
Activate phishing-resistant MFA

Thwart phishers with security keys and Zero Trust
Phishing resistant MFA | Security key
  • Targeted account takeover and supply chain attacks are some of the most dangerous threat vectors
  • Acquire, activate, and authenticate every access request with FIDO-compliant security keys, like YubiKeys
Multifactor authentication

Not all authentication methods are equal

One-time passcodes

While MFA via text message, email, or mobile apps is more secure than single-factor authentication, codes (e.g., TOTP) can be intercepted by attackers.

Security keys

FIDO2-compliant keys (e.g., YubiKeys), once issued, produce credentials that an attacker cannot intercept and reuse, and the keys themselves are nearly impossible to steal without physical access.

Security keys with Zero Trust

Identity providers often support keys but may not allow admins to truly require them. Cloudflare simplifies enforcing MFA methods for any app.


Case study

Cloudflare stopped an SMS phishing attack

Phishing resistant MFA -- Cloudflare July '22 attack case study screenshots

More than 130 companies have recently been targeted in a series of similar account takeover attacks through social engineering. Our strong authentication, as part of our larger Zero Trust strategy, caused the threat actor to fail.


How we stopped it with security keys

Cloudflare July '22 phishing attack case study diagram (no background)

Cloudflare’s security team received reports of (1) employees receiving legitimate-looking text messages pointing to what appeared to be (2) Cloudflare’s Okta login page. While the threat actor attempted to log in with compromised credentials (3-4), they could not get past the security key requirement that Cloudflare Zero Trust activated.

While security keys are not a silver bullet against all attacks, they strengthen the barrier and work in conjunction with additional Zero Trust security measures such as DNS filtering, browser isolation, cloud email security, and more.
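To make concrete why the relayed one-time code above would have worked but the security key requirement did not, here is an added simulation (not Cloudflare's or Okta's code) of both factors under the same attacker-in-the-middle flow: RFC 6238 TOTP on one side, and a simplified WebAuthn assertion with the relying party's origin check on the other. The origins, secrets and challenge values are constructed placeholders, and an HMAC over the signed data stands in for the key's ECDSA signature.

```python
import base64, hashlib, hmac, json, os, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and time,
    so whoever learns it before the window closes can replay it anywhere."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

# Constructed demo values: the real login origin and the lookalike are placeholders.
RP_ID, RP_ORIGIN = "login.example", "https://login.example"
PHISH_ORIGIN = "https://login-example.invalid"
TOTP_SECRET, CRED_SECRET = b"constructed-totp-seed", os.urandom(32)

def authenticator_sign(rp_id, browser_origin, challenge):
    """Browser + security key side of a WebAuthn assertion. The browser, not
    the user, writes the origin it is really on into clientDataJSON, and the
    key signs over it. HMAC with a per-credential secret stands in for the
    ECDSA signature a real key would make with its private key."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()

def rp_verify(expected_challenge, client_data, auth_data, sig) -> bool:
    """Relying-party checks from the WebAuthn spec, in the order they fail."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                                   # replayed or foreign challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                                   # origin binding: phishing page fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(CRED_SECRET, signed, hashlib.sha256).digest(), sig)

def relay_totp(t: int = 1_700_000_000) -> bool:
    """Victim types the current code into the fake page; attacker forwards it."""
    stolen_code = totp(TOTP_SECRET, t)
    return hmac.compare_digest(totp(TOTP_SECRET, t), stolen_code)   # True: relay works

def relay_security_key(browser_origin: str) -> bool:
    """Attacker fetches a real challenge, relays it to the victim's browser on
    browser_origin, and forwards whatever the key returns to the real site."""
    challenge = base64.urlsafe_b64encode(os.urandom(16)).decode()
    return rp_verify(challenge, *authenticator_sign(RP_ID, browser_origin, challenge))
```

A real browser would additionally refuse to let the lookalike page request the legitimate RP ID at all, so the assertion would never be produced; the origin check shown is the relying party's independent backstop.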

Read the case study

Selectively enforce strong authentication

Selectively enforce strong authentication image (toggle 1)
Don't just support it. Require it.
  • Identity providers may support strong authentication but may not allow you to truly require it
  • Ensure FIDO2 authentication is required, especially for apps housing sensitive data, and enforce per user, app, geography, or group

Roll out strong authentication everywhere

Roll out strong authentication everywhere image (toggle 1)
ZTNA makes it easy
  • Broad MFA support exists for cloud services, but this can be more difficult with legacy or non-web apps
  • ZTNA acts as an aggregation layer around all your SaaS, self-hosted, and non-web resources, which makes strong authentication easier to enforce across all of them

End phishing attacks once and for all