From 2697769dba13047601fbaadfbe078e097fd7ac62 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Tue, 28 Oct 2025 15:11:57 -0700 Subject: [PATCH 1/9] Create 2025-10-30-email-2FA.mdx --- .../fundamentals/2025-10-30-email-2FA.mdx | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx new file mode 100644 index 000000000000000..6e71adf60f264c3 --- /dev/null +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx 
@@ -0,0 +1,23 @@ +--- +title: Introducing email two-factor authentication +description: Cloudflare now offers email two-factor authentication to protect your account +date: 2025-10-30 +--- + +Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (eg Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. + +Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. Cloudflare will now prompt you during the login flow to enable email 2FA to better protect your account, and avoid getting locked out in the future. + +## Sign-in security best practices + +Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account. + +- Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. +- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked +- Store your backup codes securely. 
A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. +- If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. +- If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). +- If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. +- If you manage a Cloudflare account for work: + - Have at least two administrators in case one of them unexpectedly leaves your company + - Use SCIM to automate permissions management for members in your Cloudflare account From b347ec2e6e410cfeb6e3a7f9e32e82b899d7e8cf Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 29 Oct 2025 17:25:26 -0700 Subject: [PATCH 2/9] Update 2025-10-30-email-2FA.mdx --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 6e71adf60f264c3..7dfc413ffc71745 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx 
@@ -6,7 +6,7 @@ date: 2025-10-30 Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (eg Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. -Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. Cloudflare will now prompt you during the login flow to enable email 2FA to better protect your account, and avoid getting locked out in the future. +Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. You can now enable email 2FA by going to your user profile (the person icon in the top corner of the Dashboard), then **Authentication**, and then under Two-Factor Authentication click **Set up**. ## Sign-in security best practices From df472d48442cd43b44222f30e4443bae2f3bbc6f Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Thu, 30 Oct 2025 08:04:45 -0700 Subject: [PATCH 3/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 7dfc413ffc71745..91a7f5ee17f3162 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx 
@@ -4,7 +4,7 @@ description: Cloudflare now offers email two-factor authentication to protect yo date: 2025-10-30 --- -Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (eg Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. +Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. You can now enable email 2FA by going to your user profile (the person icon in the top corner of the Dashboard), then **Authentication**, and then under Two-Factor Authentication click **Set up**. From ab83dab42adddcf9011cc9199ca870f9064f7e24 Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Thu, 30 Oct 2025 08:05:01 -0700 Subject: [PATCH 4/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- .../changelog/fundamentals/2025-10-30-email-2FA.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 91a7f5ee17f3162..ba5a550eb52fcb7 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx 
@@ -6,7 +6,13 @@ date: 2025-10-30 Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. -Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. You can now enable email 2FA by going to your user profile (the person icon in the top corner of the Dashboard), then **Authentication**, and then under Two-Factor Authentication click **Set up**. +Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. + +You can now enable email 2FA on the Cloudflare dashboard: + +1. Go to **Profile** at the top right corner. +2. Select **Authentication**. +3. Under **Two-Factor Authentication**, select **Set up**. ## Sign-in security best practices From afbec50ac8ced567e6a1be1d324222a6992675fa Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Thu, 30 Oct 2025 08:05:12 -0700 Subject: [PATCH 5/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index ba5a550eb52fcb7..3b0596c91473063 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx @@ -16,7 +16,7 @@ You can now enable email 2FA on the Cloudflare dashboard: ## Sign-in security best practices -Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account. +Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account: - Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. - Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked From 423f561d0f359fb22f31f7948c6cd957bcf50af3 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 Oct 2025 08:05:24 -0700 Subject: [PATCH 6/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 3b0596c91473063..3f61d4128c2a76c 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx @@ -19,7 +19,7 @@ You can now enable email 2FA on the Cloudflare dashboard: Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account: - Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. -- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked +- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked. - Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. - If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. - If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). From 38178827a74945180b0fd0b352949d53883edddd Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 Oct 2025 08:05:34 -0700 Subject: [PATCH 7/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 3f61d4128c2a76c..583bfbceaa0243b 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx @@ -22,7 +22,7 @@ Cloudflare is critical infrastructure, and you should protect it as such. Review - Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked. - Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. - If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. -- If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). +- If you use a custom email domain to sign in, [configure SSO](/fundamentals/manage-members/dashboard-sso/). - If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. - If you manage a Cloudflare account for work: - Have at least two administrators in case one of them unexpectedly leaves your company From e8fb3f648dd8a9168d03ce8d8e63bd6e3fbfeda7 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 Oct 2025 08:05:52 -0700 Subject: [PATCH 8/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 583bfbceaa0243b..8612575b819220c 100644 
--- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx @@ -25,5 +25,5 @@ Cloudflare is critical infrastructure, and you should protect it as such. Review - If you use a custom email domain to sign in, [configure SSO](/fundamentals/manage-members/dashboard-sso/). - If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. - If you manage a Cloudflare account for work: - - Have at least two administrators in case one of them unexpectedly leaves your company + - Have at least two administrators in case one of them unexpectedly leaves your company. - Use SCIM to automate permissions management for members in your Cloudflare account From e1d31ecb097e180279e7502bc28ae979bbf6c162 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Thu, 30 Oct 2025 08:06:00 -0700 Subject: [PATCH 9/9] Update src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx Co-authored-by: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> --- src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx index 8612575b819220c..206794e93f44faa 100644 --- a/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx +++ b/src/content/changelog/fundamentals/2025-10-30-email-2FA.mdx 
@@ -26,4 +26,4 @@ Cloudflare is critical infrastructure, and you should protect it as such. Review - If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. - If you manage a Cloudflare account for work: - Have at least two administrators in case one of them unexpectedly leaves your company. - - Use SCIM to automate permissions management for members in your Cloudflare account + - Use SCIM to automate permissions management for members in your Cloudflare account.
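Review bot: In PATCH 1/9, the first added paragraph calls both factor types "phishing resistant 2FA options including hardware based keys (eg Yubikey) and app based TOTP", but only the hardware key has that property. A TOTP code is typed in by the user and can be entered on a look-alike sign-in page in the same way as a password. Suggest scoping the claim, for example "phishing-resistant hardware keys (for example, a YubiKey) and app-based TOTP". PATCH 3/9 rewrites only the "eg" in this sentence, so the wording carries through to the end of the series. While there, hyphenate "hardware-based" and "app-based" and use the product spelling "YubiKey".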
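Review bot: PATCH 2/9 drops the sentence "Cloudflare will now prompt you during the login flow to enable email 2FA" and replaces it with dashboard navigation only, so the entry no longer says whether users will see that prompt. If the prompt ships, keep one sentence about it next to the manual steps so that users who meet it at sign-in can recognize it as legitimate. If it does not ship, say so in the commit message, which currently reads only "Update 2025-10-30-email-2FA.mdx".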
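Review bot: In PATCH 4/9, step 3 ("Under **Two-Factor Authentication**, select **Set up**.") stops without naming email as the method being enrolled, although the lead-in promises "You can now enable email 2FA on the Cloudflare dashboard". Suggest naming the email option in step 3 or adding a fourth step for it. The steps also do not say what happens for a user who already has a hardware key or TOTP configured, which is the audience the first paragraph describes as getting locked out.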
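Review bot: The best-practices list, as it stands after PATCH 9/9, has no item about protecting the mailbox that now receives the 2FA codes. The announcement instead relies on "most commercial email providers already require 2FA, so your email address is usually well protected already", which is stated without a source and does not cover custom or self-hosted mail domains. Suggest adding a bullet telling users to enable 2FA on the email account they sign in with, and softening or citing the "already require 2FA" sentence. As a smaller style point, "SCIM" in the last bullet is neither expanded nor linked, while the SSO bullet links to its docs page.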