Securing user access with two-factor authentication (2FA)
Overview
Two-factor authentication (2FA) allows user account owners to add an additional layer of login security to Cloudflare accounts. This additional authentication step requires you to provide both something you know, such as a Cloudflare password, and something you have, such as an authentication code from a mobile device.
Cloudflare offers the option to use either a phishing-resistant security key, like a YubiKey, or a Time-Based One-Time password (TOTP) mobile app for authentication, like Google Authenticator, or both. If you add both of these authentication methods to your account, you are initially prompted to log in with the security key, but can opt-out and use TOTP instead.
To ensure that you can securely access your account even without your mobile device, or security keys, Cloudflare also provides backup codes for download.
As the user account owner, you are automatically assigned the Super Administrator role. Once 2FA is enabled, all Cloudflare account members are required to configure 2FA on their mobile devices.
Enable two-factor authentication for your Cloudflare account
We recommend that all Cloudflare user account holders enable 2FA to keep their accounts secure.
To enable two-factor authentication for your Cloudflare login:
- Log in to the Cloudflare dashboard.
- Under the My Profile dropdown, select My Profile.
- Select the Authentication tab.
- Select Manage in the Two-Factor Authentication card.
- Configure either a TOTP mobile app or a security key to enable 2FA on your account.
Configure security key authentication for two-factor Cloudflare login
A security key provides phishing-resistant multifactor authentication to your Cloudflare account using a built-in authenticator (Apple Touch ID, Android fingerprint, or Windows Hello) or an external hardware key (like YubiKey) that connects to your computer through USB-A, USB-C, NFC, or Bluetooth.
Select Manage to configure 2FA security key authentication after enabling 2FA on your Cloudflare account.
Configure a built-in authenticator (Apple Touch ID, Android fingerprint, or Windows Hello)
- In Security Key Authentication, select Add.
- Enter your Cloudflare password on the Add a Security Key screen, then select Next.
- A dialog appears. Interact with your built-in authenticator to add it to your Cloudflare account.
- Enter a name for the built-in authenticator. If this is the initial setup, you will be prompted to generate backup codes. If not, skip to Step 8.
- Enter your password.
- Select Next again to review your backup codes. Backup codes can be used to access your user account without your mobile device.
- Select Download, Print, or Copy to save your backup codes in a secure location
- Select Next to finish the configuration.
Configure a security key (like YubiKey)
Before you begin, ensure that your hardware security key is configured and plugged in. On a Windows device, you may need to set up Windows Hello or register your security key to your Microsoft account. Review the Windows documentation for more details.
- Once your security key is plugged in, from Security Key Authentication, select Add.
- Enter your Cloudflare password on the Add a Security Key screen, then select Next.
- A dialog appears. Interact with your security key to add it to your Cloudflare account. - Ensure that the dialog is for the security key setup. On a Windows device, if the Windows Hello dialog appears, select Cancel. The security key dialog box will then appear. - Depending on your system, you may be required to register a PIN for the security key.
- Enter a name for the security key. If this is the initial setup, you will be prompted to generate backup codes. If not, skip to Step 8.
- Enter your password.
- Select Next again to review your backup codes. Backup codes can be used to access your user account without your mobile device.
- Select Download, Print, or Copy to save your backup codes in a secure location
- Select Next to finish the configuration.
Configure TOTP mobile app authentication for two-factor Cloudflare login
To enable 2FA mobile app authentication:
1. Under Mobile App Authentication, click Add.
2. Scan the QR code with your mobile device and enter the code from your authenticator app.
3. Enter the code from your authenticator app.
4. Enter your Cloudflare password, then click Next.
- If you can’t scan the QR code, click Can’t scan QR code, Follow alternative steps to configure your authenticator app manually.
5. Enter your Cloudflare password again.
6. Click Next again to review your backup codes. You can use backup codes to access your account without your mobile device.
7. Click Download, Print, or Copy to save the codes, then click Next.
8. Click Next on the backup code page to complete the recovery code set up. Two-Factor Authentication is now Enabled.
Reconfigure TOTP mobile app authentication
You may need to reconfigure your mobile app authentication if you join a new organization or lose access to your mobile device. When you reconfigure your mobile app authentication, your previous TOTP codes are invalid.
To reconfigure, follow the same Steps 1-8 as detailed above.
Regenerate backup codes
Each backup code is one-time use only, but you can always request a new set of backup codes using the Cloudflare dashboard. This is useful if you have lost access to or used all of your previous backup codes.
To regenerate backup codes,
- Log in to the Cloudflare dashboard.
- Click My Profile.
- Click the Authentication tab.
- Click Regenerate to generate and save a new set of two-factor backup codes.
Disable two-factor authentication for your Cloudflare account
To disable 2FA for your Cloudflare account, you must delete all security keys and TOTP authenticators from your account.
To disable 2FA:
- Log in to the Cloudflare dashboard
- Click My Profile.
- Click the Authentication tab.
- To remove your security key:
- Click Edit in the Security Key Authentication card. A drop-down menu shows more details about your security key.
- Click Delete. A pop-up will appear.
- Enter your Cloudflare password, then click Remove.
5. To remove your TOTP mobile app authentication:
- Click Delete method in the Mobile App Authentication card. A popup window appears.
- Enter your Cloudflare password, authenticator app code, or a recovery code, then click Disable.
You might lose access to a mobile device, security key, or authentication code.
Use a backup code
Generally, you can solve these issues by using a backup code or retrieving a backup code from your preferred authentication app.
When setting up 2FA, you should have saved your backup codes in a secure location. To restore lost access using a Cloudflare backup code:
1. Retrieve the backup code from where you stored it.
2. Navigate to the Cloudflare login page.
3. Enter the backup code in the login screen, then click Log in.
Disable 2FA
If you or another account owner still has access to your Cloudflare account, you could disable your 2FA settings.
Recover your account
If you do not have access to your 2FA account or backup codes, use a verified device to request a temporary access code.
1. Log into the Cloudflare dashboard.
2. On the Two-Factor Authentication page, click Can’t access your 2FA device or backup codes?.
3. Click Begin recovery.
4. Using a temporary access code, verify the email address associated with your account.
5. Using a device that you have logged in from before, verify your device. If you clear your cookies often or are logging in from a different IP address, you have wiped our memory of your device and will need to use a different device to verify.
6. For security reasons, you have to wait 3 to 5 days after completing verification to receive your temporary access code.
Still need additional help?
If you are still having issues with your two-factor authentication, follow the instructions provided in the Verify device stage of Recover your account.