While MFA via text message, email, or mobile apps is more secure than single-factor authentication, codes (e.g., TOTP) can be intercepted by attackers.
FIDO2-compliant keys (e.g., YubiKeys), once issued, cannot be intercepted by an attacker and are nearly impossible to steal without physical access.
Identity providers often support keys but may not allow admins to truly require them. Cloudflare simplifies enforcing MFA methods for any app.
More than 130 companies have recently been targeted in a series of similar account takeover attacks through social engineering. Our strong authentication, as part of our larger Zero Trust strategy, caused the threat actor to fail.
Cloudflare’s security team received reports of (1) employees receiving legitimate-looking text messages pointing to what appeared to be (2) Cloudflare’s Okta login page. While the threat actor attempted to log in with compromised credentials (3-4), they could not get past the security key requirement that Cloudflare Zero Trust activated.
While security keys are not a silver bullet against all attacks, they strengthen the barrier and work in conjunction with additional Zero Trust security measures such as DNS filtering, browser isolation, cloud email security, and more.