While MFA via text message, email, or mobile apps is more secure than single-factor authentication, codes (e.g., TOTP) can be intercepted by attackers.
FIDO2-compliant keys (e.g., YubiKeys), once issued, cannot be intercepted by an attacker and are nearly impossible to steal without physical access.
Identity providers often support keys but may not allow admins to truly require them. Cloudflare simplifies enforcing MFA methods for any app.
More than 130 companies have recently been targeted in a series of similar account takeover attacks through social engineering. Our strong authentication, as part of our larger Zero Trust strategy, caused the threat actor to fail.
Cloudflare’s security team received reports of (1) employees receiving legitimate-looking text messages pointing to what appeared to be (2) Cloudflare’s Okta login page. While the threat actor attempted to log in with compromised credentials (3-4), they could not get past the security key requirement that Cloudflare Zero Trust activated.
While security keys are not a silver bullet against all attacks, they strengthen the barrier and work in conjunction with additional Zero Trust security measures such as DNS filtering, browser isolation, cloud email security, and more.
Cloudflare customers will be able to access an exclusive offer to purchase security keys from Yubico, the leading provider of hardware authentication security keys, at “Good for the Internet” pricing – as low as $10 per key – through their Cloudflare dashboard.
Eligible customers must have an active zone or actively use Cloudflare Zero Trust. You may not claim this offer multiple times from the same email, and this offer may be restricted to one email per account. Cloudflare may modify, limit, or discontinue this promotion at any time. Offer is subject to Yubico’s terms.