diff --git a/src/content/changelog/access/2026-04-15-independent-mfa.mdx b/src/content/changelog/access/2026-04-15-independent-mfa.mdx new file mode 100644 index 000000000000000..b4564acc7e1c9e5 --- /dev/null +++ b/src/content/changelog/access/2026-04-15-independent-mfa.mdx 
@@ -0,0 +1,37 @@ +--- +title: Independent MFA for Access applications +description: Enforce multi-factor authentication for Access applications without relying on your identity provider. +date: 2026-04-15 +products: + - access +--- + +Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). This feature addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides. + +Independent MFA supports the following authenticator types: + +- **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy. +- **Security key** — Hardware security keys such as YubiKeys. +- **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello. + +:::note +Infrastructure applications do not yet support independent MFA. +::: + +## Configuration levels + +You can configure MFA requirements at three levels: + +| Level | Description | +| ---------------- | -------------------------------------------------------------- | +| **Organization** | Enforce MFA by default for all applications in your account. | +| **Application** | Require or turn off MFA for a specific application. | +| **Policy** | Require or turn off MFA for users who match a specific policy. | + +Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. + +## User enrollment + +Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/AddMfaDevice`. 
+ +To get started with Independent MFA, refer to [Independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/). diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx new file mode 100644 index 000000000000000..e200013c74ec372 --- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
@@ -0,0 +1,220 @@ +--- +pcx_content_type: how-to +title: Independent MFA +sidebar: + order: 4 +tags: + - Authentication +--- + +import { Tabs, TabItem, APIRequest, Details } from "~/components"; + +Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application. + +## Supported MFA methods + +| MFA method | Description | +| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. | +| Security key | YubiKeys and hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys. | +| Biometrics | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. | + +## Turn on independent MFA + +Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you must turn on independent MFA at the organization level. + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. +2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization. +3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. 
If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication. +4. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies. + :::note + The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. + ::: +4. Select **Save**. + + + +1. Get your existing Zero Trust organization configuration: + + + +2. Send a `PUT` request to update your organization's MFA settings. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. + + + + Set `allowed_authenticators` to an array containing one or more of: + + - `totp` — Authenticator application (time-based one-time passwords). + - `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello). + - `security_key` — Security keys (YubiKeys) + + Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`. + + + +After you turn on independent MFA, users can [enroll authenticators](#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). + +## Turn off independent MFA + +:::caution +Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. 
Remove [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policies that use it, then turn off independent MFA at the organization level. +::: + +To turn off independent MFA for the organization: + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. +2. Under **Allow multi-factor authentication (MFA)**, turn off **Apply global MFA settings by default**. +3. Turn off all MFA methods (**Biometrics**, **Security key**, and **Authenticator application**). + +If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies. + + + + +1. Get your existing Zero Trust organization configuration: + + + +2. Send a `PUT` request with an empty `allowed_authenticators` array. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. + + + + + +## Enroll authenticators + +Users enroll authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). + +To enroll an authenticator: + +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Log in with your identity provider or with a one-time PIN (OTP). +3. Go to **Account** > **MFA devices** > **Add an MFA device**. + :::note + Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/AddMfaDevice` + ::: +4. Select the authenticator type you want to enroll and follow the on-screen instructions. + +
+ 1. Select **Authenticator application**. + 2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds. + 3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment. + + :::note + You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one. + ::: +
+ +
+ 1. Select **Security key**. + 2. When your browser prompts you, insert your security key and follow the on-screen instructions. + 3. After your browser confirms the registration, the security key is enrolled. + + You can enroll multiple security keys for backup purposes. +
+ +
+ 1. Select **Biometrics** > **Register biometrics**. + 2. You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**). + 3. After your browser confirms the registration, the platform authenticator is enrolled. +
+ +You can now use these authenticators to log in to your organization's applications. + +### Delete an authenticator + +Users can delete their own authenticators from the App Launcher: + +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Go to **Account** > **MFA devices**. +3. Select the 3-dot menu next to the MFA device, then select **Remove MFA device**. + +Administrators can also [delete authenticators on behalf of users](/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator). + +## Manage user authenticators + +Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events. + +### View user authenticators + +To view a user's enrolled authenticators: + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. +2. Select a user. +3. Go to **MFA devices**. Each entry shows the authenticator's ID, its user-configured name, and the MFA method. + +### Delete a user authenticator + +If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API. + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. +2. Select the user whose authenticator you want to delete. +3. Under **MFA devices**, find the authenticator and select **Delete**. + +The user will need to enroll a new authenticator the next time they access an application that requires MFA. + + + +Send a `DELETE` request to remove a specific authenticator: + + + +Parameters: + +- `user_id` — The UUID of the user. You can find this in the user details under **Team & Resources** > **Users**. +- `authenticator_id` — The unique identifier for the authenticator. + + + +### Lockout recovery + +If a user loses access to all of their enrolled authenticators: + +1. 
[Delete](#delete-a-user-authenticator) the user's authenticators. +2. The user can then access a protected application and will be provided a link to enroll a new authenticator. +3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/AddMfaDevice`. + +:::tip +To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available. +::: + +## Related links + +- [Enforce MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx index 566e56bc3359624..75a9cc960281855 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx @@ -4,8 +4,8 @@ title: Session management sidebar: order: 2 tags: -- JSON web token (JWT) -- Authentication + - JSON web token (JWT) + - Authentication --- import { GlossaryTooltip, Render } from "~/components"; 
@@ -16,9 +16,9 @@ A user session determines how long a user can access an Access application witho When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs): -| Token | Description | Expiration | Storage | -| ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | -| Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration) | Your Cloudflare team domain | +| Token | Description | Expiration | Storage | +| ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | +| Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration) | Your Cloudflare team domain | | [Application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application. 
| [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application | The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP. 
@@ -96,6 +96,9 @@ Users who match a policy configured with a _Same as application session timeout_ When [Device authentication identity](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-client-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration takes precedence over all other session durations (application, policy, and global). As long as the Cloudflare One Client session is valid and the user is running the Cloudflare One Client, the user will not be prompted to re-authenticate with the IdP — even if the global session has expired. +### MFA session duration +If you use [independent multi-factor authentication (MFA)](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. When logging in to an Access app with [MFA enabled](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), users must complete an MFA challenge if their last MFA authentication falls outside the configured session duration. After authenticating with their identity provider, users are prompted for MFA. The [`CF_Device` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf_device) ensures both authentication steps occur on the same device. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)). + ### Order of enforcement The following flowchart illustrates how Access enforces user sessions for a self-hosted application. 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx index 120dbd5cc04f27f..e7a924e7105b0a7 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx @@ -69,7 +69,7 @@ The following Access cookies are essential to Access functionality. Cookies that | Details | Expiration | HttpOnly | SameSite | Required? | | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | -| Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) | 30 days | Yes | Strict | Required | +| Cookie set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name), used to prevent abuse of [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/) and [multi-factor authentication](/cloudflare-one/access-controls/access-settings/independent-mfa/) flows | 30 days | Yes | Strict | Required | ## Cookie settings diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 4a1d3b0db7aba00..435bf43461df3e0 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
@@ -63,24 +63,26 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 11. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -12. (Optional) Turn on **Allow clientless access** to allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client. +12. + +13. (Optional) Turn on **Allow clientless access** to allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client. :::note Ensure your [remote browser permissions](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) allow users of this application to open Clientless Web Isolation links. ::: -13. +14. -14. Select **Next**. +15. Select **Next**. -15. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). -16. Select **Save**. +17. Select **Save**. Users can now connect to your private application after authenticating with Cloudflare Access. 
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 807f630288fd1fd..135d1d7dd3d8144 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx @@ -47,9 +47,9 @@ For example, the following table shows an Allow policy with Require and Exclude The Block action in Cloudflare Access prevents users who meet certain criteria from reaching an application. For example, the following table shows a Block policy that blocks requests from Russian source IPs that are not on your [list of approved IPs](/cloudflare-one/reusable-components/lists/). -| Action | Rule type | Selector | Value | -| ------ | --------- | -------- | ----------------- | -| Block | Include | Country | `Russian Federation` | +| Action | Rule type | Selector | Value | +| ------ | --------- | -------- | ------------------------ | +| Block | Include | Country | `Russian Federation` | | | Exclude | IP list | `Corporate IP allowlist` | Block policies are best used in conjunction with [Allow policies](#allow) as a way to carve out exceptions in those Allow policies. Since Access is deny by default, users who do not match a Block policy will still be denied access unless they explicitly match an Allow policy. @@ -87,7 +87,7 @@ When applying a Bypass action, security settings revert to the defaults configur Bypass policies which contain [device posture check](/cloudflare-one/reusable-components/posture-checks/) rules will not function when: - [Zaraz](/zaraz/) is enabled for the zone protected by Access -- A [Worker](/workers/) intercepts the request +- A [Worker](/workers/) intercepts the request To work around these limitations and bypass Access, we recommend changing the policy action to [Service Auth](#service-auth). 
@@ -95,7 +95,7 @@ To work around these limitations and bypass Access, we recommend changing the po Service Auth rules in Cloudflare Access enforce authentication flows that do not require an identity provider IdP login, such as service tokens and mutual TLS. -The following table shows an example Cloudflare Access Service Auth policy configuration: +The following table shows an example Cloudflare Access Service Auth policy configuration: | Action | Rule type | Selector | | ------------ | --------- | ----------------- | 
@@ -152,28 +152,28 @@ Non-identity attributes are polled continuously, meaning they are evaluated with **Table: Cloudflare Access policy selectors** -| Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | -| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | -| Emails | `you@company.com` | ✅ | ❌ | ✅ | -| Emails ending in | `@company.com` | ✅ | ❌ | ✅ | -| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | -| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | -| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | -| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | -| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ | -| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ | -| Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | -| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | -| User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. 
This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | -| Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | -| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | -| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | -| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | -| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | -| Device posture | Checks device posture signals from the Cloudflare One Client or a third-party service provider. This selector only displays after you create a [device posture check](/cloudflare-one/reusable-components/posture-checks/). | ✅ | ✅ | ❌ | -| Warp | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/). | ✅ | ✅ | ❌ | -| Gateway | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. 
This selector only displays after you enable the [Gateway posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/). | ✅ | ✅ | ❌ | +| Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | +| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | +| Emails | `you@company.com` | ✅ | ❌ | ✅ | +| Emails ending in | `@company.com` | ✅ | ❌ | ✅ | +| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | +| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | +| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | +| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | +| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ | +| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ | +| Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | +| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. 
| ✅ | ✅ | ❌ | +| User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | +| Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | +| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | +| Authentication Method | Checks the [multi-factor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/). | ✅ | ❌ | ✅ | +| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | +| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | +| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | +| Device posture | Checks device posture signals from the Cloudflare One Client or a third-party service provider. This selector only displays after you create a [device posture check](/cloudflare-one/reusable-components/posture-checks/). 
| ✅ | ✅ | ❌ | +| Warp | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/). | ✅ | ✅ | ❌ | +| Gateway | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. This selector only displays after you enable the [Gateway posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/). | ✅ | ✅ | ❌ | 1 For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has @@ -188,9 +188,9 @@ Connection context is configured per policy, allowing you to grant different per **Table: Cloudflare Access connection context settings by application type:** -| Application type | Available settings | -| --- | --- | -| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames | +| Application type | Available settings | +| ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------- | +| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames | | [Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls) | Clipboard controls (copy/paste restrictions) | ## Cloudflare Access policy order of execution diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index f042f7e8cdc4d6a..c02a9da1b2b3ba3 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx 
+++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx 
@@ -4,58 +4,155 @@ title: Enforce MFA sidebar: order: 6 tags: -- SAML -- JSON web token (JWT) -- Authentication + - SAML + - JSON web token (JWT) + - Authentication --- import { GlossaryTooltip } from "~/components"; -With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. +Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA): -This feature is only available if you are using the following identity providers: +- **[Identity provider-based MFA](#identity-provider-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). +- **[Independent MFA](#independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider. -- Okta -- Microsoft Entra ID (formerly Azure AD) -- OpenID Connect (OIDC) -- SAML +## Identity provider-based MFA -To enforce an MFA requirement to an application: +You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a security key through their IdP. -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. +IdP-based MFA enforcement is only available with the following identity providers: -2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/). 
+- [Okta](/cloudflare-one/integrations/identity-providers/okta/) +- [Microsoft Entra ID (formerly Azure AD)](/cloudflare-one/integrations/identity-providers/entra-id/) +- [Generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) +- [Generic SAML 2.0](/cloudflare-one/integrations/identity-providers/generic-saml/) -3. Go to **Policies**. +To enforce an IdP MFA requirement on an application: -4. If your application already has a policy containing an identity requirement, find it and select **Configure**. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. - :::note - The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. - ::: +2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/). -5. Add the following rule to the policy: +3. Go to **Policies**. - | Rule type | Selector | Value | - | ---------- | -------- | ------ | - | Require | Authentication method | `mfa - multiple-factor authentication` | +4. If your application already has a policy containing an identity requirement, find it and select **Configure**. -6. Save the policy. + :::note + The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. + ::: -:::caution[Important] +5. 
Add the following rule to the policy: -**What happens if the user fails to present the required MFA method?** + | Rule type | Selector | Value | + | ---------- | -------- | ------ | + | Require | Authentication method | `mfa - multiple-factor authentication` | -Cloudflare Access will reject the user, even if they successfully login to the identity provider with an alternative method. +6. Save the policy. +:::caution[Important] +If the user fails to present the required MFA method, Cloudflare Access rejects the user, even if they successfully log in to the identity provider with an alternative method. ::: -## Adding authentication methods into the JWT +### Authentication methods in the JWT -When users authenticate with their identity provider, the identity provider then shares their username with Cloudflare Access. Cloudflare Access then writes that value into the JSON Web Token (JWT) generated for the user. +When users authenticate with their identity provider, the IdP shares their username with Cloudflare Access. Access writes that value into the JSON Web Token (JWT) generated for the user. -Certain identity providers can also share the multifactor authentication (MFA) method presented by the user to login. Cloudflare Access can add these values into the JWT and force. For example, if the user authenticated with their password and a physical hard key, the identity provider can send a confirmation to Cloudflare Access. - -Cloudflare Access then stores that method into the same JWT issued to the user. +Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. For example, if the user authenticated with their password and a security key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user. Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. 
+ +## Independent MFA + +Independent MFA prompts users for a second factor directly in Access. This allows you to enforce MFA requirements without relying on your IdP's MFA configuration. + +You can configure MFA requirements at three levels: + +| Level | Description | +| ---------------- | -------------------------------------------------------------- | +| [Organization](/cloudflare-one/access-controls/access-settings/independent-mfa/) | Enforce MFA by default for all applications in your account. | +| [Application](#configure-independent-mfa-for-an-application) | Require or turn off MFA for a specific application. | +| [Policy](#configure-independent-mfa-for-a-policy) | Require or turn off MFA for users who match a specific policy. | + +Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. + +### Prerequisites + +Before you configure independent MFA on applications or policies, you must [turn on independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/) at the organization level. + +### Configure independent MFA for an application + +Each application has three MFA options: + +| Option | Behavior | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Respect global enforcement setting** | Uses the [organization-level](/cloudflare-one/access-controls/access-settings/independent-mfa/) MFA configuration. If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. | +| **Custom MFA settings** | Overrides the organization setting with application-specific allowed authenticators and session duration. 
| +| **Disable MFA** | Users are not prompted for independent MFA when accessing this application, even if MFA is required globally. | + +To configure MFA for an application: + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. +2. Find the application you want to configure and select **Configure**. +3. Scroll down to **Authentication** and select the **MFA**.tab. +4. Select one of the following options: + - To inherit the organization setting, select **Respect global enforcement setting**. + - To set custom requirements, select **Custom MFA settings**, then configure the [allowed MFA methods](/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration). + - To exempt the application from MFA, select **Disable MFA**. +5. Select **Save**. + +### Configure independent MFA for a policy + +Each policy has the same three MFA options described in [Configure independent MFA for an application](#configure-independent-mfa-for-an-application). Policy-level settings override application-level settings. + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. +2. Choose an **Allow** policy and select **Configure**. +3. Under **Multi-factor authentication (MFA)**, select an option: + - To inherit the application or organization setting, select **Respect global enforcement setting**. + - To set custom requirements for users who match this policy, select **Custom MFA settings**, then configure the [allowed MFA methods](/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration). + - To exempt users who match this policy from MFA, select **Disable MFA**. +4. Select **Save**. 
+ +### MFA session duration + +The MFA session duration determines how long a successful MFA authentication remains valid. After the MFA session expires, the user must complete MFA again on their next Cloudflare Access login in addition to completing IdP authentication. You can require users to complete MFA on each Access login or set a custom duration. MFA session durations are only checked during the login flow and do not affect a user's existing session. + +Access checks MFA sessions from most specific to least specific: + +1. **Policy MFA session duration** — If set, applies to users who match the policy. +2. **Application MFA session duration** — If set, applies to all users accessing the application. +3. **Global MFA session duration** — The default for all applications that do not specify their own duration. + +### Precedence example + +Consider the following configuration: + +```mermaid +flowchart TD + subgraph org["Organization"] + orgSettings["**Apply global MFA settings by default**,
**MFA methods**: Authenticator app + Security key,
**Authentication duration**: 24 hours"] + end + + subgraph appA["Application A"] + appASettings["**Respect global enforcement setting**
(inherits organization settings)"] + subgraph policies["Policies"] + policy1["Policy 1
**Custom MFA settings**,
**MFA methods**: Security keys only,
**Authentication duration**: 1 hour"] + policy2["Policy 2
**Disable MFA**"] + end + end + + subgraph appB["Application B"] + appBSettings["**Disable MFA**"] + end + + orgSettings --> appASettings + orgSettings -.->|"overridden"| appBSettings + appASettings -.->|"overridden by"| policy1 + appASettings -.->|"overridden by"| policy2 +``` + +In this example: + +- Users who access Application A and match Policy 1 must use a security key and re-authenticate every hour. +- Users who access Application A and match Policy 2 are not prompted for MFA. +- Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session. +- Users who access Application B are not prompted for MFA. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index ec40cf728c17829..fd4d44050df14ca 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx @@ -15,7 +15,7 @@ Access policies define the users who can log in to your Access applications. You To create a reusable Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Select **Add a policy**. 3. Enter a **Policy name**. 4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy. 
@@ -23,8 +23,9 @@ To create a reusable Access policy: 6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). - - [Purpose justificaton](/cloudflare-one/access-controls/policies/require-purpose-justification/) + - [Purpose justification](/cloudflare-one/access-controls/policies/require-purpose-justification/) - [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/) + - [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa) 8. Select **Save**. You can now add this policy to an [Access application](/cloudflare-one/access-controls/applications/http-apps/). @@ -33,7 +34,7 @@ You can now add this policy to an [Access application](/cloudflare-one/access-co To make changes to an existing Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Locate the policy you want to update and select **Configure**. 3. Once you have made the necessary changes, select **Save**. @@ -43,7 +44,7 @@ The updated policy is now in effect for all associated Access applications. To delete a reusable Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies** and locate the policy you want to delete. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies** and locate the policy you want to delete. 2. If the policy is used by an application, remove the policy from all associated applications. 3. Select **Delete**. 4. A pop-up message will ask you to confirm your decision to delete the policy. Select **Delete**. 
@@ -60,7 +61,7 @@ The Access policy builder allows you to test your rules before saving any change To test an individual Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Locate the policy you want to test and select **Configure**. 3. Go to **Policy tester** and select **Test policies**. @@ -72,7 +73,7 @@ You can test your Access application policies against your user population befor To test if users have access to an application: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. 2. Locate the application you want to test and select **Configure**. 3. Go to **Policies** > **Policy tester**. 4. To test all active users in your organization, select **Test policies**. diff --git a/src/content/docs/cloudflare-one/faq/general-faq.mdx b/src/content/docs/cloudflare-one/faq/general-faq.mdx index e4e5337301fe3b5..33210784cc39827 100644 --- a/src/content/docs/cloudflare-one/faq/general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/general-faq.mdx 
@@ -19,9 +19,10 @@ Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of ## Is multi-factor authentication supported? -Access is subjected to the MFA policies set in your identity provider. For example, users attempting to log in to an Access protected app might log in through Okta. Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. +Access supports two methods of enforcing MFA: -Access does not have an independent or out-of-band MFA feature. +- **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa). +- **Identity provider-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) set in your identity provider. For example, if your users are logging into an Access protected app through Okta, Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. ## Which browsers are supported? diff --git a/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx b/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx new file mode 100644 index 000000000000000..68e7abe6ce48426 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +(Optional) Configure [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for the application. 
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx index 351e44499ee1813..c3c150e406b3da3 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx @@ -23,11 +23,13 @@ import { Render } from "~/components" 12. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -13. +13. -14. Select **Next**. +14. -15. +15. Select **Next**. -16. Select **Save**. +16. + +17. Select **Save**.
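Review bot: In the mfa-requirements.mdx hunk, the policy procedure under "Configure independent MFA for a policy" says in step 2 "Choose an **Allow** policy and select **Configure**", but neither the section intro ("Each policy has the same three MFA options") nor the application procedure says the MFA options are limited to Allow policies; if the MFA block only appears for the Allow action, state that explicitly in both places so readers do not look for it on policies with other actions. Two smaller fixes in the same hunk: step 3 of the application procedure reads `select the **MFA**.tab.` and should be `select the **MFA** tab.`, and the mermaid diagram labels the two override edges inconsistently (`|"overridden"|` for Application B versus `|"overridden by"|` for the two policies); use one wording for both.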
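Review bot: In the four step-1 lines changed in policy-management.mdx, the new text reads `In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > ...`, while the same navigation line in the mfa-requirements.mdx hunk reads `In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > ...`; add the article "the" in policy-management.mdx so the procedures use one phrasing across the changed files.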
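Review bot: In the general-faq.mdx hunk, the Identity provider-based MFA bullet mixes tenses and drops a hyphen: "if your users are logging into an Access protected app through Okta, Okta would enforce an MFA check". Suggest "if your users log in to an Access-protected app through Okta, Okta enforces an MFA check before sending the authentication confirmation back to Cloudflare Access."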
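Review bot: In the policies selector table hunk, the Authentication Method row sends readers to `/cloudflare-one/access-controls/access-settings/independent-mfa/` for independent MFA, while the general-faq.mdx and policy-management.mdx hunks in this patch link to `/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa`. Since the row describes a policy selector, pointing it at the policy-level section (which itself links to the organization-level settings page as a prerequisite) keeps the cross-references consistent.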