Introduction
Cloudflare lets users enable 2FA (two-factor authentication). 2FA provides an additional layer of security and must be enabled wherever possible as part of a defence-in-depth approach. With 2FA enabled, an attacker who has the password still cannot log in, because the account requires a 2FA token to complete the login process.
A user who has not set up 2FA could fall prey to a stolen credential attack and lose access to their account to attackers.
In this article we will take a look at how a user can enable 2FA in their Cloudflare account.
Enable 2FA on Cloudflare
The following are the steps to enable 2FA for a Cloudflare account:
- Log in to your Cloudflare account.
- Navigate to My Profile at https://dash.cloudflare.com/profile
- On the left side menu, click on Authentication.
- Click on the Set up button in the Two-Factor Authentication section.
- Cloudflare provides two options for setting up 2FA: Security Key Authentication and Mobile App Authentication. In this article we will set up Mobile App Authentication by clicking on the Add button.
- Make sure to set up an authenticator app. Scan the QR code. If it is not possible to scan the code, you can also set it up manually by using the code provided.
- Provide the code generated by the authenticator app. Provide your account password and click on Next.
- If this is the first time you are enabling 2FA, you will be taken through the recovery code setup. To complete it, enter your password and click on the Next button.
  Note: If you have generated recovery codes in the past, the 2FA setup ends here, but you are also given an option to regenerate backup codes in case you want to do so.
- Download, print, or copy your recovery codes and keep them in a safe place. Click on the Next button.
- Once the recovery code setup is complete, click on Next.
- Finally, we can see that 2FA has been set up for our Cloudflare account.
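
To confirm the result for every member of an account rather than one profile at a time, the check below reads the `two_factor_authentication_enabled` flag that the Cloudflare API v4 returns for each account member. This is an added example, not code from the original article or from Cloudflare; the account ID and API token passed to `fetch_members` are placeholders you supply, and the sample data is constructed.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def fetch_members(account_id, token):
    """Fetch every page of account members (needs network and an API token)."""
    members, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{API}/accounts/{account_id}/members?page={page}&per_page=50",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(f"API error: {body.get('errors')}")
        members.extend(body.get("result") or [])
        info = body.get("result_info") or {}
        if page >= info.get("total_pages", 1):
            return members
        page += 1

def members_without_2fa(members):
    """Return sorted e-mails of members whose 2FA flag is not true.
    A missing flag counts as not enabled, so gaps in the data fail closed."""
    flagged = []
    for m in members:
        user = m.get("user") or {}
        if user.get("two_factor_authentication_enabled") is not True:
            flagged.append(user.get("email") or m.get("id") or "<unknown>")
    return sorted(flagged)

# Constructed sample shaped like the "result" array of the members endpoint.
SAMPLE = json.loads("""[
  {"id": "m1", "status": "accepted",
   "user": {"email": "alice@example.com", "two_factor_authentication_enabled": true}},
  {"id": "m2", "status": "accepted",
   "user": {"email": "bob@example.com", "two_factor_authentication_enabled": false}},
  {"id": "m3", "status": "pending",
   "user": {"email": "carol@example.com"}}
]""")

if __name__ == "__main__":
    for email in members_without_2fa(SAMPLE):
        print("2FA not enabled:", email)
```

Against a live account, pass the output of `fetch_members(account_id, token)` to `members_without_2fa` instead of `SAMPLE`.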

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.
