Enforce MFA

With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key.

This feature is only available if you are using the following identity providers:

Okta

Azure AD

OpenID Connect (OIDC)

To enforce an MFA requirement on an application:

1. On the Zero Trust dashboard, navigate to Access > Applications.

2. Find the application for which you want to enforce MFA and click Edit. Alternatively, create a new application.

3. Navigate to the Rules section of the application. If your application already has a rule containing an identity requirement, find it and click Edit.

4. The rule must contain an Include rule which defines an identity. For example, the Include rule should allow users who are part of a user group, email domain, or identity provider group.

5. Add a Require action to the rule. Select Authentication Method and choose mfa - multiple-factor authentication.

6. Save the rule.

Important: What happens if the user fails to present the required MFA method? Cloudflare Access will reject the user, even if they successfully log in to the identity provider with an alternative method.

Adding authentication methods into the JWT

When users authenticate with their identity provider, the identity provider then shares their username with Cloudflare Access. Cloudflare Access then writes that value into the JSON Web Token (JWT) generated for the user.

Certain identity providers can also share the multifactor authentication (MFA) method the user presented to log in. Cloudflare Access can add these values to the JWT and enforce rules based on them. For example, if the user authenticated with their password and a physical hard key, the identity provider can send confirmation of that to Cloudflare Access.

Cloudflare Access then stores that method into the same JWT issued to the user.