Enforce MFA
Cloudflare Access supports two methods of enforcing multi-factor authentication (MFA):
- Identity provider-based MFA — Require specific MFA methods reported by your identity provider (IdP).
- Independent MFA — Prompt users for a second factor directly in Access, without relying on a third-party identity provider.
You can require that users log in with specific MFA methods provided by their identity provider. For example, you can create rules that only allow users to reach a given application if they authenticate with a security key through their IdP.
IdP-based MFA enforcement is only available with the following identity providers:
To enforce an IdP MFA requirement on an application:
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Applications.
- Find the application for which you want to enforce MFA and select Configure. Alternatively, create a new application.
- Go to Policies.
- If your application already has a policy containing an identity requirement, find it and select Configure.
- Add the following rule to the policy:

  | Rule type | Selector | Value |
  |---|---|---|
  | Require | Authentication method | mfa - multiple-factor authentication |

- Save the policy.
When users authenticate with their identity provider, the IdP shares their username with Cloudflare Access. Access writes that value into the JSON Web Token (JWT) generated for the user.
Certain identity providers also share the MFA method presented by the user. Access can add these values into the JWT. For example, if the user authenticated with their password and a security key, the IdP can send a confirmation to Cloudflare Access. Access then stores that method in the JWT issued to the user.
Cloudflare Access follows RFC 8176 ↗, Authentication Method Reference Values, to define authentication methods.
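An application behind Access can apply the same "Require Authentication method" check itself on the token it receives. The following is an added example, not Cloudflare code: it assumes the methods arrive in an `amr` claim (the claim name RFC 8176 defines) and uses an HS256 shared key plus constructed claims as an offline stand-in for verifying a real Access token against the team's public signing keys.

```python
import base64
import hashlib
import hmac
import json

# RFC 8176 Authentication Method Reference values used below.
MFA, HARDWARE_KEY, PASSWORD = "mfa", "hwk", "pwd"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verified_claims(token: str, key: bytes) -> dict:
    """Return the payload claims only after the signature checks out.
    HS256 with a shared key is a constructed stand-in: real Access tokens
    are verified against the team's published public signing keys."""
    header, payload, sig = token.split(".")  # ValueError if not 3 segments
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def mfa_satisfied(claims: dict, required: frozenset = frozenset({MFA})) -> bool:
    """Mirror the rule 'Require Authentication method = <value>': every
    required RFC 8176 value must be present in the token's 'amr' claim
    (claim name is an assumption). Missing or malformed claims fail closed."""
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return required <= {v for v in amr if isinstance(v, str)}


def sign_demo_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token so the check can run offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


DEMO_KEY = b"constructed-demo-key"
# Constructed claims: password plus security key, as an IdP would report them.
DEMO_TOKEN = sign_demo_token(
    {"email": "user@example.com", "amr": [PASSWORD, HARDWARE_KEY, MFA]}, DEMO_KEY)
```

Passing `frozenset({HARDWARE_KEY})` as `required` is the token-side equivalent of a rule that only admits users who authenticated with a security key.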
Independent MFA prompts users for a second factor directly in Access. This allows you to enforce MFA requirements without relying on your IdP's MFA configuration.
You can configure MFA requirements at three levels:
| Level | Description |
|---|---|
| Organization | Enforce MFA by default for all applications in your account. |
| Application | Require or turn off MFA for a specific application. |
| Policy | Require or turn off MFA for users who match a specific policy. |
Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.
Before you configure independent MFA on applications or policies, you must turn on independent MFA at the organization level.
Each application has three MFA options:
| Option | Behavior |
|---|---|
| Respect global enforcement setting | Uses the organization-level MFA configuration. If MFA is required globally, users must complete MFA. If MFA is not required globally, users are not prompted. This is the default. |
| Custom MFA settings | Overrides the organization setting with application-specific allowed authenticators and session duration. |
| Disable MFA | Users are not prompted for independent MFA when accessing this application, even if MFA is required globally. |
To configure MFA for an application:
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Applications.
- Find the application you want to configure and select Configure.
- Scroll down to Authentication and select the MFA tab.
- Select one of the following options:
  - To inherit the organization setting, select Respect global enforcement setting.
  - To set custom requirements, select Custom MFA settings, then configure the allowed MFA methods and authentication duration.
  - To exempt the application from MFA, select Disable MFA.
- Select Save.
Each policy has the same three MFA options described in Configure independent MFA for an application. Policy-level settings override application-level settings.
- In the Cloudflare dashboard ↗, go to Zero Trust > Access controls > Policies.
- Choose an Allow policy and select Configure.
- Under Multi-factor authentication (MFA), select an option:
  - To inherit the application or organization setting, select Respect global enforcement setting.
  - To set custom requirements for users who match this policy, select Custom MFA settings, then configure the allowed MFA methods and authentication duration.
  - To exempt users who match this policy from MFA, select Disable MFA.
- Select Save.
The MFA session duration determines how long a successful MFA authentication remains valid. After the MFA session expires, the user must complete MFA again on their next Cloudflare Access login in addition to completing IdP authentication. You can require users to complete MFA on each Access login or set a custom duration. MFA session durations are only checked during the login flow and do not affect a user's existing session.
Access checks MFA sessions from most specific to least specific:
- Policy MFA session duration — If set, applies to users who match the policy.
- Application MFA session duration — If set, applies to all users accessing the application.
- Global MFA session duration — The default for all applications that do not specify their own duration.
Consider the following configuration:
```mermaid
flowchart TD
subgraph org["Organization"]
orgSettings["**Apply global MFA settings by default**, <br/>**MFA methods**: Authenticator app + Security key, <br/>**Authentication duration**: 24 hours"]
end
subgraph appA["Application A"]
appASettings["**Respect global enforcement setting**<br/>(inherits organization settings)"]
subgraph policies["Policies"]
policy1["Policy 1<br/>**Custom MFA settings**,<br/>**MFA methods**: Security keys only,<br/>**Authentication duration**: 1 hour"]
policy2["Policy 2<br/>**Disable MFA**"]
end
end
subgraph appB["Application B"]
appBSettings["**Disable MFA**"]
end
orgSettings --> appASettings
orgSettings -.->|"overridden"| appBSettings
appASettings -.->|"overridden by"| policy1
appASettings -.->|"overridden by"| policy2
```
In this example:
- Users who access Application A and match Policy 1 must use a security key and re-authenticate every hour.
- Users who access Application A and match Policy 2 are not prompted for MFA.
- Users who access Application A and match neither policy must use an authenticator application or a security key, with a 24-hour session.
- Users who access Application B are not prompted for MFA.
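The policy > application > organization resolution described above, written out as an added example (not Cloudflare code) so the outcomes for each case can be checked mechanically. The `OrgSetting`, `MfaSetting` and `effective_mfa` names are assumptions, and the organization is modelled with a single "enforce by default" flag; the data at the bottom encodes the diagram's configuration.

```python
from dataclasses import dataclass
from typing import Optional

# The three per-application / per-policy options from the tables above.
RESPECT_GLOBAL = "Respect global enforcement setting"
CUSTOM = "Custom MFA settings"
DISABLE = "Disable MFA"


@dataclass(frozen=True)
class MfaSetting:
    mode: str
    methods: frozenset = frozenset()        # only meaningful for CUSTOM
    duration_hours: Optional[float] = None  # None = MFA on every Access login


@dataclass(frozen=True)
class OrgSetting:
    enforce_by_default: bool
    methods: frozenset
    duration_hours: Optional[float]


def effective_mfa(org: OrgSetting, app: MfaSetting, policy: Optional[MfaSetting] = None):
    """Resolve most specific first: policy, then application, then organization.
    Returns (mfa_required, allowed_methods, session_duration_hours)."""
    for level in (policy, app):
        if level is None or level.mode == RESPECT_GLOBAL:
            continue  # inherit from the next level up
        if level.mode == DISABLE:
            return (False, frozenset(), None)
        if level.mode == CUSTOM:
            return (True, level.methods, level.duration_hours)
        raise ValueError(f"unknown MFA mode: {level.mode!r}")
    if org.enforce_by_default:
        return (True, org.methods, org.duration_hours)
    return (False, frozenset(), None)


# The configuration from the diagram above, expressed as data (constructed).
ORG = OrgSetting(True, frozenset({"authenticator app", "security key"}), 24)
APP_A = MfaSetting(RESPECT_GLOBAL)
POLICY_1 = MfaSetting(CUSTOM, frozenset({"security key"}), 1)
POLICY_2 = MfaSetting(DISABLE)
APP_B = MfaSetting(DISABLE)
```

Note that a policy set to Custom MFA settings still wins over an application set to Disable MFA, because the policy level is the most specific.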