Hardware token for Cloudflare two-factor authentication


Cloudflare supports two-factor authentication using the standard TOTP protocol. Therefore, Token2 programmable hardware tokens are fully compatible with the Cloudflare two-factor authentication system and can be used as an alternative to the mobile authenticator app, or as one of the backup methods.

Please note that starting January 2020, Cloudflare supports FIDO2 (WebAuthn) as the secondary authentication method, which means that our FIDO2 keys can be used as well. This guide covers the TOTP method only.

Requirements

  • A Cloudflare account with Super Administrator privilege
  • A Token2 programmable token
  • An Android device with NFC* (needed for the enrollment only; subsequent logins will only require the hardware token)
  • TOKEN2 NFC Burner app*
[* A Windows version is also available, but this guide will use Android as an example]


To enable two-factor authentication for your Cloudflare login:

  • Log in to the Cloudflare dashboard.
  • Under the My Profile dropdown, click My Profile.
  • Click the Authentication tab. 
  • Scroll down to the Two-Factor Authentication section and click to toggle it to On.

  • Once 2FA is set to "On", a page with a QR code will pop up.
  • Launch the NFC burner app on your Android device and hit the "QR" button.
  • Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear.
  • Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" in the app.
  • Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code is correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two), a "burn seed successful.." message in the log window.


  • After completing the burning process, turn the token display off and turn it on again.
  • Enter the code generated by your hardware token into the Cloudflare 2FA popup window (Field #3, "Enter the code from your authenticator app"), then enter your account password and click "Next".
  • The enrollment is now complete.