

What's in the full article

Push Security's full research covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how downgrade attacks alter the authentication flow inside attacker-in-the-middle phishing kits.
  • Browser-based detection and response approaches for blocking AiTM techniques before session capture completes.
  • Practical guidance on identifying backup MFA and login methods across business applications.
  • Examples of app-level configuration gaps that allow the strongest login method to be bypassed.

👉 Read Push Security's analysis of MFA downgrade attacks and passkey bypass →
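The three guidance steps above (inventory every path, enforce a strength floor at the IdP, measure which apps actually inherit it) can be turned into a single audit. The script below is an added example written for this post; it is not code from Push Security or NHIMG. The inventory format, the app names, the user classes and the strength ranking are constructed assumptions for illustration, and the ranking in particular should be replaced with your own authentication-strength policy. The point it demonstrates is that an app with a passkey enabled is only protected when no weaker method remains reachable, which depends on whether the app enforces the IdP's minimum strength at all.

```python
"""Audit an authentication inventory for MFA downgrade exposure.

Added example, not part of the original post or of Push Security's research.
Everything below (inventory schema, app names, strength ranking) is an
assumption constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ranking is an assumption: higher means stronger. Only passkeys are treated
# as phishing-resistant; OTP, push and passwords can all be relayed or
# harvested inside an attacker-in-the-middle phishing flow.
STRENGTH = {
    "passkey": 4,      # FIDO2/WebAuthn
    "push_match": 3,   # push with number matching
    "totp": 2,
    "sms": 1,
    "backup_code": 1,
    "password": 0,
}
PHISHING_RESISTANT = {"passkey"}


@dataclass
class AppAuth:
    app: str
    user_class: str                    # e.g. "admin" or "workforce"
    enabled_methods: set                # every method the app will accept
    inherits_idp_policy: bool           # does the app enforce IdP auth strength?
    required_strength: Optional[str] = None  # IdP minimum method, if any


def effective_methods(a: AppAuth) -> set:
    """Methods an attacker could realistically steer a victim toward.

    If the app inherits the IdP policy and the IdP sets a minimum strength,
    anything weaker is blocked at sign-in. Otherwise every enabled method is
    reachable, whatever the IdP policy says.
    """
    if a.inherits_idp_policy and a.required_strength:
        floor = STRENGTH[a.required_strength]
        return {m for m in a.enabled_methods if STRENGTH[m] >= floor}
    return set(a.enabled_methods)


def downgrade_findings(inventory: list) -> list:
    """Classify each app as ok, downgrade_exposed, or no_phishing_resistant."""
    findings = []
    for a in inventory:
        reachable = effective_methods(a)
        has_pr = bool(reachable & PHISHING_RESISTANT)
        weakest = min(reachable, key=STRENGTH.get) if reachable else None
        if not has_pr:
            status = "no_phishing_resistant"       # nothing to downgrade from
        elif weakest in PHISHING_RESISTANT:
            status = "ok"                          # passkey is the only usable path
        else:
            status = "downgrade_exposed"           # passkey present, weaker path reachable
        findings.append({
            "app": a.app,
            "user_class": a.user_class,
            "reachable": sorted(reachable),
            "weakest_reachable": weakest,
            "status": status,
        })
    return findings


def policy_coverage(inventory: list) -> float:
    """Fraction of apps that actually inherit IdP authentication-strength policy."""
    if not inventory:
        return 0.0
    return sum(1 for a in inventory if a.inherits_idp_policy) / len(inventory)


# Constructed sample inventory (assumption, not real data).
SAMPLE_INVENTORY = [
    AppAuth("admin-console", "admin", {"passkey", "password", "totp", "backup_code"},
            inherits_idp_policy=True, required_strength="passkey"),
    AppAuth("hr-portal", "workforce", {"passkey", "password", "totp"},
            inherits_idp_policy=False),
    AppAuth("legacy-crm", "workforce", {"password", "sms"},
            inherits_idp_policy=False),
    AppAuth("cloud-console", "admin", {"passkey", "push_match"},
            inherits_idp_policy=True, required_strength="push_match"),
]

if __name__ == "__main__":
    for f in downgrade_findings(SAMPLE_INVENTORY):
        print(f"{f['app']:<14} {f['user_class']:<10} {f['status']:<22} "
              f"weakest={f['weakest_reachable']} reachable={f['reachable']}")
    print(f"IdP policy coverage: {policy_coverage(SAMPLE_INVENTORY):.0%}")
```

Note the cloud-console case: the app does inherit the IdP policy, but the floor is set at push with number matching rather than at passkey, so a passkey user can still be downgraded to push inside a phishing flow. A strength floor only closes the gap when it is set at the phishing-resistant method itself, and only for apps that actually enforce it.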

