Mandatory Authentication: Closing the visibility gap
Cloudflare identified a critical security gap in device management: the period between when the Cloudflare One Client is installed (via MDM) and when a user first authenticates, plus the "re-authentication grey zone" when sessions expire. During these windows, devices become unknown and unmanaged, reverting to local machine security policies.
The new mandatory authentication feature addresses this by making the Cloudflare One Client the gatekeeper of internet access from boot time. When enabled via MDM configuration:
- All internet traffic is blocked by default using the system firewall
- Only the client's authentication flow is permitted, through firewall exceptions scoped to the client's own process
- Users are prompted to authenticate before gaining any connectivity
This ensures every managed device is accounted for continuously, eliminating the dangerous "dark corners" where visibility is lost.
Independent MFA: A Secondary Root of Trust
Beyond mandatory authentication, Cloudflare introduced an independent MFA layer that operates separately from identity providers. This is critical because IdPs are high-value targets; if an attacker compromises a user's SSO session through hijacking or social engineering, they effectively gain access to all downstream applications.
Cloudflare's edge-based MFA creates a second authority that must approve access to protected resources. Even with compromised IdP credentials, attackers cannot reach sensitive resources without the second factor. The platform supports multiple MFA methods:
- Biometrics: Windows Hello, Apple Touch ID, Face ID
- Security keys: WebAuthn, FIDO2, PIV (for SSH access)
- TOTP: Authenticator app-based one-time passwords
Granular Control and Flexibility
Administrators can configure MFA policies at multiple levels: globally for all Access applications, or granularly for specific apps and policies. Organizations can require lower assurance methods (e.g., biometrics) for less sensitive resources like chat apps, while enforcing security keys for source code repositories. This approach also enables modern MFA for legacy applications without code changes.
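The "second authority" model described above and the per-application assurance tiers in this section can be modelled as a single access decision that requires both a valid IdP session and an edge-verified factor of sufficient strength. The following is an added illustration, not Cloudflare's own code: the assurance ordering (TOTP below biometrics below security keys), the app-to-tier policy, and the `Request` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple

# Assumed assurance tiers for this illustration; the ordering is not
# Cloudflare's, it simply encodes "lower assurance" vs "security keys".
class Assurance(IntEnum):
    NONE = 0
    TOTP = 1           # authenticator-app one-time password
    BIOMETRIC = 2      # Windows Hello, Touch ID, Face ID
    SECURITY_KEY = 3   # WebAuthn / FIDO2 / PIV

# Constructed policy: a global minimum for every Access application,
# overridden per app (chat apps vs source code repositories).
GLOBAL_MIN = Assurance.TOTP
APP_POLICY = {
    "chat": Assurance.BIOMETRIC,
    "source-code": Assurance.SECURITY_KEY,
}

@dataclass
class Request:
    user: str
    app: str
    idp_session_valid: bool   # what the identity provider asserts
    edge_mfa: Assurance       # factor verified by the independent authority
    edge_mfa_user: str        # subject the MFA assertion is bound to

def required_assurance(app: str) -> Assurance:
    """Per-app requirement, falling back to the global minimum."""
    return APP_POLICY.get(app, GLOBAL_MIN)

def decide(req: Request) -> Tuple[bool, str]:
    """Allow only when BOTH authorities agree: IdP session AND edge MFA.
    A hijacked SSO session alone never satisfies the second check."""
    if not req.idp_session_valid:
        return False, "idp: no valid session"
    if req.edge_mfa_user != req.user:
        return False, "mfa: assertion bound to a different subject"
    need = required_assurance(req.app)
    if req.edge_mfa < need:
        return False, f"mfa: {req.edge_mfa.name} below required {need.name}"
    return True, "allow"

if __name__ == "__main__":
    # Hijacked SSO session with no second factor: denied at the edge.
    print(decide(Request("alice", "source-code", True, Assurance.NONE, "alice")))
```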
The independent MFA feature is currently in closed beta with new customer onboarding happening weekly. Users can enroll MFA devices through the Cloudflare App Launcher with minimal friction.