"All subsequent MFA challenges failed," it claimed.
Expel has retracted parts of its previous report on a potential phishing attack that allegedly weakened FIDO authentication, admitting key details were inaccurate.
In a new statement, the company clarified that contrary to initial claims, the attacker never successfully completed the authentication process or accessed protected resources. “The Okta logs show the password factor passing successfully, but all subsequent MFA challenges failed,” Expel said in its updated blog post.
As SC US reported, the initial report had suggested that attackers could abuse QR codes for cross-device FIDO authentication without proximity to the authenticating device being verified. Expel now acknowledges, however, that the FIDO specification requires proximity to be enforced and that its original explanation misrepresented this aspect.
The blog post also emphasised that no bypass of FIDO security keys had occurred, and credited the security community - including the FIDO Alliance - for helping identify the inaccuracies.
Expel attributed the misreporting to internal review shortcomings and pledged to strengthen its technical blog review process. Despite the retraction, the incident underscores growing concerns around cross-device authentication and the potential for phishing attacks to exploit weak points in MFA implementations.
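As an added example, not code from Expel's post or from this article: a small Python check over constructed log lines, in an assumed simplified schema (the field names are not Okta's real ones), that flags the pattern Expel described, a password factor passing and every subsequent MFA challenge failing within a short window.

```python
"""Added example (not Expel's or Okta's code). Flags users whose password
factor succeeded but whose later MFA challenges all failed, the pattern
Expel described. Field names here are an assumed simplified schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real logs), already in an assumed JSON shape.
SAMPLE_LOG = [
    '{"ts":"2025-03-01T10:00:00Z","user":"alice","factor":"password","result":"SUCCESS"}',
    '{"ts":"2025-03-01T10:00:05Z","user":"alice","factor":"fido2","result":"FAILURE"}',
    '{"ts":"2025-03-01T10:00:20Z","user":"alice","factor":"fido2","result":"FAILURE"}',
    '{"ts":"2025-03-01T10:02:00Z","user":"bob","factor":"password","result":"SUCCESS"}',
    '{"ts":"2025-03-01T10:02:04Z","user":"bob","factor":"fido2","result":"SUCCESS"}',
    '{"ts":"2025-03-01T11:00:00Z","user":"carol","factor":"password","result":"FAILURE"}',
]


def parse(lines):
    """Parse JSON lines, convert timestamps, and sort chronologically."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def password_ok_mfa_all_failed(lines, window=timedelta(minutes=5)):
    """Return users with a password success followed, inside `window`, by at
    least one MFA challenge where every such challenge failed."""
    by_user = defaultdict(list)
    for e in parse(lines):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["factor"] != "password" or e["result"] != "SUCCESS":
                continue
            # Only non-password factors after this password success count as MFA.
            mfa = [m for m in evs[i + 1:]
                   if m["factor"] != "password" and m["ts"] - e["ts"] <= window]
            if mfa and all(m["result"] == "FAILURE" for m in mfa):
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    print(password_ok_mfa_all_failed(SAMPLE_LOG))  # → ['alice']
```

Bob completes MFA and Carol never passes the password factor, so only Alice is reported; in practice the same correlation would run over a session or device identifier rather than just the username.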
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.