I am proud to announce that as of today, Netlify is passwordless. Our employees and contractors made the switch to FIDO2 tokens back in early August and we have required our employees and contractors to use these phishing-proof tokens when accessing the systems and services that protect your data since then. In mid-December we completed our journey and the entire team made the switch to passwordless. This is a huge accomplishment for our team as moving to FIDO2-based authentication is critical to reducing the risks associated with phishing.

What is FIDO2?

FIDO2 stands for Fast Identity Online. FIDO2 is the term for an open standard developed by the Fast Identity Online (FIDO) Alliance, which is an industry consortium of technology firms and other service providers that provide passwordless authentication. The FIDO2 security model eliminates the risks of phishing, all forms of password theft, and replay attacks because there are no passwords or rotating codes to accidentally disclose to an attacker. The credentials are unique across every website, never leave the user's possession, and are never stored on a server.

What does FIDO2 passwordless mean for our customers?

Like many companies out there we have used authenticator apps for years, but like all things, something bigger, faster, and stronger comes along, and in this case, that thing is FIDO2. Requiring our employees to use the lowest friction and strongest available two-factor authentication affirms our #1 priority to keep your data safe and secure.

Can our customers use FIDO2 passwordless authentication?

Yes! Most identity providers (IDPs) including Okta and OneLogin support FIDO2 passwordless and with our enterprise plan, customers can choose to implement single sign-on (SSO) with those identity providers. Should you want to learn more about our implementation, please reach out to security@netlify.com and we’ll be happy to share our experience.

What is passwordless?

In short, going passwordless means transitioning authentication from using something you know to using something you have. Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. Rather the authentication comes from something you physically possess like a hardware token or key.

How Netlify customers can prevent phishing with FIDO2

Protecting your Netlify accounts takes just a few minutes, and we’re here to help you make that change.

Why should your team adopt FIDO2 for accessing Netlify?

Adopting strong multi-factor authentication (MFA) methods like FIDO2 is extremely important for maintaining the security of your customers' online accounts. Here are some reasons why:

1. Passwords are not enough: Passwords have long been the primary method of authentication for online accounts, but they are no longer considered secure enough on their own. Passwords can be easily guessed, stolen through phishing attacks or social engineering, or compromised through data breaches. By implementing MFA like FIDO2, you add an extra layer of security beyond just a password.
2. Phishing attacks are on the rise: Phishing attacks, where an attacker tricks you into entering your login credentials on a fake website, are becoming more sophisticated and more common. With MFA, even if a user falls for a phishing attack and enters their login credentials on a fake website, the attacker still can't access the account without the second factor of authentication.
3. Protects against credential stuffing: Credential stuffing is a type of cyberattack where an attacker uses stolen login credentials from one site to gain access to other sites. By using MFA like FIDO2, even if an attacker has your password, they can't gain access to your account without the second factor of authentication.
4. Compliance requirements: Many industry and government regulations require the use of MFA to protect sensitive data. Failure to implement strong MFA methods could result in fines, legal liability, and damage to your company's reputation.
5. Ease of use: With FIDO2, users don't have to remember long and complicated passwords. Instead, they can use a physical security key or biometric authentication to quickly and easily access their accounts.

What are some metrics that show the importance of adopting FIDO2?

Phishing attacks are a significant and growing threat to online security, and implementing strong multi-factor authentication (MFA) methods like FIDO2 can help prevent them. Here are some current phishing metrics that can help customers decide to implement FIDO2:

1. Phishing attacks are increasing: According to the 2022 Verizon Data Breach Investigations Report, phishing attacks increased significantly in 2020, accounting for 36% of all data breaches. This highlights the need for additional security measures beyond just passwords.
2. Phishing attacks are successful: Despite increased awareness of phishing attacks, they continue to be successful. In 2020, 17% of all data breaches involved phishing attacks, and 55% of all data breaches involved the use of stolen or compromised credentials, according to the same Verizon report. These statistics demonstrate that relying solely on passwords for authentication is no longer sufficient.
3. Losses from phishing attacks are significant: Phishing attacks can result in significant financial losses for individuals and businesses. According to the FBI's Internet Crime Complaint Center (IC3), phishing attacks resulted in over $54 million in losses in 2020. These losses can include stolen funds, unauthorized access to accounts, and damage to business reputations.
4. MFA can prevent many phishing attacks: Implementing MFA like FIDO2 can prevent many phishing attacks by requiring an additional factor of authentication beyond just a password. According to Microsoft, users who enable MFA for their accounts are 99.9% less likely to be compromised by a phishing attack.

How to protect against phishing attacks on your Netlify accounts

Netlify customers who use our Identity service to authenticate their visitors against their own Identity Provider can prevent phishing by following some best practices around configuring authentication for this configuration.   By implementing 2-factor authentication at, using a FIDO2-capable workflow as a strong authentication method for access to their Netlify-hosted content via a corporate domain.

1. Choose an IDP that supports FIDO2: There are several Identity Providers (IDPs) that support FIDO2 authentication such as Okta, Azure AD, Auth0, and others. Customers can choose the IDP that best fits their needs.
2. Configure the IDP for FIDO2: Once the IDP is chosen, the customer needs to configure it to support FIDO2. This usually involves creating a new FIDO2 application in the IDP, setting up user authentication policies, and generating API keys.
3. Connect Netlify to the IDP: If you will authenticate colleagues who are all from the same email domain (everyone has an @domain.com email address that they must use to log in to your Identity-authenticated site), after the IDP is configured for FIDO2, the next step is to connect Netlify to the IDP. Test the integration: Once the IDP is integrated with Netlify, the customer can test the FIDO2 authentication flow by logging in to the Netlify site using their FIDO2 security key.

Conclusions and lessons learned

Here are some conclusions and lessons learned for our customers that adopt FIDO2:

1. Improved security: Implementing FIDO2 significantly improves the security of online accounts. By using FIDO2, our customers can reduce the risk of password-related attacks, such as credential stuffing and phishing, protect their customers' sensitive data from unauthorized access, and most importantly protect your company's data in Netlify.
2. User experience: FIDO2 is designed to be user-friendly and easy to use, and it can provide a better user experience compared to traditional password-based authentication. Our customers that adopt FIDO2 can benefit from increased user satisfaction and productivity, as users no longer need to remember long and complex passwords.
3. Compliance: For our customers in regulated industries, FIDO2 can help meet compliance requirements for strong authentication. FIDO2 is included in the National Institute of Standards and Technology's (NIST) guidelines for digital authentication, making it a recommended authentication standard for many industries.
4. Cost: Implementing FIDO2 requires some upfront costs, such as purchasing hardware tokens, but in the long run, it can be more cost-effective than traditional password-based authentication. FIDO2 eliminates the need for frequent password resets, which can be a significant cost for companies.

Support:

FIDO2 is a growing standard, and our customers that adopt it can benefit from a large community of developers and vendors who support the standard. This can help with implementation, support, and troubleshooting.