From e41e91e91a7c9feec22a5711bf26f1fe06522e4a Mon Sep 17 00:00:00 2001 From: asamborski Date: Sat, 14 Mar 2026 20:07:48 -0700 Subject: [PATCH 01/21] Initial commit for independent MFA docs + changelog initial commit, missing the bulk of doc update --- .../access/2026-02-27-independent-mfa.mdx | 33 +++++++++++++++++++ .../team-and-resources/users/users.mdx | 1 + 2 files changed, 34 insertions(+) create mode 100644 src/content/changelog/access/2026-02-27-independent-mfa.mdx diff --git a/src/content/changelog/access/2026-02-27-independent-mfa.mdx b/src/content/changelog/access/2026-02-27-independent-mfa.mdx new file mode 100644 index 000000000000000..0f7d262cc06626d --- /dev/null +++ b/src/content/changelog/access/2026-02-27-independent-mfa.mdx 
@@ -0,0 +1,33 @@ +--- +title: Independent MFA for Access applications +description: Enforce multi-factor authentication for Access applications without relying on your identity provider. +date: 2026-03-06 +products: + - access +--- + +Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider. This feature addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides. + +Independent MFA supports the following authenticator types: + +- **TOTP** — Time-based one-time passwords using apps like Google Authenticator, Microsoft Authenticator, or Authy. +- **Security keys** — Hardware security keys such as YubiKeys. +- **Platform authenticators** — Biometric authentication including macOS Touch ID and Windows Hello. + +## Configuration levels + +You can configure MFA requirements at three levels: + +| Level | Description | +| --- | --- | +| **Organization** | Enforce MFA by default for all applications in your account. | +| **Application** | Require or disable MFA for a specific application. | +| **Policy** | Require or disable MFA for users who match a specific policy. | + +Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. + +## User enrollment + +Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/#/AddMfaDevice`. + +For more information, refer to [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements). 
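Review bot: the frontmatter `date: 2026-03-06` disagrees with the filename `2026-02-27-independent-mfa.mdx`; align the two before this lands (the next patch in the series renames the file, so squash that in here). In the Configuration levels section, add one sentence on the security consequence of "Settings at lower levels (policy) override settings at higher levels (organization)": a policy that disables MFA silently exempts its users from an org-wide requirement, so admins should audit policy-level overrides after turning on the organization default. The enrollment link `.cloudflareaccess.com/#/AddMfaDevice` is also written without a scheme, whereas the other team-domain URL in this series is written `https://.cloudflareaccess.com/...`; write this one as a full URL so it is copy-pasteable.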
diff --git a/src/content/docs/cloudflare-one/team-and-resources/users/users.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/users.mdx index 085a0792ee84522..eacc931f05e7f9f 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/users/users.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/users.mdx @@ -20,4 +20,5 @@ This page lists all users who have registered the WARP client or authenticated t * **User Registry identity**: Select the user's name to view their last seen identity. This identity is used to evaluate Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/). A refresh occurs when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via SCIM provisioning. To track how the user's identity has changed over time, go to the **Audit logs** tab. * **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/access-controls/access-settings/session-management/). * **Devices**: Devices registered to the user via WARP. +* **Multi-factor authentication**: If [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements) is enabled, this section shows the user's enrolled authenticators. Administrators can delete authenticators on behalf of users. * **Recent activities**: The user's five most recent Access login attempts. For more details, refer to your [authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). From 75f4f55497da6bc734e033db596d220b88c8199a Mon Sep 17 00:00:00 2001 
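Review bot: the new bullet names the section **Multi-factor authentication**, but independent-mfa.mdx in the next patch tells admins to look in the **MFA devices** section of the same user page; use one label in both places. The link `/cloudflare-one/access-controls/policies/mfa-requirements` also lacks the trailing slash that every other link in this list carries (`.../device-profiles/`, `.../session-management/`, `.../audit-logs/#authentication-audit-logs`).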
From: asamborski Date: Tue, 7 Apr 2026 15:40:46 -0700 Subject: [PATCH 02/21] First proper draft of MFA docs --- .../access/2026-02-27-independent-mfa.mdx | 33 ---- .../access/2026-03-06-independent-mfa.mdx | 33 ++++ .../access-settings/independent-mfa.mdx | 174 ++++++++++++++++++ .../access-settings/session-management.mdx | 14 +- .../http-apps/saas-apps/generic-oidc-saas.mdx | 6 +- .../http-apps/saas-apps/generic-saml-saas.mdx | 6 +- .../non-http/self-hosted-private-app.mdx | 12 +- .../access-controls/policies/index.mdx | 66 +++---- .../policies/mfa-requirements.mdx | 173 ++++++++++++++--- .../policies/policy-management.mdx | 13 +- .../docs/cloudflare-one/faq/general-faq.mdx | 5 +- .../access/configure-independent-mfa.mdx | 5 + .../self-hosted-app/generic-public-app.mdx | 10 +- 13 files changed, 433 insertions(+), 117 deletions(-) delete mode 100644 src/content/changelog/access/2026-02-27-independent-mfa.mdx create mode 100644 src/content/changelog/access/2026-03-06-independent-mfa.mdx create mode 100644 src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx create mode 100644 src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx diff --git a/src/content/changelog/access/2026-02-27-independent-mfa.mdx b/src/content/changelog/access/2026-02-27-independent-mfa.mdx deleted file mode 100644 index 0f7d262cc06626d..000000000000000 --- a/src/content/changelog/access/2026-02-27-independent-mfa.mdx +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: Independent MFA for Access applications -description: Enforce multi-factor authentication for Access applications without relying on your identity provider. -date: 2026-03-06 -products: - - access ---- - -Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider. This feature addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides. - -Independent MFA supports the following authenticator types: - -- **TOTP** — Time-based one-time passwords using apps like Google Authenticator, Microsoft Authenticator, or Authy. -- **Security keys** — Hardware security keys such as YubiKeys. -- **Platform authenticators** — Biometric authentication including macOS Touch ID and Windows Hello. - -## Configuration levels - -You can configure MFA requirements at three levels: - -| Level | Description | -| --- | --- | -| **Organization** | Enforce MFA by default for all applications in your account. | -| **Application** | Require or disable MFA for a specific application. | -| **Policy** | Require or disable MFA for users who match a specific policy. | - -Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. - -## User enrollment - -Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/#/AddMfaDevice`. - -For more information, refer to [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements). 
diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-03-06-independent-mfa.mdx new file mode 100644 index 000000000000000..56c3579cf65cedd --- /dev/null +++ b/src/content/changelog/access/2026-03-06-independent-mfa.mdx 
@@ -0,0 +1,33 @@ +--- +title: Independent MFA for Access applications +description: Enforce multi-factor authentication for Access applications without relying on your identity provider. +date: 2026-03-06 +products: + - access +--- + +Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). This feature addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides. + +Independent MFA supports the following authenticator types: + +- **Authenticator application** — Time-based one-time passwords using apps like Google Authenticator, Microsoft Authenticator, or Authy. +- **Security key** — Hardware security keys such as YubiKeys. +- **Biometrics** — Built-in device authenticators including macOS Touch ID, Face ID, and Windows Hello. + +## Configuration levels + +You can configure MFA requirements at three levels: + +| Level | Description | +| ---------------- | -------------------------------------------------------------- | +| **Organization** | Enforce MFA by default for all applications in your account. | +| **Application** | Require or turn off MFA for a specific application. | +| **Policy** | Require or turn off MFA for users who match a specific policy. | + +Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. + +## User enrollment + +Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/#/AddMfaDevice`. + +For more information, refer to [Enforce MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). 
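Review bot: this file is the 2026-02-27 entry deleted above plus wording changes, so the series reads more clearly as a rename (`git format-patch -M`) than as a delete followed by a create. The closing line now links to the `#enforce-independent-mfa` anchor in mfa-requirements.mdx; that file's hunk is not in this excerpt, so confirm the anchor exists, together with `#enroll-authenticators`, `#configure-independent-mfa-for-an-application` and `#mfa-session-duration`, which the other files in this patch link to.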
diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx new file mode 100644 index 000000000000000..6dbbe54aacbca22 --- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
@@ -0,0 +1,174 @@ +--- +pcx_content_type: how-to +title: Independent MFA +sidebar: + order: 4 +tags: + - Authentication +--- + +import { Tabs, TabItem, APIRequest } from "~/components"; + +Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional factor before granting access to the application. + +Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa), you must turn on independent MFA at the organization level. + +## Prerequisites + +- An [authentication domain](/cloudflare-one/setup/) set for your organization. + +## Turn on independent MFA + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. +2. In the **Allow multi-factor authentication (MFA)** section, select the authenticator types you want to allow in your organization: + - **Authenticator application** — Time-based one-time passwords from authenticator apps. + - **Security key** — Hardware security keys such as YubiKeys. + - **Biometrics** — Device-bound authenticators such as macOS Touch ID, Face ID, and Windows Hello. +3. Set a **Global MFA session duration**. This determines how long a successful MFA authentication remains valid before the user must authenticate again. The default is 24 hours. +4. Select **Save**. + + + +Send a `PUT` request to update your Access organization settings with MFA configuration: + + + +Set `allowed_authenticators` to an array containing one or more of: + +- `totp` — Authenticator application (time-based one-time passwords). +- `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello). +- `security_key` — Security keys (YubiKeys). + +Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). 
+ + + +After you turn on independent MFA, users can [enroll authenticators](/cloudflare-one/access-controls/policies/mfa-requirements/#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). + +## Enforce MFA for all applications + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. +2. In the **Allow multi-factor authentication (MFA)** section, select **Apply global MFA settings by default**. + + + +Send a `PUT` request with `mfa_required_for_all_apps` set to `true`: + + + + + +All Access applications will require MFA using the organization-level settings (allowed authenticators and session duration). Individual applications and policies can override this setting by selecting **Custom MFA settings** or **Disable MFA**. For more information, refer to [Configure independent MFA for an application](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application). + +:::note +The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. +::: + +## Turn off independent MFA + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. +2. In the **Allow multi-factor authentication (MFA)** section, toggle off all authenticator types. If any applications or policies use custom MFA settings, you must remove those custom settings first. + + + +Send a `PUT` request with an empty `allowed_authenticators` array: + + + + + +:::caution +Turning off independent MFA removes MFA enforcement from all applications. Verify that your identity provider MFA policies provide adequate coverage before you turn off this feature. 
+::: + +## Manage user authenticators + +Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events. + +### View user authenticators + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. +2. Select a user. +3. In the **MFA devices** section, view the user's enrolled authenticators. Each entry shows the MFA ID, device name, and the MFA method. + + + +Send a `GET` request to list all authenticators for a user: + + + + + +### Delete a user authenticator + +If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API. + + + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. +2. Select the user whose authenticator you want to delete. +3. In the **MFA devices** section, find the authenticator and select **Delete**. + +The user will need to enroll a new authenticator the next time they access an application that requires MFA. + + + +Send a `DELETE` request to remove a specific authenticator: + + + +Parameters: + +- `user_id` — The UUID of the user. You can find this in the user details under **Team & Resources** > **Users**. +- `authenticator_id` — The unique identifier for the authenticator. + + + +### Lockout recovery + +If a user loses access to all of their enrolled authenticators: + +1. Delete the user's authenticators using the steps above. +2. The user can then access a protected application and will be provided a link to enroll a new authenticator. +3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/#/AddMfaDevice`. + +:::note +To prevent lockouts, recommend that users enroll multiple authenticators (for example, a security key and an authenticator application) when available. +::: 
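Review bot: in Turn off independent MFA, the dashboard steps say custom MFA settings on applications and policies must be removed first, but the API steps only send a `PUT` with an empty `allowed_authenticators` array; state what the API does in that case (rejects the request, or clears the overrides), otherwise an automation author ends up in a different state than a dashboard user. Naming is inconsistent between the two tabs as well: the dashboard entry shows an "MFA ID", the API parameter is `authenticator_id`; say once that they are the same value, and likewise that the `user_id` described under Delete a user authenticator is the id the `GET` listing call takes. In Lockout recovery, deleting all of a user's authenticators is a second-factor reset, so add a line telling the admin to verify the user's identity out of band (help-desk call, manager confirmation) before deleting: an attacker who already holds the IdP credential and can talk an admin into deleting the authenticator bypasses the MFA requirement entirely, and the note about enrolling multiple authenticators does not cover that case.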
diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx index 566e56bc3359624..5589f09d3eb53b3 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx @@ -4,8 +4,8 @@ title: Session management sidebar: order: 2 tags: -- JSON web token (JWT) -- Authentication + - JSON web token (JWT) + - Authentication --- import { GlossaryTooltip, Render } from "~/components"; 
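Review bot: this hunk only re-indents the `tags` list in the frontmatter and has nothing to do with the feature; either drop it or mention the formatting pass in the commit message so reviewers are not hunting for a content change.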
@@ -16,9 +16,9 @@ A user session determines how long a user can access an Access application witho When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs): -| Token | Description | Expiration | Storage | -| ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- | -| Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration) | Your Cloudflare team domain | +| Token | Description | Expiration | Storage | +| ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | +| Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration) | Your Cloudflare team domain | | [Application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application. 
| [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application | The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP. @@ -32,6 +32,10 @@ In summary, Access checks sessions from most specific to least specific: 3. **[Application session](#application-session-duration)** — The default policy session duration for all policies in the application. 4. **[Global session](#global-session-duration)** — Controls how often the user must log in to the IdP across all applications. +:::note +If you use [independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration is managed separately from the sessions listed above. A user can have a valid application session but still be prompted for MFA if their MFA session has expired. For more information, refer to [MFA session duration](/cloudflare-one/access-controls/policies/mfa-requirements/#mfa-session-duration). +::: + Refer to the [Order of enforcement](#order-of-enforcement) flowchart for a visual representation. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx index eef34bc68194cfc..8fa11422e3a9744 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx 
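Review bot: the added note says the MFA session is managed separately, but the numbered summary above it (policy, application, global) and the Order of enforcement flowchart it points to still describe only three sessions; add where the MFA check sits in that order (for example, whether it runs after the application session is found valid) and update the flowchart, or readers cannot tell whether an expired MFA session forces a full IdP re-login or only a factor prompt. The table rewrite in the same hunk is whitespace-only column padding; keep it in a separate formatting commit so the one-line content change is easy to find.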
@@ -62,9 +62,11 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro 14. Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://.example-app.com`) but could be a different value. -15. +15. -16. Select **Save application**. +16. + +17. Select **Save application**. ## 3. Configure SSO in your SaaS application diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx index 6d626f0bd12c377..2b6b34ad78fd47f 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx @@ -58,9 +58,11 @@ If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, 14. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -15. +15. -16. Select **Save application**. +16. + +17. Select **Save application**. ## 3. Configure SSO in your SaaS application diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 5f33cdbd7210c73..d807a2745bdd959 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
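Review bot: both SaaS pages insert a new step before Select **Save application** and renumber the final step from 16 to 17; grep each page (and any pages linking into them) for literal references such as "step 16", since they now point one step off. The inserted step comes from a shared partial that the diffstat shows as five lines; check that its wording reads correctly in the SaaS context, where the MFA prompt happens on the Access login, not inside the SaaS application.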
@@ -63,24 +63,26 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce 11. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -12. (Optional) Turn on **Allow clientless access** to allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client. +12. + +13. (Optional) Turn on **Allow clientless access** to allow users to access this private hostname or IP without the Cloudflare One Client. Users who pass your Access policies will see a tile in their App Launcher which points to a prefixed URL such as `https://.cloudflareaccess.com/browser/https://wiki.internal.local/`. The link will route traffic to the application through [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). This setting is useful for users on unmanaged devices or contractors who cannot install a device client. :::note Ensure your [remote browser permissions](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) allow users of this application to open Clientless Web Isolation links. ::: -13. +14. -14. Select **Next**. +15. Select **Next**. -15. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/). -16. Select **Save**. +17. Select **Save**. Users can now connect to your private application after authenticating with Cloudflare Access. 
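Review bot: the new step 12 adds MFA configuration to a private (non-HTTP) application, but the closing line still says only "Users can now connect to your private application after authenticating with Cloudflare Access"; for a private hostname reached through the device client there is no browser redirect unless **Allow clientless access** (step 13) is on, so document how and where the additional factor is prompted for client-routed traffic, and whether the MFA session in that path is tied to the device or to the user. Readers deciding whether independent MFA actually protects their private apps need that sentence more than the SaaS pages do.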
diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 22e4cd25e182c57..a756bead86b3f0f 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx @@ -47,9 +47,9 @@ For example, this second configuration lets any user from Portugal with a `@team The Block action prevents users who meet certain critera from reaching an application behind Access. For example, the following policy blocks requests from Russian source IPs that are not on your [list of approved IPs](/cloudflare-one/reusable-components/lists/). -| Action | Rule type | Selector | Value | -| ------ | --------- | -------- | ----------------- | -| Block | Include | Country | `Russian Federation` | +| Action | Rule type | Selector | Value | +| ------ | --------- | -------- | ------------------------ | +| Block | Include | Country | `Russian Federation` | | | Exclude | IP list | `Corporate IP allowlist` | Block policies are best used in conjunction with [Allow policies](#allow) as a way to carve out exceptions in those Allow policies. Since Access is deny by default, users who do not match a Block policy will still be denied access unless they explicitly match an Allow policy. 
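Review bot: the only change in this hunk is column padding in the Block policy table; while you are in this section, fix `critera` to `criteria` in the unchanged sentence just above it ("The Block action prevents users who meet certain critera from reaching an application").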
@@ -96,11 +96,11 @@ Service Auth rules enforce authentication flows that do not require an identity Rule types determine how your criteria are combined to evaluate a user. All Access policies must contain at least one Include rule. This Include rule defines the initial pool of eligible users who can access an application. You can then add Exclude and Require rules to narrow the scope. -| Rule type | Logic | Effect | -|-----------|-------|--------| -| **Include** | OR | User must match at least one Include rule. | -| **Exclude** | NOT | User matching any Exclude criterion is denied access, even if they match an Include rule. | -| **Require** | AND | User must match all Require criteria in addition to matching an Include rule. | +| Rule type | Logic | Effect | +| ----------- | ----- | ----------------------------------------------------------------------------------------- | +| **Include** | OR | User must match at least one Include rule. | +| **Exclude** | NOT | User matching any Exclude criterion is denied access, even if they match an Include rule. | +| **Require** | AND | User must match all Require criteria in addition to matching an Include rule. | #### Require rules with OR operators 
@@ -136,28 +136,28 @@ When you add a rule to your policy, you will be asked to specify the criteria/at Non-identity attributes are polled continuously, meaning they are evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. -| Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | -| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | -| Emails | `you@company.com` | ✅ | ❌ | ✅ | -| Emails ending in | `@company.com` | ✅ | ❌ | ✅ | -| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | -| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | -| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | -| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | -| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ | -| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ | -| Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. 
| ✅ | ✅ | ❌ | -| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | -| User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | -| Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | -| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | -| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | -| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | -| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | -| Device posture | Checks device posture signals from the Cloudflare One Client or a third-party service provider. 
This selector only displays after you create a [device posture check](/cloudflare-one/reusable-components/posture-checks/). | ✅ | ✅ | ❌ | -| Warp | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/). | ✅ | ✅ | ❌ | -| Gateway | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. This selector only displays after you enable the [Gateway posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/). | ✅ | ✅ | ❌ | +| Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? | +| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | +| Emails | `you@company.com` | ✅ | ❌ | ✅ | +| Emails ending in | `@company.com` | ✅ | ❌ | ✅ | +| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/access-controls/policies/external-evaluation/) in an external API. | ✅ | ❌ | ✅ | +| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ | +| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ | +| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ | +| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ | +| Valid Certificate | The request will need to present any valid client certificate. 
| ✅ | ✅ | ❌ | +| Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | +| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | +| User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | +| Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | +| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | +| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-idp-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). | ✅ | ❌ | ✅ | +| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | +| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. 
| ✅ | ❌ | ✅ | +| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | +| Device posture | Checks device posture signals from the Cloudflare One Client or a third-party service provider. This selector only displays after you create a [device posture check](/cloudflare-one/reusable-components/posture-checks/). | ✅ | ✅ | ❌ | +| Warp | Checks that the device is connected to the Cloudflare One Client, including the consumer version. This selector only displays after you enable the [WARP posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-warp/). | ✅ | ✅ | ❌ | +| Gateway | Checks that the device is connected to your Zero Trust instance through the Cloudflare One Client. This selector only displays after you enable the [Gateway posture check](/cloudflare-one/reusable-components/posture-checks/client-checks/require-gateway/). | ✅ | ✅ | ❌ | 1 For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has 
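Review bot: the only content change in this selector table is the Authentication Method row (the link now targets `#enforce-idp-based-mfa` and a sentence pointing to independent MFA is added), but every row is re-emitted because all columns were re-padded, so the substantive edit is buried in a whole-table rewrite; consider landing the column-width reflow as a separate formatting commit, or say in the commit message that only the Authentication Method description changed. Since independent MFA is configured as an application or policy setting rather than as a selector, the added sentence could also say so explicitly, for example "Independent MFA is configured per application or policy, not through a selector; refer to ...", so readers do not look for an independent MFA row in this table.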
@@ -172,9 +172,9 @@ Connection context is configured per policy, allowing you to grant different per The available connection context settings depend on the application type: -| Application type | Available settings | -| --- | --- | -| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames | +| Application type | Available settings | +| ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------- | +| [Infrastructure (SSH)](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) | Allowed UNIX usernames | | [Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/#clipboard-controls) | Clipboard controls (copy/paste restrictions) | ## Order of execution diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index f042f7e8cdc4d6a..812fc15019b1b28 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx 
@@ -4,58 +4,181 @@ title: Enforce MFA sidebar: order: 6 tags: -- SAML -- JSON web token (JWT) -- Authentication + - SAML + - JSON web token (JWT) + - Authentication --- import { GlossaryTooltip } from "~/components"; -With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. +Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA): + +- **[Identity provider-based MFA](#enforce-idp-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). +- **[Independent MFA](#enforce-independent-mfa)** — Prompt users for a second factor directly in Access, without relying on your IdP. + +## Enforce IdP-based MFA -This feature is only available if you are using the following identity providers: +You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key through their IdP. + +IdP-based MFA enforcement is only available with the following identity providers: - Okta - Microsoft Entra ID (formerly Azure AD) - OpenID Connect (OIDC) - SAML -To enforce an MFA requirement to an application: +To enforce an IdP MFA requirement on an application: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. -2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/). +2. Find the application for which you want to enforce MFA and select **Configure**. 
Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/). -3. Go to **Policies**. +3. Go to **Policies**. -4. If your application already has a policy containing an identity requirement, find it and select **Configure**. +4. If your application already has a policy containing an identity requirement, find it and select **Configure**. - :::note - The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. - ::: + :::note + The policy should contain an Include rule that uses identity-based selectors. For example, the Include rule could allow users who are part of a [rule group](/cloudflare-one/access-controls/policies/groups/), email domain, or identity provider group. + ::: -5. Add the following rule to the policy: +5. Add the following rule to the policy: - | Rule type | Selector | Value | - | ---------- | -------- | ------ | - | Require | Authentication method | `mfa - multiple-factor authentication` | + | Rule type | Selector | Value | + | ---------- | -------- | ------ | + | Require | Authentication method | `mfa - multiple-factor authentication` | -6. Save the policy. +6. Save the policy. :::caution[Important] +If the user fails to present the required MFA method, Cloudflare Access rejects the user, even if they successfully log in to the identity provider with an alternative method. +::: + +### Authentication methods in the JWT + +When users authenticate with their identity provider, the IdP shares their username with Cloudflare Access. Access writes that value into the JSON Web Token (JWT) generated for the user. + +Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. 
For example, if the user authenticated with their password and a physical hard key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user. + +Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. + +## Enforce independent MFA + +Independent MFA prompts users for a second factor directly in Access. This allows you to set per-application and per-policy MFA requirements without relying on your IdP's MFA configuration. + +Before you configure independent MFA on applications or policies, you must [turn on independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/) at the organization level. + +### Supported authenticator types + +| Authenticator type | Description | +| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Authenticator application | Time-based one-time passwords generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. | +| Security key | YubiKeys, hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard, are supported. Users can enroll multiple security keys. | +| Biometrics | Built-in device authenticators that use WebAuthn, including macOS Touch ID, Face ID, and Windows Hello. | + +### Configure independent MFA for an application + +Each application has three MFA options: + +| Option | Behavior | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Respect global enforcement setting** | Uses the organization-level MFA configuration. 
If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. | +| **Custom MFA settings** | Overrides the organization setting with application-specific allowed authenticators and session duration. | +| **Disable MFA** | Users are not prompted for independent MFA when accessing this application, even if MFA is required globally. | + +To configure MFA for an application: + +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. +2. Find the application you want to configure and select **Configure**. +3. In the **Allow multi-factor authentication (MFA)** section, select an option: + - To inherit the organization setting, select **Respect global enforcement setting**. + - To set custom requirements, select **Custom MFA settings**, then configure the **Allowed authenticators** and **MFA session duration**. + - To exempt the application from MFA, select **Disable MFA**. +4. Select **Save**. + +### Configure independent MFA for a policy + +Each policy has the same three MFA options mentioned above. **Policy-level settings override application-level settings.** -**What happens if the user fails to present the required MFA method?** +1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. +2. Choose an **Allow** policy and select **Configure**. +3. In the **Access enforcement** section, select an option: + - To inherit the application or organization setting, select **Respect global enforcement setting**. + - To set custom requirements for users who match this policy, select **Custom MFA settings**, then configure the **Allowed authenticators** and **MFA session duration**. + - To exempt users who match this policy from MFA, select **Disable MFA**. +4. Select **Save**. 
-Cloudflare Access will reject the user, even if they successfully login to the identity provider with an alternative method. +### MFA session duration +The MFA session duration determines how long a successful MFA authentication remains valid. After the session expires, the user must complete MFA again on their next request. You can require users to MFA on each access or set a custom duration. + +Access checks MFA sessions from most specific to least specific: + +1. **Policy MFA session duration** — If set, applies to users who match the policy. +2. **Application MFA session duration** — If set, applies to all users accessing the application. +3. **Global MFA session duration** — The default for all applications that do not specify their own duration. + +The MFA session is separate from the [Access application session](/cloudflare-one/access-controls/access-settings/session-management/). A user can have a valid application session but still be prompted for MFA if the MFA session has expired. + +### Precedence example + +Consider the following configuration: + +- **Organization**: MFA required for all applications, authenticator application and security key allowed, 24-hour session. +- **Application A**: Set to **Respect global enforcement setting**. Inherits the organization settings. +- **Application B**: Set to **Disable MFA**. +- **Application A, Policy 1**: Set to **Custom MFA settings** — security keys only, 1-hour session. +- **Application A, Policy 2**: Set to **Disable MFA**. + +In this example: + +- Users who access Application A and match Policy 1 must use a security key and re-authenticate every hour. +- Users who access Application A and match Policy 2 are not prompted for MFA. +- Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session. +- Users who access Application B are not prompted for MFA. 
+ +### Enroll authenticators + +Users enroll authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). Users must have an active Cloudflare account, meaning they have logged in to their Cloudflare organization at least once. + +To enroll: + +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Log in with your identity provider or with one-time PIN (OTP). +3. In the App Launcher, go to your name in the top right corner > Account > MFA devices > Add an MFA device. +4. Select the authenticator type you want to enroll and follow the on-screen instructions. + +Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/#/AddMfaDevice` + +#### Authenticator application + +1. Select **Authenticator application**. +2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). +3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment. + +:::note +You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one. ::: -## Adding authentication methods into the JWT +#### Security keys -When users authenticate with their identity provider, the identity provider then shares their username with Cloudflare Access. Cloudflare Access then writes that value into the JSON Web Token (JWT) generated for the user. +1. Select **Security key**. +2. When your browser prompts you, insert your security key and follow the on-screen instructions. +3. After your browser confirms the registration, the security key is enrolled. -Certain identity providers can also share the multifactor authentication (MFA) method presented by the user to login. Cloudflare Access can add these values into the JWT and force. 
For example, if the user authenticated with their password and a physical hard key, the identity provider can send a confirmation to Cloudflare Access. +You can enroll multiple security keys for backup purposes. -Cloudflare Access then stores that method into the same JWT issued to the user. +#### Biometrics -Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. +1. Select **Biometrics** > **Register biometrics**. +2. You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**). +3. After your browser confirms the registration, the platform authenticator is enrolled. + +### Delete an authenticator + +Users can delete their own authenticators from the App Launcher: + +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Navigate to your name in the top right corner > Account > MFA devices. +3. From the 3-dotted menu next to the MFA device, select **Remove MFA device**. + +Administrators can also [delete authenticators on behalf of users](/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator). diff --git a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index 93aa265870ea7fc..29db4bdcbaf3fa2 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx 
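Review bot: in the "Precedence example", the bullet "Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session" does not hold as written: if Policy 1 and Policy 2 are the only policies on Application A, a user who matches neither has no Allow policy and is denied before MFA is evaluated. Either add a third policy to the setup (for example "Application A, Policy 3: Set to Respect global enforcement setting") and refer to it in that bullet, or reword the bullet to "Users who match any other Allow policy on Application A". Two smaller points in the same hunk: the Security key row reads "YubiKeys, hardware security keys that support the WebAuthn standard, are supported", which should be "YubiKeys and other hardware security keys that support the WebAuthn standard", and "You can require users to MFA on each access" uses MFA as a verb; "complete MFA on each access" is clearer. Finally, the enrollment steps say users may "Log in with your identity provider or with one-time PIN (OTP)"; since enrolling an authenticator is what later satisfies the MFA check, it is worth stating that enrollment is protected only by that App Launcher login, so administrators can decide whether to allow OTP on the App Launcher policy.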
@@ -13,7 +13,7 @@ Access policies define the users who can log in to your Access applications. You To create a reusable Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Select **Add a policy**. 3. Enter a **Policy name**. 4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy. @@ -21,8 +21,9 @@ To create a reusable Access policy: 6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). - - [Purpose justificaton](/cloudflare-one/access-controls/policies/require-purpose-justification/) + - [Purpose justification](/cloudflare-one/access-controls/policies/require-purpose-justification/) - [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/) + - [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa) 8. Select **Save**. You can now add this policy to an [Access application](/cloudflare-one/access-controls/applications/http-apps/). @@ -31,7 +32,7 @@ You can now add this policy to an [Access application](/cloudflare-one/access-co To make changes to an existing Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Locate the policy you want to update and select **Configure**. 3. Once you have made the necessary changes, select **Save**. 
@@ -41,7 +42,7 @@ The updated policy is now in effect for all associated Access applications. To delete a reusable Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies** and locate the policy you want to delete. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies** and locate the policy you want to delete. 2. If the policy is used by an application, remove the policy from all associated applications. 3. Select **Delete**. 4. A pop-up message will ask you to confirm your decision to delete the policy. Select **Delete**. @@ -58,7 +59,7 @@ The Access policy builder allows you to test your rules before saving any change To test an individual Access policy: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Policies**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Locate the policy you want to test and select **Configure**. 3. Go to **Policy tester** and select **Test policies**. @@ -70,7 +71,7 @@ You can test your Access application policies against your user population befor To test if users have access to an application: -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Access controls** > **Applications**. +1. In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. 2. Locate the application you want to test and select **Configure**. 3. Go to **Policies** > **Policy tester**. 4. To test all active users in your organization, select **Test policies**. diff --git a/src/content/docs/cloudflare-one/faq/general-faq.mdx b/src/content/docs/cloudflare-one/faq/general-faq.mdx index 24ca17331b2511c..9c6fcd9454850e3 100644 --- a/src/content/docs/cloudflare-one/faq/general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/general-faq.mdx 
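Review bot: the navigation step in all five policy-management.mdx hunks now reads "In [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > ...", while the mfa-requirements.mdx edits in this same patch use "In the [Cloudflare dashboard](...)"; pick one form for the rename (the version with the article reads correctly) so the wording is consistent across the patch. The "justificaton" spelling fix is good to land alongside.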
@@ -17,9 +17,10 @@ Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of ## Is multi-factor authentication supported? -Access is subjected to the MFA policies set in your identity provider. For example, users attempting to log in to an Access protected app might log in through Okta. Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. +Access supports two methods of enforcing MFA: -Access does not have an independent or out-of-band MFA feature. +- **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). +- **IdP-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-idp-based-mfa) set in your identity provider. For example, users attempting to log in to an Access protected app might log in through Okta. Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. ## Which browsers are supported? diff --git a/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx b/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx new file mode 100644 index 000000000000000..68e7abe6ce48426 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/configure-independent-mfa.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +(Optional) Configure [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for the application. 
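Review bot: the new "Independent MFA" bullet in the FAQ says Access prompts users "directly, without relying on your identity provider", which a reader can take to mean the IdP login is replaced; the feature adds a second prompt after the usual IdP (or one-time PIN) sign-in, as the independent-mfa.mdx text later in this series puts it ("Users authenticate with their IdP as usual, and Access prompts for an additional factor"). Suggest "Access prompts users for a second factor after they sign in, independently of any MFA configured in your identity provider." The removed sentence "Access does not have an independent or out-of-band MFA feature" is correctly dropped rather than softened.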
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx index 351e44499ee1813..c3c150e406b3da3 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx @@ -23,11 +23,13 @@ import { Render } from "~/components" 12. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -13. +13. -14. Select **Next**. +14. -15. +15. Select **Next**. -16. Select **Save**. +16. + +17. Select **Save**. From fbbb658992574668d347ff7fde330d49e6804eac Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 8 Apr 2026 19:11:32 -0400 Subject: [PATCH 03/21] independent-mfa updates --- .../access-settings/independent-mfa.mdx | 134 ++++++++++-------- .../policies/mfa-requirements.mdx | 63 +------- 2 files changed, 81 insertions(+), 116 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 6dbbe54aacbca22..111230e722721d7 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
@@ -7,31 +7,36 @@ tags: - Authentication --- -import { Tabs, TabItem, APIRequest } from "~/components"; +import { Tabs, TabItem, APIRequest, Details } from "~/components"; -Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional factor before granting access to the application. +Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application. -Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa), you must turn on independent MFA at the organization level. - -## Prerequisites +## Supported MFA methods -- An [authentication domain](/cloudflare-one/setup/) set for your organization. +| MFA method | Description | +| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. | +| Security key | YubiKeys and hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys. | +| Biometrics | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. 
| ## Turn on independent MFA +Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa), you must turn on independent MFA at the organization level. + 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. -2. In the **Allow multi-factor authentication (MFA)** section, select the authenticator types you want to allow in your organization: - - **Authenticator application** — Time-based one-time passwords from authenticator apps. - - **Security key** — Hardware security keys such as YubiKeys. - - **Biometrics** — Device-bound authenticators such as macOS Touch ID, Face ID, and Windows Hello. -3. Set a **Global MFA session duration**. This determines how long a successful MFA authentication remains valid before the user must authenticate again. The default is 24 hours. +2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization. +3. Set an **Authentication duration**. This setting determines how long a successful MFA authentication remains valid before the user must authenticate again. The default is 24 hours. +4. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies. + :::note + The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. + ::: 4. Select **Save**. 
-Send a `PUT` request to update your Access organization settings with MFA configuration: +Send a `PUT` request to update your Zero Trust organization with MFA settings: 
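Review bot: this hunk deletes the "Prerequisites" section ("An authentication domain set for your organization"), but the enrollment steps later in the same file still send users to `.cloudflareaccess.com`, so the prerequisite still applies; keep it, or fold it into the first sentence of "Turn on independent MFA". The step list in that section also ends up with two items numbered 4 (the added "(Optional) To apply your MFA methods and authentication duration..." and the retained "Select **Save**"); renumber Save to 5. Lastly, the new note that the App Launcher is exempt from the global MFA requirement has a security consequence worth stating next to it: the enrollment page is then protected only by the App Launcher's own Access policy and the IdP or OTP login, so administrators should keep that policy as strict as their most sensitive application.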
@@ -48,67 +54,90 @@ Set `allowed_authenticators` to an array containing one or more of: - `totp` — Authenticator application (time-based one-time passwords). - `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello). -- `security_key` — Security keys (YubiKeys). +- `security_key` — Security keys (YubiKeys) -Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). +Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`. -After you turn on independent MFA, users can [enroll authenticators](/cloudflare-one/access-controls/policies/mfa-requirements/#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). +After you turn on independent MFA, users can [enroll authenticators](#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). -## Enforce MFA for all applications +## Turn off independent MFA + +:::caution +Turning off independent MFA removes MFA enforcement from all Cloudflare Access applications. Verify that your Access policies provide adequate coverage before you turn off this feature. +::: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. -2. In the **Allow multi-factor authentication (MFA)** section, select **Apply global MFA settings by default**. +2. Under **Allow multi-factor authentication (MFA)**, turn off all **MFA methods**. If any applications or policies use [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), you must remove those custom settings first. 
-Send a `PUT` request with `mfa_required_for_all_apps` set to `true`: +Send a `PUT` request with an empty `allowed_authenticators` array: -All Access applications will require MFA using the organization-level settings (allowed authenticators and session duration). Individual applications and policies can override this setting by selecting **Custom MFA settings** or **Disable MFA**. For more information, refer to [Configure independent MFA for an application](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application). +## Enroll authenticators -:::note -The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. -::: +Users enroll authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). -## Turn off independent MFA +To enroll an authenticator: - +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Log in with your identity provider or with a one-time PIN (OTP). +3. Go to **Account** > **MFA devices** > **Add an MFA device**. + :::note + Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/AddMfaDevice + ::: +4. Select the authenticator type you want to enroll and follow the on-screen instructions. -1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. -2. In the **Allow multi-factor authentication (MFA)** section, toggle off all authenticator types. If any applications or policies use custom MFA settings, you must remove those custom settings first. +
+ 1. Select **Authenticator application**. + 2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). + 3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment. - + :::note + You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one. + ::: +
-Send a `PUT` request with an empty `allowed_authenticators` array: +
+ 1. Select **Security key**. + 2. When your browser prompts you, insert your security key and follow the on-screen instructions. + 3. After your browser confirms the registration, the security key is enrolled. - + You can enroll multiple security keys for backup purposes. +
-
+
+ 1. Select **Biometrics** > **Register biometrics**. + 2. You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**). + 3. After your browser confirms the registration, the platform authenticator is enrolled. +
-:::caution -Turning off independent MFA removes MFA enforcement from all applications. Verify that your identity provider MFA policies provide adequate coverage before you turn off this feature. -::: +You can now use these authenticators to log in to your organization's applications. + +### Delete an authenticator + +Users can delete their own authenticators from the App Launcher: + +1. Go to your organization's App Launcher at `.cloudflareaccess.com`. +2. Go to **Account** > **MFA devices**. +3. Select the 3-dot menu next to the MFA device, then select **Remove MFA device**. + +Administrators can also [delete authenticators on behalf of users](/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator). ## Manage user authenticators @@ -116,22 +145,11 @@ Administrators can view and delete authenticators enrolled by users. This is use ### View user authenticators - +To view a user's enrolled authenticators: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. 2. Select a user. -3. In the **MFA devices** section, view the user's enrolled authenticators. Each entry shows the MFA ID, device name, and the MFA method. - - - -Send a `GET` request to list all authenticators for a user: - - - - +3. Go to **MFA devices**. Each entry shows the authenticator's ID, its user-configured name, and the MFA method. ### Delete a user authenticator @@ -141,7 +159,7 @@ If a user is locked out or you need to revoke an authenticator for security reas 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**. 2. Select the user whose authenticator you want to delete. -3. In the **MFA devices** section, find the authenticator and select **Delete**. +3. Under **MFA devices**, find the authenticator and select **Delete**. The user will need to enroll a new authenticator the next time they access an application that requires MFA. 
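Review bot: in hunk @@ -48,67 the rewritten `security_key` bullet drops its trailing period, so it no longer matches the `totp` and `biometrics` bullets beside it; restore the period after `(YubiKeys)`. Two more points in the same hunk: the enrollment-link admonition added under step 3 is missing its closing backtick after `AddMfaDevice`, which leaves an unterminated code span inside the `:::note` block in MDX, and "To require MFA on every access, use `0m`" promises more than the feature delivers, since the MFA session duration text in mfa-requirements.mdx states that the duration is only checked during the login flow and does not affect an existing session; "on every Access login" is the accurate wording.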
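Review bot: hunk @@ -116,22 removes the API path for listing a user's authenticators ("Send a `GET` request to list all authenticators for a user:") and leaves only the dashboard steps, while the delete section that follows appears to keep its API call (the context line of hunk @@ -165,10 is `Parameters:`). If the list endpoint still exists, keep it documented here: an administrator scripting lockout recovery needs the authenticator ID that the new step 3 says is shown in the dashboard, and the API delete call has nothing to reference without a way to retrieve it.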
@@ -165,10 +183,10 @@ Parameters: If a user loses access to all of their enrolled authenticators: -1. Delete the user's authenticators using the steps above. +1. [Delete](#delete-a-user-authenticator) the user's authenticators. 2. The user can then access a protected application and will be provided a link to enroll a new authenticator. 3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/#/AddMfaDevice`. -:::note +:::tip To prevent lockouts, recommend that users enroll multiple authenticators (for example, a security key and an authenticator application) when available. ::: diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index 812fc15019b1b28..5c0a7b96b08d4dd 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx @@ -14,9 +14,9 @@ import { GlossaryTooltip } from "~/components"; Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA): - **[Identity provider-based MFA](#enforce-idp-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). -- **[Independent MFA](#enforce-independent-mfa)** — Prompt users for a second factor directly in Access, without relying on your IdP. +- **[Independent MFA](#enforce-independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider. -## Enforce IdP-based MFA +## Identity provider MFA You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key through their IdP. 
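Review bot: step 3 of the lockout-recovery list in hunk @@ -165,10 still gives the enrollment link as `.cloudflareaccess.com/#/AddMfaDevice`, while the enrollment admonition added earlier in this same file uses `.cloudflareaccess.com/AddMfaDevice`. Only one of these can be the route the App Launcher serves; settle on it and use the same form in both places and in the changelog entry, otherwise one of the two links an administrator copies from the docs will fail.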
@@ -61,19 +61,13 @@ Certain identity providers also share the MFA method presented by the user. Acce Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. -## Enforce independent MFA +## Independent MFA Independent MFA prompts users for a second factor directly in Access. This allows you to set per-application and per-policy MFA requirements without relying on your IdP's MFA configuration. -Before you configure independent MFA on applications or policies, you must [turn on independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/) at the organization level. - -### Supported authenticator types +### Prerequisites -| Authenticator type | Description | -| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Authenticator application | Time-based one-time passwords generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. | -| Security key | YubiKeys, hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard, are supported. Users can enroll multiple security keys. | -| Biometrics | Built-in device authenticators that use WebAuthn, including macOS Touch ID, Face ID, and Windows Hello. | +Before you configure independent MFA on applications or policies, you must [turn on independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/) at the organization level. ### Configure independent MFA for an application 
@@ -135,50 +129,3 @@ In this example: - Users who access Application A and match Policy 2 are not prompted for MFA. - Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session. - Users who access Application B are not prompted for MFA. - -### Enroll authenticators - -Users enroll authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). Users must have an active Cloudflare account, meaning they have logged in to their Cloudflare organization at least once. - -To enroll: - -1. Go to your organization's App Launcher at `.cloudflareaccess.com`. -2. Log in with your identity provider or with one-time PIN (OTP). -3. In the App Launcher, go to your name in the top right corner > Account > MFA devices > Add an MFA device. -4. Select the authenticator type you want to enroll and follow the on-screen instructions. - -Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/#/AddMfaDevice` - -#### Authenticator application - -1. Select **Authenticator application**. -2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). -3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment. - -:::note -You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one. -::: - -#### Security keys - -1. Select **Security key**. -2. When your browser prompts you, insert your security key and follow the on-screen instructions. -3. After your browser confirms the registration, the security key is enrolled. - -You can enroll multiple security keys for backup purposes. - -#### Biometrics - -1. Select **Biometrics** > **Register biometrics**. -2. 
You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**). -3. After your browser confirms the registration, the platform authenticator is enrolled. - -### Delete an authenticator - -Users can delete their own authenticators from the App Launcher: - -1. Go to your organization's App Launcher at `.cloudflareaccess.com`. -2. Navigate to your name in the top right corner > Account > MFA devices. -3. From the 3-dotted menu next to the MFA device, select **Remove MFA device**. - -Administrators can also [delete authenticators on behalf of users](/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator). From 6e46087a758eadbd66f49d459507540f310c9375 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 14:32:09 -0400 Subject: [PATCH 04/21] small changelog edits --- src/content/changelog/access/2026-03-06-independent-mfa.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-03-06-independent-mfa.mdx index 56c3579cf65cedd..c479025e6055997 100644 --- a/src/content/changelog/access/2026-03-06-independent-mfa.mdx +++ b/src/content/changelog/access/2026-03-06-independent-mfa.mdx @@ -10,7 +10,7 @@ Cloudflare Access now supports independent multi-factor authentication (MFA), al Independent MFA supports the following authenticator types: -- **Authenticator application** — Time-based one-time passwords using apps like Google Authenticator, Microsoft Authenticator, or Authy. +- **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy. - **Security key** — Hardware security keys such as YubiKeys. - **Biometrics** — Built-in device authenticators including macOS Touch ID, Face ID, and Windows Hello. 
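Review bot: moving the enrollment sections out of mfa-requirements.mdx in hunk @@ -135,50 silently drops a requirement the original stated: "Users must have an active Cloudflare account, meaning they have logged in to their Cloudflare organization at least once." The copy now in independent-mfa.mdx opens with "Users enroll authenticators through the App Launcher" and has no equivalent sentence, so anyone troubleshooting an enrollment failure for a user who has never logged in loses that hint; carry the sentence over to the new location.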
@@ -28,6 +28,6 @@ Settings at lower levels (policy) override settings at higher levels (organizati ## User enrollment -Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/#/AddMfaDevice`. +Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/AddMfaDevice`. -For more information, refer to [Enforce MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). +To get started with Independent MFA, refer to [Independent MFA](/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa/). From d1a6154cf305076cbcbadc9257665335efd6872a Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 14:33:14 -0400 Subject: [PATCH 05/21] edit lockout recovery note --- .../access-controls/access-settings/independent-mfa.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 111230e722721d7..c31ed68daf3bfdb 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
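Review bot: the new link target in hunk @@ -28,6, `/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa/`, is the repository source path rather than the published URL; every other link in these files, including the line this one replaces, uses the site path form (`/cloudflare-one/access-controls/access-settings/independent-mfa/`). Use the site path, or the changelog entry ships with a dead link.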
@@ -188,5 +188,5 @@ If a user loses access to all of their enrolled authenticators: 3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/#/AddMfaDevice`. :::tip -To prevent lockouts, recommend that users enroll multiple authenticators (for example, a security key and an authenticator application) when available. +To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available. ::: From b019daf571ce3738cfd7122ff07f329b8f94c134 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 14:43:23 -0400 Subject: [PATCH 06/21] clarify PUT instructions --- .../access-settings/independent-mfa.mdx | 75 ++++++++++++------- 1 file changed, 47 insertions(+), 28 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index c31ed68daf3bfdb..068c3ea43de1b27 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
@@ -36,27 +36,36 @@ Before you can [enforce independent MFA on applications and policies](/cloudflar -Send a `PUT` request to update your Zero Trust organization with MFA settings: +1. Get your existing Zero Trust organization configuration: - + + +2. Send a `PUT` request to update your organization's MFA settings. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. -Set `allowed_authenticators` to an array containing one or more of: + -- `totp` — Authenticator application (time-based one-time passwords). -- `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello). -- `security_key` — Security keys (YubiKeys) + Set `allowed_authenticators` to an array containing one or more of: -Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`. + - `totp` — Authenticator application (time-based one-time passwords). + - `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello). + - `security_key` — Security keys (YubiKeys) + + Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`. @@ -75,17 +84,27 @@ Turning off independent MFA removes MFA enforcement from all Cloudflare Access a -Send a `PUT` request with an empty `allowed_authenticators` array: - +1. Get your existing Zero Trust organization configuration: + + + +2. Send a `PUT` request with an empty `allowed_authenticators` array. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. + + 
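Review bot: step 2 in hunk @@ -36,27 says the `PUT` body "should contain all fields returned by the previous `GET` request"; if the endpoint replaces the organization object rather than merging into it, that is a hard requirement and should read "must", with one sentence saying that omitted fields are reset, because this is the step that can silently wipe unrelated organization settings. The same two-step GET/PUT text is repeated verbatim in the turn-off hunk @@ -75,17 below; consider a shared partial so the two copies cannot drift apart.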
@@ -99,7 +118,7 @@ To enroll an authenticator: 2. Log in with your identity provider or with a one-time PIN (OTP). 3. Go to **Account** > **MFA devices** > **Add an MFA device**. :::note - Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/AddMfaDevice + Administrators can also share a direct enrollment link to help onboard users: `.cloudflareaccess.com/AddMfaDevice` ::: 4. Select the authenticator type you want to enroll and follow the on-screen instructions. From 842beb8338bc465ff24d8ce3f36d4e3627d11d38 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 18:19:42 -0400 Subject: [PATCH 07/21] clarify MFA duration --- .../access-controls/access-settings/independent-mfa.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 068c3ea43de1b27..1510e2fde98383a 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx 
@@ -27,7 +27,7 @@ Before you can [enforce independent MFA on applications and policies](/cloudflar 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. 2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization. -3. Set an **Authentication duration**. This setting determines how long a successful MFA authentication remains valid before the user must authenticate again. The default is 24 hours. +3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. If the MFA duration has expired, the user must complete MFA in addition to IdP authentication. 4. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies. :::note The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. From 85164290695ea1e75beac93bedb9040a93a86026 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 18:28:58 -0400 Subject: [PATCH 08/21] CF_Device cookie --- .../applications/http-apps/authorization-cookie/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx index 120dbd5cc04f27f..e7a924e7105b0a7 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx 
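Review bot: the rewritten step 3 in hunk @@ -27,7 drops the default value that the replaced sentence stated ("The default is 24 hours."). The new sentence explains the behaviour better, but an administrator reading the page no longer learns what they get if they never touch the field; keep the default in the new wording, for example by ending the step with "The default is 24 hours."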
+++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx @@ -69,7 +69,7 @@ The following Access cookies are essential to Access functionality. Cookies that | Details | Expiration | HttpOnly | SameSite | Required? | | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- | -| Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) | 30 days | Yes | Strict | Required | +| Cookie set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name), used to prevent abuse of [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/) and [multi-factor authentication](/cloudflare-one/access-controls/access-settings/independent-mfa/) flows | 30 days | Yes | Strict | Required | ## Cookie settings From 08850a220cf1fe0161b337e16e417dc18fc3dadc Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 19:30:34 -0400 Subject: [PATCH 09/21] MFA sessions --- .../access-settings/session-management.mdx | 7 +- .../policies/mfa-requirements.mdx | 69 +++++++++++++------ 2 files changed, 51 insertions(+), 25 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx index 5589f09d3eb53b3..1585e9b73a1b94b 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx 
@@ -32,10 +32,6 @@ In summary, Access checks sessions from most specific to least specific: 3. **[Application session](#application-session-duration)** — The default policy session duration for all policies in the application. 4. **[Global session](#global-session-duration)** — Controls how often the user must log in to the IdP across all applications. -:::note -If you use [independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration is managed separately from the sessions listed above. A user can have a valid application session but still be prompted for MFA if their MFA session has expired. For more information, refer to [MFA session duration](/cloudflare-one/access-controls/policies/mfa-requirements/#mfa-session-duration). -::: - Refer to the [Order of enforcement](#order-of-enforcement) flowchart for a visual representation. 
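Review bot: hunk @@ -32,10 removes the only mention of independent MFA from the session summary, and the surrounding context (the four-item "most specific to least specific" list and the pointer to the Order of enforcement flowchart) is not updated, so a reader of the summary has no way to discover the MFA session duration section this patch adds further down. Add a one-line item or sentence under the list that links to `#mfa-session-duration`, and check that the flowchart the next sentence refers to reflects the MFA step.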
@@ -100,6 +96,9 @@ Users who match a policy configured with a _Same as application session timeout_ When [Device authentication identity](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-client-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration takes precedence over all other session durations (application, policy, and global). As long as the Cloudflare One Client session is valid and the user is running the Cloudflare One Client, the user will not be prompted to re-authenticate with the IdP — even if the global session has expired. +### MFA session duration +If you use [independent multi-factor authentication (MFA)](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. When a user logs in to an Access app, Access compares the age of the [`CF_Device` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf_device) against the configured MFA duration — if the cookie is older, the user must complete an additional MFA step after authenticating with the IdP. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)). + ### Order of enforcement The following flowchart illustrates how Access enforces user sessions for a self-hosted application. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index 5c0a7b96b08d4dd..ea9c89e572a81ad 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx 
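Review bot: the new `### MFA session duration` heading in hunk @@ -100,6 is followed directly by its paragraph with no blank line, unlike `### Order of enforcement` two lines below, which has one; insert the blank line so the file stays consistent. The paragraph also packs four separate facts into one line (what the duration controls, its independence from the other sessions, the `CF_Device` cookie age check, and that it does not affect the application token); splitting it into two or three sentences on their own lines would make later diffs to this section reviewable.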
@@ -16,16 +16,16 @@ Cloudflare Access supports two methods of enforcing multi-factor authentication - **[Identity provider-based MFA](#enforce-idp-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). - **[Independent MFA](#enforce-independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider. -## Identity provider MFA +## Identity provider-based MFA You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key through their IdP. IdP-based MFA enforcement is only available with the following identity providers: -- Okta -- Microsoft Entra ID (formerly Azure AD) -- OpenID Connect (OIDC) -- SAML +- [Okta](/cloudflare-one/integrations/identity-providers/okta/) +- [Microsoft Entra ID (formerly Azure AD)](/cloudflare-one/integrations/identity-providers/entra-id/) +- [Generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) +- [Generic SAML 2.0](/cloudflare-one/integrations/identity-providers/generic-saml/) To enforce an IdP MFA requirement on an application: 
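Review bot: the two list items at the top of hunk @@ -16,16 still link to `#enforce-idp-based-mfa` and `#enforce-independent-mfa`, but this hunk renames the heading to `## Identity provider-based MFA` and the earlier patch already renamed the other to `## Independent MFA`, so both in-page anchors are dead. Update them to `#identity-provider-based-mfa` and `#independent-mfa`, the slugs PATCH 10 uses when it fixes the same links in policies/index.mdx.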
@@ -63,7 +63,17 @@ Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authe ## Independent MFA -Independent MFA prompts users for a second factor directly in Access. This allows you to set per-application and per-policy MFA requirements without relying on your IdP's MFA configuration. +Independent MFA prompts users for a second factor directly in Access. This allows you to enforce MFA requirements without relying on your IdP's MFA configuration. + +You can configure MFA requirements at three levels: + +| Level | Description | +| ---------------- | -------------------------------------------------------------- | +| [Organization](/cloudflare-one/access-controls/access-settings/independent-mfa/) | Enforce MFA by default for all applications in your account. | +| [Application](#configure-independent-mfa-for-an-application) | Require or turn off MFA for a specific application. | +| [Policy](#configure-independent-mfa-for-a-policy) | Require or turn off MFA for users who match a specific policy. | + +Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement. ### Prerequisites 
@@ -75,7 +85,7 @@ Each application has three MFA options: | Option | Behavior | | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Respect global enforcement setting** | Uses the organization-level MFA configuration. If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. | +| **Respect global enforcement setting** | Uses the [organization-level](/cloudflare-one/access-controls/access-settings/independent-mfa/) MFA configuration. If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. | | **Custom MFA settings** | Overrides the organization setting with application-specific allowed authenticators and session duration. | | **Disable MFA** | Users are not prompted for independent MFA when accessing this application, even if MFA is required globally. | 
@@ -83,27 +93,28 @@ To configure MFA for an application: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. 2. Find the application you want to configure and select **Configure**. -3. In the **Allow multi-factor authentication (MFA)** section, select an option: +3. Select the **Login settings** tab. +4. Under **Allow multi-factor authentication (MFA)**, select one of the following options: - To inherit the organization setting, select **Respect global enforcement setting**. - - To set custom requirements, select **Custom MFA settings**, then configure the **Allowed authenticators** and **MFA session duration**. + - To set custom requirements, select **Custom MFA settings**, then configure the [allowed MFA methods](/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration). - To exempt the application from MFA, select **Disable MFA**. -4. Select **Save**. +5. Select **Save**. ### Configure independent MFA for a policy -Each policy has the same three MFA options mentioned above. **Policy-level settings override application-level settings.** +Each policy has the same three MFA options described in [Configure independent MFA for an application](#configure-independent-mfa-for-an-application). Policy-level settings override application-level settings. 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Policies**. 2. Choose an **Allow** policy and select **Configure**. -3. In the **Access enforcement** section, select an option: +3. Under **Multi-factor authentication (MFA)**, select an option: - To inherit the application or organization setting, select **Respect global enforcement setting**. 
- - To set custom requirements for users who match this policy, select **Custom MFA settings**, then configure the **Allowed authenticators** and **MFA session duration**. + - To set custom requirements for users who match this policy, select **Custom MFA settings**, then configure the [allowed MFA methods](/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration). - To exempt users who match this policy from MFA, select **Disable MFA**. 4. Select **Save**. ### MFA session duration -The MFA session duration determines how long a successful MFA authentication remains valid. After the session expires, the user must complete MFA again on their next request. You can require users to MFA on each access or set a custom duration. +The MFA session duration determines how long a successful MFA authentication remains valid. After the MFA session expires, the user must complete MFA again on their next Cloudflare Access login in addition to completing IdP authentication. You can require users to complete MFA on each Access login or set a custom duration. MFA session durations are only checked during the login flow and do not affect a user's existing session. Access checks MFA sessions from most specific to least specific: 
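Review bot: in the policy steps of hunk @@ -83,27, the context line "To inherit the application or organization setting, select **Respect global enforcement setting**" pairs an option labelled "global" with behaviour that inherits the application setting first, while the sentence above it says policy-level settings override application-level ones; the precedence is described in two places in two different ways. State it once and explicitly here, for example "inherits the application's MFA setting, which may itself inherit the organization setting", so a reader does not conclude that this option skips the application-level configuration.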
@@ -111,17 +122,33 @@ Access checks MFA sessions from most specific to least specific: 2. **Application MFA session duration** — If set, applies to all users accessing the application. 3. **Global MFA session duration** — The default for all applications that do not specify their own duration. -The MFA session is separate from the [Access application session](/cloudflare-one/access-controls/access-settings/session-management/). A user can have a valid application session but still be prompted for MFA if the MFA session has expired. - ### Precedence example Consider the following configuration: -- **Organization**: MFA required for all applications, authenticator application and security key allowed, 24-hour session. -- **Application A**: Set to **Respect global enforcement setting**. Inherits the organization settings. -- **Application B**: Set to **Disable MFA**. -- **Application A, Policy 1**: Set to **Custom MFA settings** — security keys only, 1-hour session. -- **Application A, Policy 2**: Set to **Disable MFA**. +```mermaid +flowchart TD + subgraph org["Organization"] + orgSettings["**Apply global MFA settings by default**,
**MFA methods**: Authenticator app + Security key,
**Authentication duration**: 24 hours"] + end + + subgraph appA["Application A"] + appASettings["**Respect global enforcement setting**
(inherits organization settings)"] + subgraph policies["Policies"] + policy1["Policy 1
**Custom MFA settings**,
**MFA methods**: Security keys only,
**Authentication duration**: 1 hour"] + policy2["Policy 2
**Disable MFA**"] + end + end + + subgraph appB["Application B"] + appBSettings["**Disable MFA**"] + end + + orgSettings --> appASettings + orgSettings -.->|"overridden"| appBSettings + appASettings -.->|"overridden by"| policy1 + appASettings -.->|"overridden by"| policy2 +``` In this example: From dc4f2ddbce747f4b45a953452debcddcfa79f4ca Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 19:39:46 -0400 Subject: [PATCH 10/21] fix links --- .../access-controls/access-settings/independent-mfa.mdx | 2 +- .../docs/cloudflare-one/access-controls/policies/index.mdx | 2 +- .../access-controls/policies/mfa-requirements.mdx | 4 ++-- .../access-controls/policies/policy-management.mdx | 2 +- src/content/docs/cloudflare-one/faq/general-faq.mdx | 4 ++-- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 1510e2fde98383a..9935b8e0a0a04b1 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -21,7 +21,7 @@ Independent multi-factor authentication (MFA) allows you to enforce MFA requirem ## Turn on independent MFA -Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa), you must turn on independent MFA at the organization level. +Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you must turn on independent MFA at the organization level. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index a756bead86b3f0f..7d02eed7ba6360a 100644 
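Review bot: the Mermaid diagram that replaces the bullet list in hunk @@ -111,17 puts `**bold**` Markdown inside plain double-quoted node labels; Mermaid only interprets Markdown in labels written in its markdown-string form (backticks inside the quotes), so as written the asterisks are likely to render literally. Either use that form or drop the bold. The edge labels are also inconsistent: the organization-to-Application-B edge reads "overridden" while the Application A-to-policy edges read "overridden by", though all three express the same relationship. Since the "In this example" bullets that follow still depend on the exact values (24-hour and 1-hour durations, security keys only), confirm the diagram renders before removing the text list, or keep the list beside it for accessibility.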
--- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx 
@@ -151,7 +151,7 @@ Non-identity attributes are polled continuously, meaning they are evaluated with | User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | | Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | | Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-idp-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). | ✅ | ❌ | ✅ | +| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa). | ✅ | ❌ | ✅ | | Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | | SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. 
| ✅ | ❌ | ✅ | | OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index ea9c89e572a81ad..9b64bbffba15473 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx @@ -13,8 +13,8 @@ import { GlossaryTooltip } from "~/components"; Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA): -- **[Identity provider-based MFA](#enforce-idp-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). -- **[Independent MFA](#enforce-independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider. +- **[Identity provider-based MFA](#identity-provider-based-mfa)** — Require specific MFA methods reported by your identity provider (IdP). +- **[Independent MFA](#independent-mfa)** — Prompt users for a second factor directly in Access, without relying on a third-party identity provider. ## Identity provider-based MFA diff --git a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index 29db4bdcbaf3fa2..c836bf99cf134f8 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx 
@@ -23,7 +23,7 @@ To create a reusable Access policy: - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). - [Purpose justification](/cloudflare-one/access-controls/policies/require-purpose-justification/) - [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/) - - [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa) + - [Independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa) 8. Select **Save**. You can now add this policy to an [Access application](/cloudflare-one/access-controls/applications/http-apps/). diff --git a/src/content/docs/cloudflare-one/faq/general-faq.mdx b/src/content/docs/cloudflare-one/faq/general-faq.mdx index 9c6fcd9454850e3..fe96aad62e34b8a 100644 --- a/src/content/docs/cloudflare-one/faq/general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/general-faq.mdx 
@@ -19,8 +19,8 @@ Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of Access supports two methods of enforcing MFA: -- **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-independent-mfa). -- **IdP-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#enforce-idp-based-mfa) set in your identity provider. For example, users attempting to log in to an Access protected app might log in through Okta. Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. +- **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa). +- **Identity provider-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) set in your identity provider. For example, if your users logging into an Access protected app through Okta, Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. ## Which browsers are supported? From 983965f8be15e2d4665b96118e603bcb3f9cd8d6 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 19:49:58 -0400 Subject: [PATCH 11/21] add related link --- .../access-controls/access-settings/independent-mfa.mdx | 4 ++++ .../docs/cloudflare-one/access-controls/policies/index.mdx | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 9935b8e0a0a04b1..d0b16c4ede95b02 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -209,3 +209,7 @@ If a user loses access to all of their enrolled authenticators: :::tip To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available. ::: + +## Related links + +- [Enforce MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/) diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 7d02eed7ba6360a..bb1c9b560a8199c 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx 
@@ -151,7 +151,7 @@ Non-identity attributes are polled continuously, meaning they are evaluated with | User Risk Score | The user's current [risk score](/cloudflare-one/team-and-resources/users/risk-score/) (Low, Medium, or High). Acts as a threshold — users with a score at or below the specified level pass the check. This selector only displays for Enterprise plans. | ✅ | ✅ | ✅ | | Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ | | Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa). | ✅ | ❌ | ✅ | +| Authentication Method | Checks the [multi-factor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) method used by the user, if supported by the identity provider. To enforce MFA independently of your IdP, refer to [independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/). | ✅ | ❌ | ✅ | | Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | | SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. 
| ✅ | ❌ | ✅ | | OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | From a8b38eef043eadfd31351f2b63a699796a19e7a6 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Thu, 9 Apr 2026 20:11:46 -0400 Subject: [PATCH 12/21] fix link --- src/content/changelog/access/2026-03-06-independent-mfa.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-03-06-independent-mfa.mdx index c479025e6055997..b5852fa4b534d42 100644 --- a/src/content/changelog/access/2026-03-06-independent-mfa.mdx +++ b/src/content/changelog/access/2026-03-06-independent-mfa.mdx @@ -30,4 +30,4 @@ Settings at lower levels (policy) override settings at higher levels (organizati Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `.cloudflareaccess.com/AddMfaDevice`. -To get started with Independent MFA, refer to [Independent MFA](/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa/). +To get started with Independent MFA, refer to [Independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/). From 8ba57943ebb708ed3d67ae54a11e119d8612cd8b Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Fri, 10 Apr 2026 14:16:57 -0400 Subject: [PATCH 13/21] Apply suggestions from code review Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com> --- src/content/changelog/access/2026-03-06-independent-mfa.mdx | 2 +- .../access-controls/access-settings/independent-mfa.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-03-06-independent-mfa.mdx index b5852fa4b534d42..0cf8500dc5cb0f7 100644 --- a/src/content/changelog/access/2026-03-06-independent-mfa.mdx +++ b/src/content/changelog/access/2026-03-06-independent-mfa.mdx @@ -12,7 +12,7 @@ Independent MFA supports the following authenticator types: - **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy. - **Security key** — Hardware security keys such as YubiKeys. -- **Biometrics** — Built-in device authenticators including macOS Touch ID, Face ID, and Windows Hello. +- **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello. ## Configuration levels diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index d0b16c4ede95b02..37d7a3b9d0e4abf 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -204,7 +204,7 @@ If a user loses access to all of their enrolled authenticators: 1. [Delete](#delete-a-user-authenticator) the user's authenticators. 2. The user can then access a protected application and will be provided a link to enroll a new authenticator. -3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/#/AddMfaDevice`. +3. Alternatively, share the direct enrollment link with the user: `.cloudflareaccess.com/AddMfaDevice`. :::tip To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available. From 8cb73c26b5cc852cf40c55ab511da770ee5190d6 Mon Sep 17 00:00:00 2001 
From: Ranbel Sun Date: Fri, 10 Apr 2026 15:38:34 -0400 Subject: [PATCH 14/21] review feedback --- .../access-settings/independent-mfa.mdx | 27 ++++++++++--------- .../access-settings/session-management.mdx | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index d0b16c4ede95b02..b7673c6c524e7c5 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -17,7 +17,7 @@ Independent multi-factor authentication (MFA) allows you to enforce MFA requirem | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. | | Security key | YubiKeys and hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys. | -| Biometrics | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. | +| Biometrics | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. | ## Turn on independent MFA 
@@ -54,8 +54,8 @@ Before you can [enforce independent MFA on applications and policies](/cloudflar mfa_config: { allowed_authenticators: ["totp", "biometrics", "security_key"], session_duration: "24h", - mfa_required_for_all_apps: false, }, + mfa_required_for_all_apps: false, }} /> @@ -94,17 +94,18 @@ Turning off independent MFA removes MFA enforcement from all Cloudflare Access a 2. Send a `PUT` request with an empty `allowed_authenticators` array. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. - + diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx index 1585e9b73a1b94b..75a9cc960281855 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx 
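Review bot: with `mfa_required_for_all_apps: false` moved out of `mfa_config` to the top level of the request body in the first hunk, the turn-off step in the second hunk ("the `PUT` request body should contain all fields returned by the previous `GET` request") should say where that flag belongs and which value it needs, because the dashboard procedure added later in this series (PATCH 16) requires **Apply global MFA settings by default** to be turned off before the methods can be cleared; the API example should show the same ordering, or state that sending an empty `allowed_authenticators` array also resets the flag.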
@@ -97,7 +97,7 @@ Users who match a policy configured with a _Same as application session timeout_ When [Device authentication identity](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-client-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration takes precedence over all other session durations (application, policy, and global). As long as the Cloudflare One Client session is valid and the user is running the Cloudflare One Client, the user will not be prompted to re-authenticate with the IdP — even if the global session has expired. ### MFA session duration -If you use [independent multi-factor authentication (MFA)](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. When a user logs in to an Access app, Access compares the age of the [`CF_Device` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf_device) against the configured MFA duration — if the cookie is older, the user must complete an additional MFA step after authenticating with the IdP. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)). +If you use [independent multi-factor authentication (MFA)](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. 
When logging in to an Access app with [MFA enabled](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), users must complete an MFA challenge if their last MFA authentication falls outside the configured session duration. After authenticating with their identity provider, users are prompted for MFA. The [`CF_Device` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf_device) ensures both authentication steps occur on the same device. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)). ### Order of enforcement From c3ea2892c459f0876de6dd8d2e6c79cf9dda49fe Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 10 Apr 2026 15:40:27 -0400 Subject: [PATCH 15/21] remove extraneous parameter --- .../access-controls/access-settings/independent-mfa.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 6e85af8b8dcc5b9..6a92da2ca442c94 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -103,7 +103,6 @@ Turning off independent MFA removes MFA enforcement from all Cloudflare Access a mfa_config: { allowed_authenticators: [], }, - mfa_required_for_all_apps: false, }} /> From 81b55e21bd0d25637dc6275734ba8f0f7cf484a9 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 15 Apr 2026 18:21:35 -0400 Subject: [PATCH 16/21] review feedback --- .../access-settings/independent-mfa.mdx | 13 +++++++++---- .../access-controls/policies/mfa-requirements.mdx | 4 ++-- src/content/docs/cloudflare-one/faq/general-faq.mdx | 2 +- 3 files changed, 12 insertions(+), 7 deletions(-) 
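Review bot: the rewritten MFA session duration paragraph drops the one sentence that said how the MFA session is tracked (the old text compared the age of the `CF_Device` cookie against the configured MFA duration) and replaces it with "The `CF_Device` cookie ensures both authentication steps occur on the same device", so the reader no longer knows what "last MFA authentication" is measured against. Suggest keeping a sentence on where the MFA session state lives, and softening "ensures" to "binds both authentication steps to the same browser": a cookie can be copied between devices, so it cannot guarantee the same device.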
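Review bot: removing `mfa_required_for_all_apps: false` from the turn-off request body leaves the example inconsistent with the instruction a few lines above it that the `PUT` body "should contain all fields returned by the previous `GET` request"; either keep the field (PATCH 14 shows it as a top-level field of the same body) or reword the instruction to say which fields may be omitted when clearing `allowed_authenticators`.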
diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 6a92da2ca442c94..7210318cf71ee1a 100644 --- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -27,7 +27,7 @@ Before you can [enforce independent MFA on applications and policies](/cloudflar 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. 2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization. -3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. If the MFA duration has expired, the user must complete MFA in addition to IdP authentication. +3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication. 4. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies. :::note The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators. 
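Review bot: the App Launcher exemption in this hunk ("Users must be able to access the App Launcher without MFA to enroll their authenticators") means enrollment is reachable with IdP credentials alone, and the page does not say whether a user who already has an enrolled authenticator must pass an MFA challenge before adding or replacing one. If enrollment requires an existing factor, state it here; if it does not, call out the consequence for administrators before they select **Apply global MFA settings by default**: anyone holding a user's IdP session can enroll their own TOTP app or security key and satisfy every **Custom MFA settings** check from then on. Step 3's new wording ("does not have an active MFA session for the required authenticator method") is clearer than the old one and can stay.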
@@ -74,13 +74,18 @@ After you turn on independent MFA, users can [enroll authenticators](#enroll-aut ## Turn off independent MFA :::caution -Turning off independent MFA removes MFA enforcement from all Cloudflare Access applications. Verify that your Access policies provide adequate coverage before you turn off this feature. +Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. Remove [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policis that use it, then turn off independent MFA at the organization level. ::: +To turn off independent MFA for the organization: + 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**. -2. Under **Allow multi-factor authentication (MFA)**, turn off all **MFA methods**. If any applications or policies use [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), you must remove those custom settings first. +2. Under **Allow multi-factor authentication (MFA)**, turn off **Apply global MFA settings by default**. +3. Turn off all MFA methods (**Biometrics**, **Security key**, and **Authenticator application**). + +If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies. @@ -124,7 +129,7 @@ To enroll an authenticator:
1. Select **Authenticator application**. - 2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). + 2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds. 3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment. :::note diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index 9b64bbffba15473..b0729b1267e2a11 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx @@ -18,7 +18,7 @@ Cloudflare Access supports two methods of enforcing multi-factor authentication ## Identity provider-based MFA -You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key through their IdP. +You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a security key through their IdP. IdP-based MFA enforcement is only available with the following identity providers: 
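Review bot: the manual setup key instructions in the enrollment hunk give the hash function (SHA1) and the time-step size (30 seconds) but not the code length, which authenticator apps also ask for when a key is typed in by hand; the 6-digit length appears only in step 3, so add it to step 2 next to the other parameters, for example "Use SHA1 as the hash function, 6 digits, and a 30-second time step."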
@@ -57,7 +57,7 @@ If the user fails to present the required MFA method, Cloudflare Access rejects When users authenticate with their identity provider, the IdP shares their username with Cloudflare Access. Access writes that value into the JSON Web Token (JWT) generated for the user. -Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. For example, if the user authenticated with their password and a physical hard key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user. +Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. For example, if the user authenticated with their password and a security key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user. Cloudflare Access follows [RFC 8176](https://tools.ietf.org/html/rfc8176), Authentication Method Reference Values, to define authentication methods. diff --git a/src/content/docs/cloudflare-one/faq/general-faq.mdx b/src/content/docs/cloudflare-one/faq/general-faq.mdx index fe96aad62e34b8a..97edb5281a2d87a 100644 --- a/src/content/docs/cloudflare-one/faq/general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/general-faq.mdx 
@@ -20,7 +20,7 @@ Cloudflare Gateway's DNS resolver introduces security into this flow. Instead of Access supports two methods of enforcing MFA: - **Independent MFA** — Access prompts users for a second factor directly, without relying on your identity provider. You can configure MFA requirements per organization, application, or policy. For more information, refer to [Enforce independent MFA](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa). -- **Identity provider-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) set in your identity provider. For example, if your users logging into an Access protected app through Okta, Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. +- **Identity provider-based MFA** — Access respects the [MFA policies](/cloudflare-one/access-controls/policies/mfa-requirements/#identity-provider-based-mfa) set in your identity provider. For example, if your users are logging into an Access protected app through Okta, Okta would enforce an MFA check before sending the valid authentication confirmation back to Cloudflare Access. ## Which browsers are supported? From 6d2c9e62b9eb849189cf7dc95ae300f1fb66424f Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 15 Apr 2026 18:35:44 -0400 Subject: [PATCH 17/21] new Access app UI --- .../access-controls/policies/mfa-requirements.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index b0729b1267e2a11..c02a9da1b2b3ba3 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx 
@@ -93,8 +93,8 @@ To configure MFA for an application: 1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Applications**. 2. Find the application you want to configure and select **Configure**. -3. Select the **Login settings** tab. -4. Under **Allow multi-factor authentication (MFA)**, select one of the following options: +3. Scroll down to **Authentication** and select the **MFA**.tab. +4. Select one of the following options: - To inherit the organization setting, select **Respect global enforcement setting**. - To set custom requirements, select **Custom MFA settings**, then configure the [allowed MFA methods](/cloudflare-one/access-controls/access-settings/independent-mfa/#supported-mfa-methods) and [authentication duration](#mfa-session-duration). - To exempt the application from MFA, select **Disable MFA**. From 790546774d96be86bc046aea4a19bfffd0207a53 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 15 Apr 2026 18:53:07 -0400 Subject: [PATCH 18/21] remove MFA from SaaS docs --- .../applications/http-apps/saas-apps/generic-oidc-saas.mdx | 6 ++---- .../applications/http-apps/saas-apps/generic-saml-saas.mdx | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx index 8fa11422e3a9744..eef34bc68194cfc 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx 
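Review bot: stray period in step 3 of the application MFA hunk: `select the **MFA**.tab` should read `select the **MFA** tab`.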
@@ -62,11 +62,9 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro 14. Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://.example-app.com`) but could be a different value. -15. +15. -16. - -17. Select **Save application**. +16. Select **Save application**. ## 3. Configure SSO in your SaaS application diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx index 2b6b34ad78fd47f..6d626f0bd12c377 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx @@ -58,11 +58,9 @@ If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, 14. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. -15. +15. -16. - -17. Select **Save application**. +16. Select **Save application**. ## 3. Configure SSO in your SaaS application From f7f801f79c43900460612d264cba1c9d7b616387 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Wed, 15 Apr 2026 18:58:01 -0400 Subject: [PATCH 19/21] changelog updates --- src/content/changelog/access/2026-03-06-independent-mfa.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-03-06-independent-mfa.mdx index 0cf8500dc5cb0f7..b4564acc7e1c9e5 100644 
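Review bot: these two hunks remove the MFA step from both SaaS application setup guides without saying why. If independent MFA is not available for SaaS applications, document that limitation where readers will look for it: the changelog note added in PATCH 19 only says "Infrastructure applications do not yet support independent MFA", and the mfa-requirements page in this series carries no application-type caveat, so a reader following the SaaS guide will expect the **MFA** tab described in PATCH 17 and not find it.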
--- a/src/content/changelog/access/2026-03-06-independent-mfa.mdx +++ b/src/content/changelog/access/2026-03-06-independent-mfa.mdx @@ -1,7 +1,7 @@ --- title: Independent MFA for Access applications description: Enforce multi-factor authentication for Access applications without relying on your identity provider. -date: 2026-03-06 +date: 2026-04-15 products: - access --- @@ -14,6 +14,10 @@ Independent MFA supports the following authenticator types: - **Security key** — Hardware security keys such as YubiKeys. - **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello. +:::note +Infrastructure applications do not yet support independent MFA. +::: + ## Configuration levels You can configure MFA requirements at three levels: From af6802b2592bd9b03e41f6bb27aac9d481e12b8d Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 15 Apr 2026 18:59:58 -0400 Subject: [PATCH 20/21] change changelog date --- ...6-03-06-independent-mfa.mdx => 2026-04-15-independent-mfa.mdx} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/content/changelog/access/{2026-03-06-independent-mfa.mdx => 2026-04-15-independent-mfa.mdx} (100%) diff --git a/src/content/changelog/access/2026-03-06-independent-mfa.mdx b/src/content/changelog/access/2026-04-15-independent-mfa.mdx similarity index 100% rename from src/content/changelog/access/2026-03-06-independent-mfa.mdx rename to src/content/changelog/access/2026-04-15-independent-mfa.mdx From 6cfcd05d5966f2f3ee5eed7a0957c436ce60cb1f Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Wed, 15 Apr 2026 19:11:07 -0400 Subject: [PATCH 21/21] fix typo --- .../access-controls/access-settings/independent-mfa.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx index 7210318cf71ee1a..e200013c74ec372 100644 
--- a/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx +++ b/src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx @@ -74,7 +74,7 @@ After you turn on independent MFA, users can [enroll authenticators](#enroll-aut ## Turn off independent MFA :::caution -Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. Remove [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policis that use it, then turn off independent MFA at the organization level. +Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. Remove [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policies that use it, then turn off independent MFA at the organization level. ::: To turn off independent MFA for the organization:
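Review bot: In the application-configuration hunk (the `@@ -93,8 +93,8 @@` hunk), the new step 3 reads `+3. Scroll down to **Authentication** and select the **MFA**.tab.`, which has a stray period inside the sentence and none at the end; it should read `3. Scroll down to **Authentication** and select the **MFA** tab.` Also worth confirming that the `#mfa-session-duration` fragment in the new step 4 exists as a heading on that same page, since the neighbouring link to allowed MFA methods uses an absolute path to a different page.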
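Review bot: In the generic-oidc-saas.mdx hunk (`@@ -62,11 +62,9 @@`), the retained line `+15.` has no text after it, so the list still carries an empty step between the App Launcher settings step and `16. Select **Save application**.` If the item really is empty, drop it and renumber the save step to 15; if its content is an MDX component that the diff view does not show, please confirm it survives, because an empty numbered step in the published page would leave readers with a gap in the procedure.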
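Review bot: The generic-saml-saas.mdx hunk (`@@ -58,11 +58,9 @@`) has the same problem as the OIDC file: `+15.` is kept with nothing after it while only `-16.` and the blank line are removed, and the save step is renumbered to 16. Apply the same fix to both files so the two SaaS pages stay in step (either remove the empty item and renumber to 15, or verify the item's content is present).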
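Review bot: The changelog frontmatter hunk (`@@ -1,7 +1,7 @@`) changes `date: 2026-03-06` to `date: 2026-04-15` while the file is still named `2026-03-06-independent-mfa.mdx`; the rename to `2026-04-15-independent-mfa.mdx` only lands in the following commit, so this commit on its own leaves the filename and the frontmatter date disagreeing. Consider squashing the two commits so every revision in the history is self-consistent.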
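Review bot: The added `:::note` in the `@@ -14,6 +14,10 @@` hunk says Infrastructure applications do not yet support independent MFA, but it does not say what that means when MFA is enforced at the organization level; readers will want to know whether such applications are simply skipped by the organization-wide setting. A second sentence stating the effective behaviour would close that gap.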
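Review bot: The typo fix in the `:::caution` hunk (`@@ -74,7 +74,7 @@`) is correct, but the same sentence still has a number-agreement problem: "Remove [custom MFA settings](...) from any applications and policies that use it" refers to plural settings with "it", so it should read "that use them". Since the line is already being touched, fix both in this commit.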
