Cloudflare has recently introduced a new feature which allows for increased security for accounts.

Member based account access

No longer are stakeholders required to share the same single username and password to access a firm’s Cloudflare account. Now each person who needs access can have their own login which can be managed by the account owner. The account manager can revoke a member’s access to the account if desired.

Each individual member is able to utilize 2FA to further secure the account without impeding each other’s ability to access it at any time. Something that was impossible prior to this new feature’s introduction.

Setting up 2FA for Cloudflare

The process is fairly straight forward.

1. Owner invites users to manage the account
   • The account owner sends an invite through the Cloudflare dashboard to the email address of each person that requires access to the account. The email requests the invitee to join the account as an Admin member.
   • Once that’s been done the invitee will receive an email at which will contain a link to a sign up page.
   • The page will prompt the new user to create a password for their new Cloudflare account. This will be an account that only they will have access to and they alone have the password for. There is zero cost for these accounts.

2. Invited users enable 2FA for their account

   • After creating a password for their new account the invitee will then be prompted to set up 2FA. They can use their choice of supported Authentication apps including:

     • Google Authenticator for iOS or Android (Skunkworks' recommended app.)
     • Authy for iOS or Android
     • TOTP
       • via 1Password for iOS or Android
       • via Duo Mobile for iOS or Android

It is critically important to also record the 2FA backup code that is displayed during the 2FA setup process in case the user loses their mobile device.

The account owner’s login requires 2FA to be turned on for their login as well so during the setup process it may be tied to a Skunkworks employee’s phone. At some point this should be switched to require either your I.T. provider’s phone or one of the partners at your firm’s phone.

When 2FA goes wrong.

Lost your phone? AND your backup code?

1. Open a support ticket with Cloudflare.

For the protection and security of your account, we need to be extremely careful before disabling or modifying the 2FA feature on a customer’s account.

“Before we can disable this security feature on an account for you we’re going to need you to confirm:

• The list of domains (1 or more) in your account
• The IP address(es) for the web server(s) associated with each those domain(s) (1 or more)
• Who your hosting provider is for each of those domain(s) (1 or more)
• What your original name servers were for each of those domain(s) (1 or more)
• [Authy only] What phone number you used to activate Authy on your Cloudflare account

Once you’ve provided these details we can then verify that you are the owner of the account.” - Cloudflare Support