Deliver strong MFA for employee web logins with FIDO2

The FIDO2 standard is built to stop even the most sophisticated phishing attacks. It is an easier and faster way for individuals to securely authenticate to web applications. You can use a security key or biometric device to log in without a password, and it just takes seconds.

Built to stop phishing

Phishing attacks rely on attackers tricking users into giving up their credentials, whether through a lookalike domain with a cloned login page or through social engineering. Once the attacker has the credentials, traditional MFA is not hard to get past: users believe they are logging in and accept a push notification, or attackers use push-notification fatigue, SIM swapping, SMS interception, or replay of the OTP from SMS or authenticator apps.

FIDO2, backed by the world’s largest and most security-conscious companies, stops all of these attacks. A security-key or biometric-backed FIDO2 credential only works on the exact website (origin) where it was registered. The credential cannot be replayed remotely because the private key never leaves the FIDO2 device; the device only signs the fresh cryptographic challenge presented by the registered domain, and that signature is bound to the origin the browser reports.

0pass brings enterprise control with FIDO2 logins

0pass Citadel implements FIDO2 with enterprise controls that tie the credential to a YubiKey, Windows Hello, Touch ID, Face ID, or Android Thumbprint.


Common MFA attacks that FIDO2 stops

Chances are, if you get breached, it will involve stolen credentials or phishing. Explore the methods that attackers commonly use, from technical phishing to social engineering, or a combination of the two.

Replaying the OTP

Attackers send your employees a phishing link which appears to be from their company. The website looks like the one they log into every day. When the victim enters their password on the phishing site, it is replayed to the legitimate site. The phishing site then requests the user’s one-time password (OTP). When the user enters it, the attacker replays the OTP into the real website to gain access.

We’ll give you all the tools you need. We have the tools, configurations, and integrations to get your servers, web apps, and workstations ready.

Works with: Authenticator App OTP, SMS OTP, YubiKey OTP, RSA Token

Stealing the push notification

The attacker follows the same method as the OTP attack, but after replaying a user’s password into the website, they trigger a push notification. The user, believing they are logging in, approves the prompt. Other attacks involve bombarding the user with push notifications or social engineering (posing as IT support) to persuade them to accept the push notification.

Works with: Push Notification from an App

SIM tampering and SMS interception

SMS is famously the most vulnerable OTP delivery channel. It is the easiest to replay, and cellular phone companies can be the victim of social engineering attacks in which a phone number is swapped to the attacker’s SIM card. In a man-in-the-middle attack, the attacker deploys a rogue base station between the victim and the cellular network to intercept the SMS message.

Works with: SMS OTP

Stop the att&ck

Deploying FIDO2 with 0pass helps you defend against the powerful adversary techniques catalogued in the MITRE ATT&CK framework.

Let's talk about your use case

Chat with a security engineer and see whether we can help secure your environment. You can also set up a demo and access a free 30-day trial.

Access a free trial

Advice from security engineers

See a demo
