cloudflare · asamborski · Feb 20, 2026 · Feb 20, 2026 · Feb 27, 2026 · Feb 28, 2026
@@ -17,7 +17,7 @@ Independent MFA supports the following authenticator types:
 - **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello.
 
 :::note
-Infrastructure applications do not yet support independent MFA.
+Infrastructure applications support MFA with YubiKey PIV keys for SSH connections. For more information, refer to [MFA for SSH with PIV keys](/cloudflare-one/access-controls/policies/mfa-requirements/#infrastructure-applications).
 :::
 
 ## Configuration levels

@@ -0,0 +1,19 @@
+---
+title: Independent MFA for infrastructure applications
+description: Add hardware-backed multi-factor authentication to SSH connections through Access for Infrastructure.
+date: 2026-05-15
+products:
+  - access
+---
+
+[Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) now supports independent multi-factor authentication (MFA) for SSH connections using YubiKey PIV keys. This adds a hardware-backed second factor to SSH access, ensuring that a compromised device session alone is not sufficient to reach your servers.
+
+With per-application and per-policy configuration, you can enforce PIV key authentication for sensitive usernames (for example, `root`) while applying different requirements for other usernames. You can also set an MFA session duration to control how often users must re-authenticate.
+
+## Enrollment
+
+Users enroll their YubiKey PIV key through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). For enrollment instructions and SSH client setup, refer to [Enroll a PIV key for infrastructure apps](/cloudflare-one/access-controls/access-settings/independent-mfa/#enroll-a-piv-key-for-infrastructure-apps).
+
+## Configuration
+
+For setup instructions, refer to [Enforce MFA for infrastructure applications](/cloudflare-one/access-controls/policies/mfa-requirements/#infrastructure-applications).
@@ -10,19 +10,20 @@ tags:
   - Authentication
 ---
 
-import { Tabs, TabItem, APIRequest, Details } from "~/components";
+import { Tabs, TabItem, APIRequest, Details, Render } from "~/components";
 
 Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application.
 
 Because you can [configure MFA at the application and policy level](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This allows you to add additional security where it matters most while avoiding MFA fatigue for your broader user population.
 
 ## Supported MFA methods
 
-| MFA method                | Description                                                                                                                                                                              |
-| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time.       |
-| Security key              | YubiKeys and hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys.                                    |
-| Biometrics                | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. |
+| MFA method                         | Description                                                                                                                                                                                                                                                                                                 |
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Authenticator application          | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time.                                                                                                                          |
+| Security key                       | YubiKeys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys.                                                                                                                                                                                  |
+| Biometrics                         | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics.                                                                                                                    |
+| PIV key (infrastructure apps only) | YubiKey PIV keys used for public key authentication during SSH connections. Requires YubiKey firmware 4.3 or later. This method is only available for [infrastructure applications](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/). Users can enroll multiple PIV keys. |
 
 ## Turn on independent MFA
 
@@ -79,6 +80,29 @@ Before you can [enforce independent MFA on applications and policies](/cloudflar
 
 After you turn on independent MFA, users can [enroll authenticators](#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/).
 
+### Configure PIV key requirements
+
+If you plan to use PIV keys for [MFA for infrastructure applications](/cloudflare-one/access-controls/policies/mfa-requirements/#infrastructure-applications), configure the PIV key requirements in your organization's Access settings. These requirements determine which PIV keys users can enroll.
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**.
+2. Under **Allow multi-factor authentication (MFA)**, turn on the PIV key authenticator.
+3. Configure the following settings:
+
+   | Setting          | Description                               | Options                                                         |
+   | ---------------- | ----------------------------------------- | --------------------------------------------------------------- |
+   | **Key type**     | The SSH key algorithm                     | ECDSA, Ed25519, RSA                                             |
+   | **Key size**     | The key length in bits                    | ECDSA: 256, 384, 521. RSA: 2048, 3072, 4096                     |
+   | **PIN policy**   | When the user must enter their PIV PIN    | `never`, `once` (once per session), `always` (every use)        |
+   | **Touch policy** | When the user must touch the hardware key | `never`, `always` (every use), `cached` (cached for 15 seconds) |
+
+4. Select **Save**.
+
+Enrolled PIV keys that do not meet these requirements are rejected during SSH authentication.
+
+:::note
+<Render file="access/piv-key-global-settings-warning" product="cloudflare-one" />
+:::
+
 ## Restrict authenticators by AAGUID
 
 An [AAGUID](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#authenticator-attestation-guid) (Authenticator Attestation GUID) is a 128-bit identifier that indicates the make and model of a [WebAuthn](https://www.w3.org/TR/webauthn-2/) authenticator. By restricting enrollment to a specific set of AAGUIDs, you can require that users only enroll approved hardware, such as FIPS-validated security keys or company-issued devices.
@@ -196,8 +220,8 @@ If your identity provider already prompts users for MFA, you can configure Acces
 
 ### Supported AMR values
 
-| AMR value | Matches Access authenticator type | Description                            |
-| --------- | --------------------------------- | -------------------------------------- |
+| AMR value | Matches Access authenticator type | Description                           |
+| --------- | --------------------------------- | ------------------------------------- |
 | `hwk`     | Security key                      | Proof-of-possession of a hardware key |
 | `swk`     | Security key                      | Proof-of-possession of a software key |
 | `otp`     | Authenticator application         | One-time password                     |
@@ -339,8 +363,13 @@ To enroll an authenticator:
         </Details>
 
         <Details header="Security key">
+
+        :::note
+        Access currently supports YubiKeys as the only hardware security key.
+        :::
+
         1. Select **Security key**.
-        2. When your browser prompts you, insert your security key and follow the on-screen instructions.
+        2. When your browser prompts you, insert your YubiKey and follow the on-screen instructions.
         3. After your browser confirms the registration, the security key is enrolled.
 
         You can enroll multiple security keys for backup purposes.
@@ -354,8 +383,97 @@ To enroll an authenticator:
 
         </Details>
 
+        <Details header="PIV key (infrastructure applications only)">
+        PIV key enrollment requires additional client-side setup and is only used for [MFA with infrastructure applications](/cloudflare-one/access-controls/policies/mfa-requirements/#infrastructure-applications). For full instructions, refer to [Enroll a PIV key for infrastructure apps](#enroll-a-piv-key-for-infrastructure-apps).
+        </Details>
+
 You can now use these authenticators to log in to your organization's applications.
 
+### Enroll a PIV key for infrastructure apps
+
+PIV key enrollment is separate from the general authenticator enrollment above and requires additional client-side setup.
+
+Before enrolling, you must have a YubiKey with firmware 4.3 or later and a key generated in PIV slot `9a`. If you have not generated a PIV key yet, refer to [Generate a PIV key](#generate-a-piv-key).
+
+#### Generate attestation certificates
+
+Attestation certificates prove that the key was generated on genuine hardware. Run the following commands to export them from your YubiKey:
+
+```bash
+ykman piv keys attest 9a leaf.pem
+ykman piv certificates export f9 intermediate.pem
+```
+
+- `leaf.pem` contains the public key and metadata for the key in slot `9a`.
+- `intermediate.pem` is the YubiKey attestation CA certificate.
+
+#### Upload certificates to Cloudflare
+
+1. Go to your organization's App Launcher at `<your-team-name>.cloudflareaccess.com`.
+2. Log in with your identity provider or with a one-time PIN (OTP).
+3. Go to **Account** > **MFA devices** > **Add an MFA device**.
+4. Select **MFA PIV Key**.
+5. Paste the contents of `leaf.pem` into the **Leaf certificate** field.
+6. Paste the contents of `intermediate.pem` into the **Intermediate certificate** field.
+7. Select **Enroll**.
+
+Access extracts and stores the SSH public key from your certificate for future authentication to infrastructure apps. You can enroll multiple PIV keys for backup purposes.
+
+#### Configure your SSH client
+
+After enrollment, configure your SSH client to use the PIV key. The following example uses `yubikey-agent` on macOS. For Linux, refer to the [yubikey-agent documentation](https://github.com/nicholasgasior/yubikey-agent).
+
+1. Install and start `yubikey-agent`:
+
+   ```bash
+   brew install yubikey-agent
+   brew services start yubikey-agent
+   ```
+
+2. Extract the SSH public key from your leaf certificate:
+
+   ```bash
+   openssl x509 -in leaf.pem -pubkey -noout | ssh-keygen -i -m PKCS8 -f /dev/stdin > ~/.ssh/id_yubikey.pub
+   ```
+
+3. Add the following to your `~/.ssh/config`:
+
+   ```txt
+   Host *
+     IdentityAgent /opt/homebrew/var/run/yubikey-agent.sock
+     IdentitiesOnly yes
+     AddKeysToAgent yes
+     IdentityFile ~/.ssh/id_yubikey.pub
+   ```
+
+4. Verify that the key is loaded:
+
+   ```sh
+   ssh-add -L
+   ```
+
+   The output should show an `ecdsa-sha2-nistp256` key.
+
+#### Generate a PIV key
+
+If you do not already have a PIV key on your YubiKey, generate one in slot `9a`:
+
+```bash
+ykman piv keys generate \
+  --algorithm ECCP256 \
+  --pin-policy ONCE \
+  --touch-policy ALWAYS \
+  9a pubkey.pem
+```
+
+Touch your YubiKey when it blinks to confirm key generation. Then create a self-signed certificate to make the key visible to SSH agents:
+
+```bash
+ykman piv certificates generate --subject "CN=SSH-Identity" 9a pubkey.pem
+```
+
+After generating the key, [generate attestation certificates](#generate-attestation-certificates) and continue with enrollment.
+
 ### Delete an authenticator
 
 Users can delete their own authenticators from the App Launcher. If the user has at least one authenticator enrolled, Access requires them to [verify with an existing MFA method](#mfa-verification-for-authenticator-changes) before they can remove a device.

@@ -7,17 +7,17 @@ title: Add an infrastructure application
 sidebar:
   order: 2
 tags:
-- SSH
-- Authentication
+  - SSH
+  - Authentication
 ---
 
 import { Badge, Details, Tabs, TabItem, Render } from "~/components";
 
 <Details header="Feature availability">
 
 | [Client modes](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
-| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
-| <ul><li> Traffic and DNS mode</li><li> Traffic only mode </li></ul>  | All plans                                                     |
+| ------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| <ul><li> Traffic and DNS mode</li><li> Traffic only mode </li></ul>                               | All plans                                                     |
 
 | System   | Availability |
 | -------- | ------------ |
@@ -33,7 +33,7 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components";
 Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
 
 :::note
-Access for Infrastructure currently only supports [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/).
+Access for Infrastructure currently supports [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](/cloudflare-one/access-controls/applications/non-http/browser-rendering/).
 :::
 
 ## Prerequisites
@@ -61,13 +61,19 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/networks
 	params={{ selector: "Access Infrastructure Target", protocol: "infra" }}
 />
 
-## 4. Configure the server
+## 4. (Optional) Require independent MFA
+
+You can require users to authenticate with a [YubiKey PIV key](/cloudflare-one/access-controls/access-settings/independent-mfa/#enroll-a-piv-key-for-infrastructure-apps) before connecting with SSH to targets. MFA can be configured at the application level or at the policy level, allowing you to enforce stricter requirements for sensitive usernames.
+
+For setup instructions, refer to [Enforce MFA for infrastructure applications](/cloudflare-one/access-controls/policies/mfa-requirements/#infrastructure-applications).
+
+## 5. Configure the server
 
 Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
 
-- [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#6-configure-ssh-server)
+- [SSH](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)
 
-## 5. Connect as a user
+## 6. Connect as a user
 
 Users connect to the target's IP address using their preferred client software. The user must be logged into the Cloudflare One Client on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/traffic-policies/resolver-policies/) to allow connections to the target's private hostname.
 
@@ -84,13 +90,13 @@ If a user is connected to a target in VNET-A and needs to connect to a target in
 <Details header="Feature availability">
 
 | System   | Availability | Minimum client version |
-| -------- | ------------ | -------------------- |
-| Windows  | ✅           | 2024.9.346.0         |
-| macOS    | ✅           | 2024.9.346.0         |
-| Linux    | ✅           | 2024.9.346.0         |
-| iOS      | ❌           |                      |
-| Android  | ❌           |                      |
-| ChromeOS | ❌           |                      |
+| -------- | ------------ | ---------------------- |
+| Windows  | ✅           | 2024.9.346.0           |
+| macOS    | ✅           | 2024.9.346.0           |
+| Linux    | ✅           | 2024.9.346.0           |
+| iOS      | ❌           |                        |
+| Android  | ❌           |                        |
+| ChromeOS | ❌           |                        |
 
 </Details>