
How Cloudflare implemented hardware keys with FIDO2 and Zero Trust to prevent phishing

What's this blog post about?

Cloudflare has moved its employees off a traditional "castle and moat" VPN architecture and onto FIDO2/WebAuthn, a more secure multi-factor authentication (MFA) protocol. The company now uses hardware security keys, such as YubiKeys, which implement the FIDO standards and make its system phishing-resistant. Cloudflare has also migrated all of its applications and servers to a Zero Trust access proxy, allowing secure access to internal sites using security keys. This move has improved role-based access control and enforced the principle of least privilege. The company is now working on integrating security keys with SSH connections for a unified approach to identity and access management.

Company
Cloudflare

Date published
Sept. 29, 2022

Author(s)
Evan Johnson, Derek Pitts

Word count
1643

Hacker News points
6

Language
English


By Matt Makai. 2021-2024.