Cloudflare introduces mandatory authentication and independent MFA for continuous device security
Cloudflare · feature · security · api · blog.cloudflare.com ↗

Closing the Authentication Gap

Cloudflare has introduced mandatory authentication, a new capability in its Cloudflare One Client that keeps a device under security enforcement from the moment it boots. Previously there was a visibility gap between device installation and user authentication: a new device could receive the Cloudflare One Client via MDM before its user had logged in, or a session could expire and the user could put off re-authentication, leaving the device unenforced in the meantime.

With mandatory authentication enabled, the Cloudflare One Client acts as the gatekeeper for all internet access:

  • Blocks all internet traffic by default using the system firewall until authentication occurs
  • Allows only authentication-related traffic through process-specific exceptions
  • Guides users through authentication with clear prompts, eliminating friction

This ensures every managed device is known and authenticated at all times. The feature will initially launch on Windows, with support for additional platforms to follow.
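The block-by-default, except-by-process pattern described above can be reproduced on Windows with the built-in firewall. The following is an added example, not Cloudflare's code and not a description of how the One Client itself is implemented; the client binary path and the `PreAuthGate` rule group name are assumptions, and it must run from an elevated PowerShell session.

```powershell
# Added example (not Cloudflare's code): a minimal "block until authenticated"
# gate built from Windows Defender Firewall rules, mirroring the pattern of
# default-deny outbound plus per-process exceptions for the authentication path.
# Run from an elevated PowerShell session.
#
# Assumptions (hypothetical, not from the post): the client binary path below
# and the 'PreAuthGate' rule group name.
$ClientExe = 'C:\Program Files\ExampleVendor\auth-client.exe'
$Group     = 'PreAuthGate'

function Enable-PreAuthGate {
    # 1. Default-deny everything outbound on every profile. Inbound is left as-is.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # 2. Process-specific exception: only the auth client may speak HTTPS out.
    New-NetFirewallRule -DisplayName 'PreAuthGate: auth client HTTPS' -Group $Group `
        -Direction Outbound -Action Allow -Program $ClientExe `
        -Protocol TCP -RemotePort 443 | Out-Null

    # 3. The client still has to resolve the IdP hostname; allow only the
    #    Windows DNS client service (Dnscache, hosted in svchost.exe), not all of svchost.
    New-NetFirewallRule -DisplayName 'PreAuthGate: DNS client' -Group $Group `
        -Direction Outbound -Action Allow -Service Dnscache `
        -Protocol UDP -RemotePort 53 | Out-Null
}

function Disable-PreAuthGate {
    # Called once the client reports a successful login: drop the exceptions
    # and return the profiles to their normal default-allow outbound posture.
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
}

function Test-PreAuthGate {
    # Audit: every profile must default to Block and both gate rules must exist.
    $profiles = Get-NetFirewallProfile
    $blocked  = @($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0
    $rules    = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        AllProfilesBlockOutbound = $blocked
        GateRuleCount            = $rules.Count
        GateActive               = ($blocked -and $rules.Count -eq 2)
    }
}

# Usage:
#   Enable-PreAuthGate
#   Test-PreAuthGate        # expect GateActive = True before login
#   ...user authenticates...
#   Disable-PreAuthGate
```

Two caveats a practitioner should keep in mind. First, firewall rules are only as strong as the account that can edit them: this gate holds on managed devices where the user is not a local administrator, which is the deployment the post assumes (MDM-installed client). Second, if the login flow opens in a browser rather than inside the client, the browser process needs its own tightly scoped exception, and Windows firewall rules match remote IP addresses rather than hostnames, so that exception is harder to keep narrow than the per-process rule for the client itself.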

Independent MFA as a Secondary Root of Trust

Recognizing that identity providers (IdPs) are high-value targets for attackers, Cloudflare is introducing an independent multi-factor authentication system that operates at the network edge, separate from the primary SSO provider. Even if an attacker takes over an SSO session or steals SSO credentials through session hijacking or social engineering, they still need the second factor that Cloudflare verifies independently before they can reach protected resources.

Flexible MFA options available through Cloudflare Access include:

  • Biometrics (Windows Hello, Apple Touch ID, Apple Face ID)
  • Security keys (WebAuthn, FIDO2, PIV for SSH access)
  • Time-based one-time passwords (TOTP) via authenticator apps

Granular Control and Easy Enrollment

Administrators can define MFA requirements globally or apply granular controls per application or policy. For example, an organization can accept weaker MFA methods for less-sensitive apps such as chat while requiring security keys for access to source code. Third-party contractors can be restricted to the stronger MFA methods even when they sign in with personal email or social identity providers.

End users can enroll MFA devices easily through the App Launcher without requiring code changes to legacy applications. The independent MFA feature is currently in closed beta, with new customers being onboarded weekly. Interested organizations can request access through Cloudflare's website.