Do Son 
The WebAuthn authentication process
Despite the widespread adoption of multi-factor authentication (MFA), cybercriminals have developed increasingly sophisticated techniques to circumvent it. Among the most effective is the Adversary-in-the-Middle (AiTM) attack, which leverages reverse proxy servers to intercept not only login credentials but also session cookies—granting attackers full access to protected accounts, even when MFA is enabled.
The popularity of this method stems from its accessibility: Phishing-as-a-Service (PhaaS) kits such as Tycoon 2FA, Evilproxy, and Rockstar 2FA enable even non-experts to launch such campaigns. These toolkits are regularly updated by their developers with new features designed to bypass security mechanisms, obscure traffic patterns, and harvest additional user data. For instance, some tools restrict access to phishing pages via precise URLs, apply IP and User-Agent filtering, embed dynamically obfuscated JavaScript, and delay link activation to evade email security filters.
Phishing proxies operate in a deceptively simple manner: the user clicks on a malicious link, enters their login credentials, and completes the MFA process—all through the legitimate site, but relayed via the attacker’s proxy. Upon successful authentication, the site issues a session cookie, which is then intercepted by the attacker, granting them full control of the account. Some adversaries go further, immediately registering their own MFA device to the victim’s profile to maintain persistent access beyond the current session.
One standout tool in this domain is Evilginx—originally developed for penetration testing—which has become the de facto standard for AiTM attacks. Its open-source nature, flexibility, and ease of use have contributed to its widespread adoption. However, defenders can detect such attacks by monitoring telltale indicators: newly registered domains, URLs with 8-character paths, suspicious Let’s Encrypt certificates, and inconsistencies in IP addresses and User-Agent strings associated with the same session cookie.
Countering MFA bypasses is becoming increasingly difficult, especially for organizations that rely on outdated verification methods, such as SMS-based one-time codes. Consequently, more security professionals are turning their attention to WebAuthn—a passwordless authentication standard developed by the FIDO Alliance and the W3C.
WebAuthn relies on a pair of cryptographic keys: the private key remains securely stored on the user’s device, while the public key resides on the server. When logging in, the server issues a challenge, which the device signs and returns. The server then verifies the signature against the public key—eliminating the need for passwords, and rendering credential interception impossible.
The key advantage of WebAuthn lies in its domain-binding capability. Even if a user is tricked into visiting a phishing site, the authentication process will fail, as the domain will not match the legitimate one. This effectively neutralizes AiTM attacks and prevents the reuse of credentials across different platforms.
Nonetheless, despite its clear benefits, WebAuthn has yet to gain widespread traction across the industry. According to data from Cisco Duo, adoption remains limited, with only a small fraction of users enabling it in the past six months. This inertia may stem from organizations already invested in legacy MFA systems. However, given the growing prevalence of reverse proxy attacks, rethinking authentication strategies is no longer optional—it is imperative.
