Activate phishing-resistant MFA

Thwart phishers with security keys and Zero Trust
  • Targeted account takeover and supply chain attacks are some of the most dangerous threat vectors
  • Acquire, activate, and authenticate every access request with FIDO-compliant security keys, like YubiKeys
Multifactor authentication

Not all authentication methods are equal

One-time passcodes

While MFA via text message, email, or mobile apps is more secure than single-factor authentication, codes (e.g., TOTP) can be intercepted by attackers.

Security keys

FIDO2-compliant keys (e.g., YubiKeys), once issued, cannot be intercepted by an attacker and are nearly impossible to steal without physical access.

Security keys with Zero Trust

Identity providers often support keys but may not allow admins to truly require them. Cloudflare simplifies enforcing MFA methods for any app.


Case study

Cloudflare stopped an SMS phishing attack

More than 130 companies have recently been targeted in a series of similar account takeover attacks through social engineering. Our strong authentication, as part of our larger Zero Trust strategy, caused the threat actor to fail.

How we stopped it with security keys

Cloudflare’s security team received reports of (1) employees receiving legitimate-looking text messages pointing to what appeared to be (2) Cloudflare’s Okta login page. While the threat actor attempted to log in with compromised credentials (3-4), they could not get past the security key requirement that Cloudflare Zero Trust activated.

While security keys are not a silver bullet against all attacks, they strengthen the barrier and work in conjunction with additional Zero Trust security measures such as DNS filtering, browser isolation, cloud email security, and more.

Read the case study

Yubico Partnership Offer

Acquire, activate, and authenticate with YubiKeys

Cloudflare customers will be able to access an exclusive offer to purchase security keys from Yubico, the leading provider of hardware authentication security keys, at “Good for the Internet” pricing – as low as $10 per key – through their Cloudflare dashboard.

Eligible customers must have an active zone or actively use Cloudflare Zero Trust. You may not claim this offer multiple times from the same email and this offer may be restricted to one email per account. Cloudflare may modify, limit, or discontinue this promotion at any time. Offer is subject to Yubico’s terms.

Log in or sign up to learn more

Selectively enforce strong authentication

Don't just support it. Require it.
  • Identity providers may support strong authentication but may not allow you to truly require it
  • Ensure FIDO2 authentication is required, especially for apps housing sensitive data, and enforce per user, app, geography, or group
Read the solution brief

Roll out strong authentication everywhere

ZTNA makes it easy
  • Broad MFA support exists for cloud services, but this can be more difficult with legacy or non-web apps
  • ZTNA acts as an aggregation layer around all your SaaS, self-hosted, and non-web resources, which makes strong authentication easier to enforce across all of them
Read the solution brief

End phishing attacks once and for all