This post is also available in 简体中文, 繁體中文, 日本語, 한국어, Deutsch, Français and Español.

Cloudflare's security architecture a few years ago was a classic "castle and moat" VPN architecture. Our employees would use our corporate VPN to connect to all the internal applications and servers to do their jobs. We enforced two-factor authentication with time-based one-time passcodes (TOTP), using an authenticator app like Google Authenticator or Authy, when logging into the VPN, but only a few internal applications had a second layer of auth. That architecture has a strong-looking exterior, but the security model is weak. We recently detailed the mechanics of a phishing attack we prevented, which walks through how attackers can phish applications that are "secured" with second-factor authentication methods like TOTP. Happily, we had long done away with TOTP and replaced it with hardware security keys and Cloudflare Access.

The solution to the phishing problem is a multi-factor authentication (MFA) protocol called FIDO2/WebAuthn. Today, all Cloudflare employees log in with FIDO2 as their secure multi-factor and authenticate to our systems using our own Zero Trust products. Our newer architecture is phishing-proof and allows us to more easily enforce least-privilege access control.

A little about the terminology of security keys and what we use

In 2018, we knew we wanted to migrate to phishing-resistant MFA. We had seen evilginx2 and the maturity around phishing push-based mobile authenticators and TOTP. The only phishing-resistant MFA that withstood social engineering and credential-stealing attacks was security keys that implement FIDO standards. FIDO-based MFA introduces new terminology, such as FIDO2, WebAuthn, hard(ware) keys, security keys, and specifically the YubiKey (the name of a well-known manufacturer of hardware keys), which we will reference throughout this post.
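Why a security key holds up where TOTP falls to a reverse-proxy phishing kit comes down to what the browser and the authenticator sign. The following Go program is an added example, not code from the original post or from Cloudflare: it models a toy FIDO2 authenticator, the browser's navigator.credentials.get() and a relying party's assertion checks, using constructed names (example.com, login.example.com, login.example-com.evil) and Ed25519 in place of the ES256 most security keys use. A login from the real origin verifies; a login attempted through a lookalike origin fails at the browser (the requested rpId is not a suffix of the page's host), at the authenticator (no credential is scoped to the proxy's own rpId), and, even if a signature were somehow obtained, at the server (the signed clientDataJSON names the proxy's origin). A TOTP code has none of these bindings, which is why it can simply be relayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed relying-party values (not Cloudflare's): the rpId and the only accepted origin.
const rpID = "example.com"
var allowedOrigins = map[string]bool{"https://login.example.com": true}

// clientData is the part of WebAuthn CollectedClientData the server checks; the browser,
// not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, as in the spec
	Origin    string `json:"origin"`
}
func clientDataJSON(origin string, challenge []byte) []byte {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	return cd
}

// authenticator is a toy FIDO2 security key: one key pair per rpId, never used for another.
type authenticator struct{ keys map[string]ed25519.PrivateKey }

// sign returns authenticatorData (rpIdHash || flags || counter) and a signature over
// authenticatorData || SHA-256(clientDataJSON), the message a real assertion signs.
func (a *authenticator) sign(id string, cdJSON []byte) ([]byte, []byte, error) {
	priv, ok := a.keys[id]
	if !ok {
		return nil, nil, fmt.Errorf("no credential scoped to rpId %q", id)
	}
	h := sha256.Sum256([]byte(id))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	cdh := sha256.Sum256(cdJSON)
	return authData, ed25519.Sign(priv, append(append([]byte{}, authData...), cdh[:]...)), nil
}

// browserGet models navigator.credentials.get(): it records the true origin and only
// allows an rpId equal to the origin's host or a registrable suffix of it.
func browserGet(auth *authenticator, origin, id string, challenge []byte) ([]byte, []byte, []byte, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != id && !strings.HasSuffix(host, "."+id) {
		return nil, nil, nil, fmt.Errorf("rpId %q is not a suffix of origin host %q", id, host)
	}
	cd := clientDataJSON(origin, challenge)
	authData, sig, err := auth.sign(id, cd)
	return cd, authData, sig, err
}

// verify is the server side: the assertion checks that bind a login to the challenge the
// server issued, the origin the user was really on, and the rpId.
func verify(pub ed25519.PublicKey, challenge, cdJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("type or challenge mismatch: replayed or from another session")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q not allowed: assertion was made on another site", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 32 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	cdh := sha256.Sum256(cdJSON)
	if !ed25519.Verify(pub, append(append([]byte{}, authData...), cdh[:]...), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login enrols a key with the real site, then runs one ceremony from a page at origin
// asking for rpId id. With relay set, the browser checks are skipped and the real key
// signs anyway (a proxy that somehow got a signature); the server must still reject it.
func Login(origin, id string, relay bool) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &authenticator{keys: map[string]ed25519.PrivateKey{rpID: priv}}
	challenge := make([]byte, 32)
	_, _ = rand.Read(challenge)
	var cd, ad, sig []byte
	var err error
	if relay {
		cd = clientDataJSON(origin, challenge)
		ad, sig, err = auth.sign(rpID, cd)
	} else {
		cd, ad, sig, err = browserGet(auth, origin, id, challenge)
	}
	if err != nil {
		return err
	}
	return verify(pub, challenge, cd, ad, sig)
}
```

Login("https://login.example.com", rpID, false) returns nil; the same call from "https://login.example-com.evil" with either rpId, and the relay variant with the real key, each return an error from a different layer. The checks in verify follow the order of the WebAuthn assertion verification procedure; a production relying party also looks up the credential by ID and checks that the signature counter has increased, which this toy leaves out.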