Independent MFA
Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application.
Because you can configure MFA at the application and policy level, you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This allows you to add additional security where it matters most while avoiding MFA fatigue for your broader user population.
| MFA method | Description |
|---|---|
| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. |
| Security key | Hardware security keys that support the WebAuthn ↗ standard. Users can enroll multiple security keys. |
| Biometrics | Built-in device authenticators that use WebAuthn ↗, including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. |
| Personal Identity Verification (PIV) key (infrastructure apps only) | YubiKey PIV keys used for public key authentication during SSH connections. Requires YubiKey firmware 4.3 or later. This method is only available for infrastructure applications. Users can enroll multiple PIV keys. |
Before you can enforce independent MFA on applications and policies, you must turn on independent MFA at the organization level.
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Access settings.
- Under Allow multi-factor authentication (MFA), select the MFA methods you want to allow in your organization.
- Set an Authentication duration. This determines how long a user can log in to Access without being prompted for MFA again. If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication.
- (Optional) To avoid double prompting a user for MFA, you can enable Use identity provider MFA. This will check the AMR value passed from the identity provider at the time of authentication, if that AMR value passes an allowed MFA method, the user will not be prompted for MFA for the duration configured.
- (Optional) To apply your MFA methods and authentication duration to all Access applications, select Apply global MFA settings by default. You can override the global MFA settings for individual applications and policies.
- Select Save.
-
Get your existing Zero Trust organization configuration:
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups RevokeAccess: Organizations, Identity Providers, and Groups WriteAccess: Organizations, Identity Providers, and Groups Read
Get your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request GET \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -
Send a
PUTrequest to update your organization's MFA settings. To avoid overwriting your existing configuration, thePUTrequest body should contain all fields returned by the previousGETrequest.
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups Write
Update your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request PUT \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--json '{"auth_domain": "your-team-name.cloudflareaccess.com","name": "Your Team Name","mfa_config": {"allowed_authenticators": ["totp","biometrics","security_key"],"session_duration": "24h"},"mfa_required_for_all_apps": false}'Set
allowed_authenticatorsto an array containing one or more of:totp— Authenticator application (time-based one-time passwords).biometrics— Biometrics (Touch ID, Face ID, Windows Hello).security_key— Security keys (hardware keys that support WebAuthn).piv_key— PIV keys (YubiKeys).
Set
session_durationto a duration string (for example,30m,1h,24h). To require MFA on every access, use0m.
After you turn on independent MFA, users can enroll authenticators through the App Launcher.
If you plan to use PIV keys for MFA for infrastructure applications, configure the PIV key requirements in your organization's Access settings. These requirements determine which PIV keys users can enroll.
-
In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Access settings.
-
Under Allow multi-factor authentication (MFA), turn on the "Personal Identity Verification (PIV) key" authenticator.
-
Configure the following settings:
Setting Description Options Key type The SSH key algorithm ECDSA, Ed25519, RSA Key size The key length in bits ECDSA: 256, 384, 521. RSA: 2048, 3072, 4096 PIN policy When the user must enter their PIV PIN never,once(once per session),always(every use)Touch policy When the user must touch the hardware key never,always(every use),cached(cached for 15 seconds)Require FIPS Require the PIV key to be on a FIPS-validated device true,false -
Select Save.
An AAGUID ↗ (Authenticator Attestation GUID) is a 128-bit identifier that indicates the make and model of a WebAuthn ↗ authenticator. By restricting enrollment to a specific set of AAGUIDs, you can require that users only enroll approved hardware, such as FIPS-validated security keys or company-issued devices.
AAGUID restrictions apply at enrollment time only. Access verifies the AAGUID when a user registers an authenticator, not when they authenticate. As a result, AAGUID restrictions are configured at the organization level.
AAGUIDs are managed using Lists. Create a list of type AAGUID, then reference the list in your organization's MFA configuration.
- In the Cloudflare dashboard ↗, go to Zero Trust > Resources > Lists.
- Select Create new list.
- Enter a List name (for example,
Approved security keys) and an optional description. - Set List type to MFA AAGUIDs.
- Add one or more AAGUID entries:
- To add predefined AAGUIDs, select authenticators from the Known authenticators list.
- To add a custom AAGUID, fill out the following fields:
- MFA AAGUIDs — The AAGUID of the authenticator, in 32-character hexadecimal format without dashes (for example,
8c39ee867f9a4a959ba3f6b097e5c2ee). - Description — An optional label such as the authenticator's name and model.
- MFA AAGUIDs — The AAGUID of the authenticator, in 32-character hexadecimal format without dashes (for example,
- Select Save.
Send a POST request to create the list:
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "name": "Approved security keys", "description": "AAGUIDs for MFA enrollment", "type": "AAGUID", "items": [ { "value": "8c39ee867f9a4a959ba3f6b097e5c2ee", "description": "YubiKey Bio Series - FIDO Edition (Enterprise Profile)" } ] }'The response contains an id (UUID) for the list. Use this ID when you assign the list to your organization's MFA configuration.
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Access settings.
- Under Allow multi-factor authentication (MFA), go to Limit MFA to specific authentication methods.
- Select an existing AAGUID list.
- Select Save.
After you save, only authenticators whose AAGUIDs appear in the list can be enrolled. Users with previously enrolled authenticators outside the list can continue to use them until they are deleted by an administrator.
-
Get your existing Zero Trust organization configuration:
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups RevokeAccess: Organizations, Identity Providers, and Groups WriteAccess: Organizations, Identity Providers, and Groups Read
Get your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request GET \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -
Send a
PUTrequest to assign the list. To avoid overwriting your existing configuration, thePUTrequest body should contain all fields returned by the previousGETrequest. Setmfa_config.required_aaguidsto the ID of your AAGUID list.
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups Write
Update your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request PUT \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--json '{"auth_domain": "your-team-name.cloudflareaccess.com","name": "Your Team Name","mfa_config": {"allowed_authenticators": ["security_key","totp","biometrics"],"session_duration": "24h","required_aaguids": "05ddacda-5131-41ab-9eeb-6763f8dce3be"}}'To remove the restriction, set
required_aaguidstonull.
If your identity provider already prompts users for MFA, you can configure Access to accept that MFA instead of prompting again. Access checks the Authentication Method Reference (AMR) claim returned by the IdP, as defined in RFC 8176 ↗. If the AMR value matches an allowed authenticator type for the application or policy, Access skips the independent MFA prompt.
| AMR value | Matches Access authenticator type | Description |
|---|---|---|
hwk | Security key | Proof-of-possession of a hardware key |
swk | Security key | Proof-of-possession of a software key |
otp | Authenticator application | One-time password |
face | Biometrics | Facial recognition |
fpt | Biometrics | Fingerprint |
iris | Biometrics | Iris scan |
retina | Biometrics | Retina scan |
vbm | Biometrics | Voice biometric |
Access ignores AMR values that do not map to a supported authenticator type (for example, pwd, sms, tel, geo, kba, sc, pin, user, mca, rba, wia).
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Access settings.
- Under Allow multi-factor authentication (MFA), turn on Use identity provider MFA.
- Under Authentication Method Reference (AMR) matching duration, set how long a successful IdP MFA remains valid. During this period, users can log in to Access without an additional MFA prompt. You can set a custom duration (default 24 hours) or check for a valid AMR value on every login.
- Select Save.
-
Get your existing Zero Trust organization configuration:
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups RevokeAccess: Organizations, Identity Providers, and Groups WriteAccess: Organizations, Identity Providers, and Groups Read
Get your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request GET \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -
Send a
PUTrequest to update your organization's AMR matching settings. To avoid overwriting your existing configuration, thePUTrequest body should contain all fields returned by the previousGETrequest.
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups Write
Update your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request PUT \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--json '{"auth_domain": "your-team-name.cloudflareaccess.com","name": "Your Team Name","mfa_config": {"allowed_authenticators": ["totp","biometrics","security_key"],"session_duration": "24h","amr_matching_enabled": true,"amr_session_duration": "1h"}}'
Access does not apply AMR matching in the following cases:
- The IdP does not return an
amrclaim. - The IdP returns only AMR values that do not map to an allowed authenticator type for the application or policy.
- The user's AMR matching session has expired because they last performed MFA via their IdP longer ago than the configured AMR matching duration.
In these cases, Access falls back to checking for existing MFA sessions. If there are no valid MFA sessions, Access prompts the user to complete independent MFA.
To turn off independent MFA for the organization:
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Access settings.
- Under Allow multi-factor authentication (MFA), turn off Apply global MFA settings by default.
- Turn off all MFA methods (Biometrics, Security key, and Authenticator application).
If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies.
-
Get your existing Zero Trust organization configuration:
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups RevokeAccess: Organizations, Identity Providers, and Groups WriteAccess: Organizations, Identity Providers, and Groups Read
Get your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request GET \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -
Send a
PUTrequest with an emptyallowed_authenticatorsarray. To avoid overwriting your existing configuration, thePUTrequest body should contain all fields returned by the previousGETrequest.
At least one of the following token permissions is required:Required API token permissions
Access: Organizations, Identity Providers, and Groups Write
Update your Zero Trust organization curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations" \--request PUT \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--json '{"auth_domain": "your-team-name.cloudflareaccess.com","name": "Your Team Name","mfa_config": {"allowed_authenticators": []}}'
Users enroll authenticators through the App Launcher.
If a user already has at least one authenticator enrolled, Access requires them to verify with an existing MFA method before they can add a new authenticator.
To enroll an authenticator:
-
Go to your organization's App Launcher at
<your-team-name>.cloudflareaccess.com. -
Log in with your identity provider or with a one-time PIN (OTP).
-
Go to Account > MFA devices > Add an MFA device.
-
If you already have an MFA device enrolled, complete the MFA verification prompt.
-
Select the authenticator type you want to enroll and follow the on-screen instructions.
Authenticator application
- Select Authenticator application.
- Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds.
- Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment.
Security key
- Select Security key.
- When your browser prompts you, insert your security key and follow the on-screen instructions.
- After your browser confirms the registration, the security key is enrolled.
You can enroll multiple security keys for backup purposes.
Biometrics
- Select Biometrics > Register biometrics.
- You will be prompted to enroll with an authenticator type that is available on your device (for example, Add macOS Touch ID or Add Windows Hello).
- After your browser confirms the registration, the platform authenticator is enrolled.
PIV key (infrastructure applications only)
PIV key enrollment requires additional client-side setup and is only used for MFA with infrastructure applications. For full instructions, refer to Enroll a PIV key for infrastructure apps.
You can now use these authenticators to log in to your organization's applications.
PIV key enrollment is separate from the general authenticator enrollment above and requires additional client-side setup.
Before enrolling, you must have a YubiKey with firmware 4.3 or later and a key generated in PIV slot 9a. If you have not generated a PIV key yet, refer to Generate a PIV key.
If you do not already have a PIV key on your YubiKey, generate one in slot 9a:
ykman piv keys generate \ --algorithm ECCP256 \ --pin-policy once \ --touch-policy always \ 9a pubkey.pemTouch your YubiKey when it blinks to confirm key generation. Then create a self-signed certificate to make the key visible to SSH agents:
ykman piv certificates generate --subject "CN=SSH-Identity" 9a pubkey.pemAfter generating the key, generate attestation certificates and continue with enrollment.
Attestation certificates prove that the key was generated on genuine hardware. Run the following commands to export them from your YubiKey:
ykman piv keys attest 9a leaf.pemykman piv certificates export f9 intermediate.pemleaf.pemcontains the public key and metadata for the key in slot9a.intermediate.pemis the YubiKey attestation CA certificate.
- Go to your organization's App Launcher at
<your-team-name>.cloudflareaccess.com. - Log in with an identity provider (IdP), a one-time pin, or with Cloudflare as your IdP.
- Go to Account > MFA devices > Add an MFA device.
- Select PIV key.
- Paste the contents of
leaf.peminto the Leaf certificate field. - Paste the contents of
intermediate.peminto the Intermediate certificate field. - Select Enroll.
Access extracts and stores the SSH public key from your certificate for future authentication to infrastructure apps. You can enroll multiple PIV keys for backup purposes.
After enrollment, configure your SSH client to use the PIV key. The following example uses yubikey-agent on macOS. For Linux, refer to the yubikey-agent documentation ↗.
-
Install and start
yubikey-agent:Terminal window brew install yubikey-agentbrew services start yubikey-agent -
Extract the SSH public key from your leaf certificate:
Terminal window openssl x509 -in leaf.pem -pubkey -noout | ssh-keygen -i -m PKCS8 -f /dev/stdin > ~/.ssh/id_yubikey.pub -
Add the following to your
~/.ssh/config:Host *IdentityAgent /opt/homebrew/var/run/yubikey-agent.sockIdentitiesOnly yesAddKeysToAgent yesIdentityFile ~/.ssh/id_yubikey.pub -
Verify that the key is loaded:
Terminal window ssh-add -LThe output should show an
ecdsa-sha2-nistp256key.
Users can delete their own authenticators from the App Launcher. If the user has at least one authenticator enrolled, Access requires them to verify with an existing MFA method before they can remove a device.
- Go to your organization's App Launcher at
<your-team-name>.cloudflareaccess.com. - Go to Account > MFA devices.
- Select the 3-dot menu next to the MFA device, then select Remove MFA device.
- If you have other MFA devices enrolled, complete the MFA verification prompt.
Administrators can also delete authenticators on behalf of users.
When a user has at least one authenticator enrolled, Access requires MFA verification before the user can add or remove an authenticator from the App Launcher. This verification step is separate from the IdP login and uses the user's existing independent MFA device.
After the user completes MFA verification, they have 10 minutes to add or remove authenticators without additional prompts. This window is tied to the current device. After 10 minutes, or if the user switches to a different device, Access requires MFA verification again.
This prevents an attacker with compromised IdP credentials from modifying a user's enrolled authenticators. Even if an attacker gains access to the user's IdP session, they cannot bypass the independent MFA verification step without also possessing the user's enrolled authenticator. If a user loses their only authenticator and cannot verify, an administrator can delete it to allow re-enrollment. Refer to Manage user authenticators.
Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events.
To view a user's enrolled authenticators:
- In the Cloudflare dashboard ↗, go to Zero Trust > Team & Resources > Users.
- Select a user.
- Go to MFA devices. Each entry shows the authenticator's ID, its user-configured name, and the MFA method.
If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API.
- In the Cloudflare dashboard ↗, go to Zero Trust > Team & Resources > Users.
- Select the user whose authenticator you want to delete.
- Under MFA devices, find the authenticator and select Delete.
The user will need to enroll a new authenticator the next time they access an application that requires MFA.
Send a DELETE request to remove a specific authenticator:
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/mfa_authenticators/$AUTHENTICATOR_ID" \ --request DELETE \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"Parameters:
user_id— The UUID of the user. You can find this in the user details under Team & Resources > Users.authenticator_id— The unique identifier for the authenticator.
If a user loses access to all of their enrolled authenticators:
- Delete the user's authenticators.
- The user can then access a protected application and will be provided a link to enroll a new authenticator.
- Alternatively, share the direct enrollment link with the user:
<your-team-name>.cloudflareaccess.com/AddMfaDevice.