Independent MFA

Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application.

Because you can configure MFA at the application and policy level, you can enforce stricter authentication methods like hardware security keys on sensitive applications without requiring them across your entire organization. This allows you to add additional security where it matters most while avoiding MFA fatigue for your broader user population.

Supported MFA methods

| MFA method | Description |
| --- | --- |
| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. |
| Security key | YubiKeys and hardware security keys that support the WebAuthn standard. Users can enroll multiple security keys. |
| Biometrics | Built-in device authenticators that use WebAuthn, including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics. |

Turn on independent MFA

Before you can enforce independent MFA on applications and policies, you must turn on independent MFA at the organization level.

  1. In the Cloudflare dashboard, go to Zero Trust > Access controls > Access settings.
  2. Under Allow multi-factor authentication (MFA), select the MFA methods you want to allow in your organization.
  3. Set an Authentication duration. This determines how long a user can log in to Access without being prompted for MFA again. If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication.
  4. (Optional) To avoid double prompting a user for MFA, you can enable Use identity provider MFA. This checks the AMR value passed from the identity provider at the time of authentication. If that AMR value matches an allowed MFA method, the user will not be prompted for MFA for the configured duration.
  5. (Optional) To apply your MFA methods and authentication duration to all Access applications, select Apply global MFA settings by default. You can override the global MFA settings for individual applications and policies.
  6. Select Save.

After you turn on independent MFA, users can enroll authenticators through the App Launcher.

Restrict authenticators by AAGUID

An AAGUID (Authenticator Attestation GUID) is a 128-bit identifier that indicates the make and model of a WebAuthn authenticator. By restricting enrollment to a specific set of AAGUIDs, you can require that users only enroll approved hardware, such as FIPS-validated security keys or company-issued devices.

AAGUID restrictions apply at enrollment time only. Access verifies the AAGUID when a user registers an authenticator, not when they authenticate. As a result, AAGUID restrictions are configured at the organization level.

1. Create an AAGUID list

AAGUIDs are managed using Lists. Create a list of type AAGUID, then reference the list in your organization's MFA configuration.

  1. In the Cloudflare dashboard, go to Zero Trust > Resources > Lists.
  2. Select Create new list.
  3. Enter a List name (for example, Approved security keys) and an optional description.
  4. Set List type to MFA AAGUIDs.
  5. Add one or more AAGUID entries:
    • To add predefined AAGUIDs, select authenticators from the Known authenticators list.
    • To add a custom AAGUID, fill out the following fields:
      • MFA AAGUIDs — The AAGUID of the authenticator, in 32-character hexadecimal format without dashes (for example, 8c39ee867f9a4a959ba3f6b097e5c2ee).
      • Description — An optional label such as the authenticator's name and model.
  6. Select Save.

2. Assign an AAGUID list to your organization

  1. In the Cloudflare dashboard, go to Zero Trust > Access controls > Access settings.
  2. Under Allow multi-factor authentication (MFA), go to Limit MFA to specific authentication methods.
  3. Select an existing AAGUID list.
  4. Select Save.

After you save, only authenticators whose AAGUIDs appear in the list can be enrolled. Users with previously enrolled authenticators outside the list can continue to use them until they are deleted by an administrator.
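As an added illustration of the enrollment-time check described above (example code, not Cloudflare's implementation), the following Python extracts the AAGUID from a WebAuthn registration's authenticator data and compares it against an allow-list kept in the 32-character no-dash format that AAGUID lists use. The relying-party ID, the second list entry and the builder for test data are constructed assumptions.

```python
import hashlib
import re

# Constructed allow-list. The first entry is the example AAGUID from the page; the second is
# a made-up value written with dashes to show that both spellings normalize to one key.
APPROVED_AAGUIDS = {
    "8c39ee867f9a4a959ba3f6b097e5c2ee",
    "2fc0579f-8113-47ea-b116-bb5a8db9202a",
}

def normalize_aaguid(value: str) -> str:
    """Return the AAGUID as 32 lowercase hex characters without dashes (the list entry format)."""
    compact = value.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", compact):
        raise ValueError(f"not a valid AAGUID: {value!r}")
    return compact

def aaguid_from_auth_data(auth_data: bytes) -> str:
    """Extract the AAGUID from WebAuthn authenticator data returned by a registration ceremony.

    Layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | attestedCredentialData, which
    starts with the 16-byte AAGUID. The AT flag (0x40) says attested credential data is present.
    """
    if len(auth_data) < 37 + 16:
        raise ValueError("authenticator data too short to contain an AAGUID")
    if not auth_data[32] & 0x40:
        raise ValueError("AT flag not set: no attested credential data (not a registration)")
    return auth_data[37:53].hex()

def enrollment_allowed(auth_data: bytes, approved: set[str] = APPROVED_AAGUIDS) -> bool:
    """Enrollment-time check: accept the authenticator only if its AAGUID is on the list."""
    allowed = {normalize_aaguid(a) for a in approved}
    return aaguid_from_auth_data(auth_data) in allowed

def build_registration_auth_data(aaguid: str, rp_id: str = "example.cloudflareaccess.com") -> bytes:
    """Build constructed authenticator data for testing (not produced by a real authenticator)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01 | 0x40])               # UP (user present) + AT (attested credential data)
    sign_count = (0).to_bytes(4, "big")
    cred_id = b"\x11" * 16
    attested = bytes.fromhex(normalize_aaguid(aaguid)) + len(cred_id).to_bytes(2, "big") + cred_id
    return rp_id_hash + flags + sign_count + attested  # credentialPublicKey omitted: not needed here
```

A real relying party must verify the attestation statement before trusting the AAGUID: with attestation conveyance "none", the browser replaces it with 16 zero bytes, so an all-zero AAGUID tells you nothing about the device.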

Use identity provider MFA

If your identity provider already prompts users for MFA, you can configure Access to accept that MFA instead of prompting again. Access checks the Authentication Method Reference (AMR) claim returned by the IdP, as defined in RFC 8176. If the AMR value matches an allowed authenticator type for the application or policy, Access skips the independent MFA prompt.

Supported AMR values

| AMR value | Matches Access authenticator type | Description |
| --- | --- | --- |
| hwk | Security key | Proof-of-possession of a hardware key |
| swk | Security key | Proof-of-possession of a software key |
| otp | Authenticator application | One-time password |
| face | Biometrics | Facial recognition |
| fpt | Biometrics | Fingerprint |
| iris | Biometrics | Iris scan |
| retina | Biometrics | Retina scan |
| vbm | Biometrics | Voice biometric |

Access ignores AMR values that do not map to a supported authenticator type (for example, pwd, sms, tel, geo, kba, sc, pin, user, mca, rba, wia).

Turn on AMR matching

  1. In the Cloudflare dashboard, go to Zero Trust > Access controls > Access settings.
  2. Under Allow multi-factor authentication (MFA), turn on Use identity provider MFA.
  3. Under Authentication Method Reference (AMR) matching duration, set how long a successful IdP MFA remains valid. During this period, users can log in to Access without an additional MFA prompt. You can set a custom duration (default 24 hours) or check for a valid AMR value on every login.
  4. Select Save.

When AMR matching is skipped

Access does not apply AMR matching in the following cases:

  • AAGUID requirements are turned on at the organization level. AAGUID information is not present in the IdP's AMR claim, so Access cannot verify that the IdP's MFA came from an approved device.
  • The IdP does not return an amr claim.
  • The IdP returns only AMR values that do not map to an allowed authenticator type for the application or policy.
  • The user's AMR matching session has expired because the user last completed MFA at their IdP longer ago than the configured AMR matching duration.

In these cases, Access falls back to checking for existing MFA sessions. If there are no valid MFA sessions, Access prompts the user to complete independent MFA.
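To make the skip rules concrete, here is an added Python model (example code, not Cloudflare's implementation) that evaluates an ID token's amr and auth_time claims against an application's allowed methods, the organization's AAGUID setting, and the AMR matching duration. The claim names follow OpenID Connect; the method names, the fixed clock and the demo inputs are constructed.

```python
from datetime import datetime, timedelta, timezone

# RFC 8176 AMR values that map to an Access authenticator type (the table above); anything else is ignored.
AMR_TO_METHOD = {
    "hwk": "security_key", "swk": "security_key",
    "otp": "authenticator_app",
    "face": "biometrics", "fpt": "biometrics", "iris": "biometrics",
    "retina": "biometrics", "vbm": "biometrics",
}

def amr_skips_mfa_prompt(claims, allowed_methods, aaguid_restricted, matching_duration, now):
    """Return (skip_prompt, reason) for one IdP login, following the skip rules on this page.

    claims: ID-token claims; uses "amr" (list of strings) and "auth_time" (epoch seconds).
    allowed_methods: authenticator types allowed for the application or policy.
    aaguid_restricted: True when an AAGUID list is assigned at the organization level.
    matching_duration: timedelta, or None for "check for a valid AMR value on every login".
    """
    if aaguid_restricted:
        return False, "aaguid-restriction"   # the amr claim carries no AAGUID to verify
    amr = claims.get("amr") or []
    if not amr:
        return False, "no-amr-claim"
    matched = {AMR_TO_METHOD[v] for v in amr if v in AMR_TO_METHOD} & set(allowed_methods)
    if not matched:
        return False, "no-allowed-method"
    if matching_duration is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - datetime.fromtimestamp(auth_time, timezone.utc) > matching_duration:
            return False, "expired"
    return True, "matched:" + ",".join(sorted(matched))

# Constructed inputs: a fixed "now" and two auth_time values, 1 hour and 25 hours earlier.
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
AUTH_1H_AGO = int((DEMO_NOW - timedelta(hours=1)).timestamp())
AUTH_25H_AGO = int((DEMO_NOW - timedelta(hours=25)).timestamp())
DAY = timedelta(hours=24)   # the default AMR matching duration

def demo():
    """Run the page's skip cases against a policy that allows only security keys."""
    key_only = {"security_key"}
    return {
        "fresh_hwk": amr_skips_mfa_prompt({"amr": ["pwd", "hwk"], "auth_time": AUTH_1H_AGO}, key_only, False, DAY, DEMO_NOW),
        "stale_hwk": amr_skips_mfa_prompt({"amr": ["pwd", "hwk"], "auth_time": AUTH_25H_AGO}, key_only, False, DAY, DEMO_NOW),
        "every_login": amr_skips_mfa_prompt({"amr": ["hwk"], "auth_time": AUTH_25H_AGO}, key_only, False, None, DEMO_NOW),
        "otp_not_allowed": amr_skips_mfa_prompt({"amr": ["otp"], "auth_time": AUTH_1H_AGO}, key_only, False, DAY, DEMO_NOW),
        "pwd_sms_only": amr_skips_mfa_prompt({"amr": ["pwd", "sms"], "auth_time": AUTH_1H_AGO}, key_only, False, DAY, DEMO_NOW),
        "no_amr": amr_skips_mfa_prompt({"auth_time": AUTH_1H_AGO}, key_only, False, DAY, DEMO_NOW),
        "aaguid_list_on": amr_skips_mfa_prompt({"amr": ["hwk"], "auth_time": AUTH_1H_AGO}, key_only, True, DAY, DEMO_NOW),
    }
```

The otp_not_allowed case shows why a per-application allowed-method set matters: an IdP that only did TOTP cannot satisfy a policy that requires a security key, so Access still prompts for the stricter factor.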

Turn off independent MFA

To turn off independent MFA for the organization:

  1. In the Cloudflare dashboard, go to Zero Trust > Access controls > Access settings.
  2. Under Allow multi-factor authentication (MFA), turn off Apply global MFA settings by default.
  3. Turn off all MFA methods (Biometrics, Security key, and Authenticator application).

If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies.

Enroll authenticators

Users enroll authenticators through the App Launcher.

If a user already has at least one authenticator enrolled, Access requires them to verify with an existing MFA method before they can add a new authenticator.

To enroll an authenticator:

  1. Go to your organization's App Launcher at <your-team-name>.cloudflareaccess.com.

  2. Log in with your identity provider or with a one-time PIN (OTP).

  3. Go to Account > MFA devices > Add an MFA device.

  4. If you already have an MFA device enrolled, complete the MFA verification prompt.

  5. Select the authenticator type you want to enroll and follow the on-screen instructions.

    Authenticator application

    1. Select Authenticator application.
    2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds.
    3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment.

    Security key

    1. Select Security key.
    2. When your browser prompts you, insert your security key and follow the on-screen instructions.
    3. After your browser confirms the registration, the security key is enrolled.

    You can enroll multiple security keys for backup purposes.

    Biometrics

    1. Select Biometrics > Register biometrics.
    2. You will be prompted to enroll with an authenticator type that is available on your device (for example, Add macOS Touch ID or Add Windows Hello).
    3. After your browser confirms the registration, the platform authenticator is enrolled.

You can now use these authenticators to log in to your organization's applications.

Delete an authenticator

Users can delete their own authenticators from the App Launcher. If the user has at least one authenticator enrolled, Access requires them to verify with an existing MFA method before they can remove a device.

  1. Go to your organization's App Launcher at <your-team-name>.cloudflareaccess.com.
  2. Go to Account > MFA devices.
  3. Select the 3-dot menu next to the MFA device, then select Remove MFA device.
  4. If you have other MFA devices enrolled, complete the MFA verification prompt.

Administrators can also delete authenticators on behalf of users.

MFA verification for authenticator changes

When a user has at least one authenticator enrolled, Access requires MFA verification before the user can add or remove an authenticator from the App Launcher. This verification step is separate from the IdP login and uses the user's existing independent MFA device.

After the user completes MFA verification, they have 10 minutes to add or remove authenticators without additional prompts. This window is tied to the current device. After 10 minutes, or if the user switches to a different device, Access requires MFA verification again.

This prevents an attacker with compromised IdP credentials from modifying a user's enrolled authenticators. Even if an attacker gains access to the user's IdP session, they cannot bypass the independent MFA verification step without also possessing the user's enrolled authenticator. If a user loses their only authenticator and cannot verify, an administrator can delete it to allow re-enrollment. Refer to Manage user authenticators.

Manage user authenticators

Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events.

View user authenticators

To view a user's enrolled authenticators:

  1. In the Cloudflare dashboard, go to Zero Trust > Team & Resources > Users.
  2. Select a user.
  3. Go to MFA devices. Each entry shows the authenticator's ID, its user-configured name, and the MFA method.

Delete a user authenticator

If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API.

  1. In the Cloudflare dashboard, go to Zero Trust > Team & Resources > Users.
  2. Select the user whose authenticator you want to delete.
  3. Under MFA devices, find the authenticator and select Delete.

The user will need to enroll a new authenticator the next time they access an application that requires MFA.

Lockout recovery

If a user loses access to all of their enrolled authenticators:

  1. Delete the user's authenticators.
  2. The user can then access a protected application and will be provided a link to enroll a new authenticator.
  3. Alternatively, share the direct enrollment link with the user: <your-team-name>.cloudflareaccess.com/AddMfaDevice.