Cloudflare introduces mandatory authentication and independent MFA for Zero Trust networks
Cloudflare · feature, security, platform · blog.cloudflare.com

Mandatory Authentication from Boot

Cloudflare has introduced mandatory authentication to address the visibility gap that exists when devices boot up or sessions expire. When enabled via MDM configuration, the Cloudflare One Client enforces authentication before any internet access is allowed.

The feature works by:

  • Blocking all internet traffic by default using the system firewall until authentication occurs
  • Allowing authentication flow traffic through process-specific exceptions so users can complete login
  • Prompting users to authenticate with guided workflows to eliminate friction

This ensures that managed devices remain visible and compliant from the moment they power on, eliminating the dangerous grey zone where users might bypass restrictions or leave devices in an unauthenticated state.

Note: Mandatory authentication is initially available on Windows, with other platforms to follow.

Independent MFA as a Secondary Root of Trust

Recognizing that identity providers (IdPs) are high-value targets for attackers, Cloudflare has developed an independent MFA layer that operates at the network edge, separate from your primary SSO provider. This "step-up MFA" adds a second authority that must approve access to protected resources, preventing attackers from fully compromising access even if they breach SSO credentials.

MFA Methods Supported:

  • Biometrics (Windows Hello, Apple Touch ID, Face ID)
  • Security keys (WebAuthn, FIDO2, PIV for SSH)
  • Time-based one-time passwords (TOTP) via authenticator apps

Flexible Configuration: Administrators can set policies globally or apply granular controls per-application or resource. For example, organizations can require security keys for code repository access while allowing biometric authentication for chat applications. This approach also enables modern MFA on legacy applications without code changes.
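
The per-application rule described above (security keys for the code repository, biometrics for chat), as an added example that is not Cloudflare's code or policy schema: a small evaluator in which a valid SSO session alone never grants access. The application names, method labels, `MfaProof`, `decide` and the maximum-age freshness check are assumptions made for illustration.

```python
"""Added illustration: per-application step-up MFA, decided independently of SSO.
All names are hypothetical; this is not Cloudflare's API or policy format."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical labels for the three method families listed above.
SECURITY_KEY, BIOMETRIC, TOTP = "security_key", "biometric", "totp"

# Constructed sample policy: a global default plus per-application overrides.
# max_age_s (how long a completed challenge stays valid) is an assumption.
GLOBAL_POLICY = {"methods": {SECURITY_KEY, BIOMETRIC, TOTP}, "max_age_s": 8 * 3600}
APP_POLICIES = {
    "code-repo": {"methods": {SECURITY_KEY}, "max_age_s": 900},
    "chat": {"methods": {BIOMETRIC, SECURITY_KEY}},
}


@dataclass
class MfaProof:
    """A challenge completed with the second authority, not a claim from the IdP."""
    user: str
    method: str
    verified_at: float  # Unix time at which the challenge was completed


def effective_policy(app: str) -> dict:
    """Per-application settings override the global default key by key."""
    return {**GLOBAL_POLICY, **APP_POLICIES.get(app, {})}


def decide(app: str, sso_user: Optional[str], proof: Optional[MfaProof], now: float) -> str:
    """Return 'allow', 'step_up' (prompt for MFA) or 'deny'."""
    if sso_user is None:
        return "deny"  # no SSO session at all
    policy = effective_policy(app)
    if proof is None or proof.user != sso_user:
        return "step_up"  # an SSO session without a matching proof is not enough
    if proof.method not in policy["methods"]:
        return "step_up"  # e.g. biometric offered where a security key is required
    age = now - proof.verified_at
    if age < 0 or age > policy["max_age_s"]:
        return "step_up"  # future-dated or stale proof for this resource
    return "allow"
```
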

Cloudflare's independent MFA is currently in closed beta with new customers onboarded weekly. Users can request access and enroll MFA devices through the App Launcher with minimal friction.