Closing the Authentication Gap
Cloudflare has identified a critical visibility problem in remote access security: the window between device installation and user authentication. This gap occurs in two scenarios—when the Cloudflare One Client is first installed via MDM before the user logs in, or when a session expires and users fail to reauthenticate. During these periods, devices become unknown and visibility is lost.
Mandatory Authentication
To address this, Cloudflare is introducing mandatory authentication, which makes the Cloudflare One Client the gatekeeper of internet access from the moment a machine boots. When enabled:
- The client blocks all internet traffic by default using the system firewall
- Only traffic from the authentication flow is allowed via process-specific exceptions
- Users are prompted to authenticate with guided workflows
This ensures every managed device is accounted for at all times. The feature will launch first on Windows, with other platforms to follow.
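As an added illustration of the posture the bullets describe (not the Cloudflare One Client's own code), the following PowerShell sketch uses the built-in NetSecurity cmdlets to set the system firewall to default-deny outbound, add a single process-scoped exception, and verify the result. The executable path and rule name are placeholder assumptions; run it only on a test VM, because the default-deny step will cut off everything that has no allow rule.

```powershell
# Illustrative only: default-deny outbound with one process-scoped exception.
# NOT the Cloudflare One Client's implementation; the path below is an assumed placeholder.
#Requires -RunAsAdministrator

$AuthProcess = 'C:\Program Files\ExampleVendor\ExampleClient.exe'   # assumed path
$RuleName    = 'Example-AllowAuthFlow'                               # assumed rule name

# 1. Block every outbound connection on all three profiles unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Carve out the one process that must reach the identity provider.
#    -Program scopes the rule to that executable; no other process inherits it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow `
        -Program $AuthProcess -Protocol TCP -RemotePort 443 `
        -Profile Domain,Private,Public | Out-Null
}

# 3. Verify the posture: every profile should report DefaultOutboundAction = Block,
#    and the only process-scoped allow rule should be the one for $AuthProcess.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction | Format-Table -AutoSize

$exceptions = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Where-Object Program -eq $AuthProcess
"$($exceptions.Count) process-scoped outbound allow rule(s) for $AuthProcess"

# Rollback on the test machine (restores the default permissive outbound policy):
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
# Remove-NetFirewallRule -DisplayName $RuleName
```

Two caveats a practitioner will hit immediately. First, a default-deny outbound profile still honours Windows' pre-existing allow rules (Core Networking and similar), so a real lockdown also has to enumerate and disable those. Second, a TCP/443 exception for one executable does not cover name resolution, which the DNS Client service performs in a separate svchost process; without a corresponding exception the authentication hostname never resolves and the user is stuck before the prompt appears.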
Independent MFA as a Secondary Root of Trust
Recognizing that identity providers are high-value targets, Cloudflare is also launching an independent MFA system that operates separately from SSO providers like Okta, Entra ID, or Google. This "step-up MFA" at the network edge requires a second authority to approve access to protected resources—even if primary IdP credentials are compromised, attackers face an additional wall.
Cloudflare Access will support multiple MFA methods:
- Biometrics: Windows Hello, Apple Touch ID, and Face ID
- Security keys: WebAuthn, FIDO2, and PIV for SSH access
- TOTP: Time-based one-time passwords via authenticator apps
Administrators can enforce different MFA levels for different resources, for example requiring a security key for sensitive targets such as databases and source code repositories while allowing a lighter factor for less critical apps. Because the check is enforced at the edge, in front of the application rather than inside it, this also covers legacy applications that have no native MFA support and need no changes.
Availability and Next Steps
Mandatory authentication is rolling out to the Cloudflare One Client on Windows initially. The independent MFA feature is currently in closed beta, with new customers being onboarded weekly. Organizations can request access to the MFA beta to pilot the new capability.