Cloudflare Docs
Cloudflare Fundamentals
Edit this page on GitHub
Set theme to dark (⇧+D)

Multi-Factor Email Authentication (MFA)

​​ Overview

Cloudflare uses a Multi-Factor Email Authentication (MFA) method for increased account security. MFA prevents customer account takeovers when attackers gain unauthorized access to an account due to an exposed or easily guessed password.

Cloudflare will challenge any login attempt if the user provides the correct credentials from an unrecognized IP address.

Cloudflare will send an email when your account is logged into from an unknown IP address.

Cloudflare challenges the login by sending a one-time code that expires in 30 minutes to the email that we have on file for the account. Once the correct code is provided through the dashboard, your IP will be recorded and further login attempts from that IP address will not be challenged for 90 days.

When your account is logged into from an unknown IP address, you have to enter an authentication token from an email sent to your email address on file.

By selecting Remember this computer, your device or browser will not receive MFA challenges for up to 14 days. After 14 days, Cloudflare will begin checking the IP address again for login attempts from that device/browser.


​​ Troubleshoot MFA

Cloudflare emails are sometimes flagged as spam by the recipient’s email service. If you are expecting an authentication token, you should check the spam folder for any Cloudflare emails and configure a filter to allow Cloudflare emails from [email protected]_._

Other times, emails are rejected by the recipient email service. Cloudflare will try again it will flag your email address after several attempts and no further emails will be sent.

If you still do not receive an email after ensuring your email service is not flagging Cloudflare, contact Cloudflare Support.