
Failed Phishing attempt on Beyond Identity

What happened?

First Login Attempt

The first login attempt was a legitimate authentication using Beyond Identity phish-resistant MFA. The authenticator uses the device-bound private key to sign the authentication challenge, the signature verifies against the public key registered at enrollment, and the user successfully logs in.

Second Login Attempt

An adversary sets up an adversary-in-the-middle (AitM) phishing proxy on a look-alike domain that looks and behaves exactly like the SSO login page. The proxy relays traffic between the victim and the real SSO service, so it can capture everything that passes through it, including credentials and any session tokens the service issues.

A victim is lured to the malicious site and begins the authentication process using Beyond Identity as the identity provider. The authentication fails: the phish-resistant MFA detects that the origin of the authentication attempt is the proxy's domain rather than a registered, legitimate origin, and blocks further access.

Why is this NOT an exploit?

During authentication with Beyond Identity, the origin of the authentication request is inspected. The signed response is bound to the origin the browser actually observed, so a request that arrives from a proxy at a different domain carries the wrong origin and the authentication is blocked. The proxy cannot repair this by rewriting the origin field, because the device's signature covers it. Even if a user falls victim to phishing, phish-resistant authentication prevents unsafe access. This property is called verifier impersonation resistance.

The user is notified and blocked from logging in, and the rejected attempt can be reported to the appropriate system or security administrator as a signal that a phishing campaign is under way.
