Cloudflare supports two-factor authentication using the standard TOTP protocol. Token2 programmable hardware tokens are therefore fully compatible with Cloudflare's two-factor authentication system and can be used as an alternative to the mobile authenticator app, or as one of the backup methods.
Please note that starting January 2020, Cloudflare supports FIDO2 (WebAuthn) as the secondary authentication method, which means that our FIDO2 keys can be used as well. This guide covers the TOTP method only.
- A Cloudflare account with the Super Administrator privilege
- A Token2 programmable token
- An Android device with NFC* (needed for the enrollment only; subsequent logins require only the hardware token)
- TOKEN2 NFC Burner app*
[* A Windows version is also available, but this guide uses Android as an example]
To enable two-factor authentication for your Cloudflare login:
- Log in to the Cloudflare dashboard.
- Under the My Profile dropdown, click My Profile.
- Click the Authentication tab.
- Scroll down to the Two-Factor Authentication section and click to toggle it to On.
- Once 2FA is set to "On", the following page with a QR code will pop up.
- Launch the NFC burner app on your Android device and hit the "QR" button.
- Point the camera at the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear.
- Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" in the app.
- Upon successful connection, click the "Burn seed" button. If the NFC link is established and the code is correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two) a "burn seed successful.." message in the log window.
- After completing the burning process, turn the token display off and turn it on again.
- Enter the code generated by your hardware token into the Cloudflare 2FA popup window (Field #3, "Enter the code from your authenticator app"), then enter your account password and click "Next".
- The enrollment is now complete
The Cloudflare dashboard will also generate and display your emergency backup codes. These codes are only displayed once, so be sure to write them down and store them somewhere safe. If your token is ever lost or stolen, you can use these codes to disable two-step authentication on your account. If you lose your codes but still have access to your account, you can generate new backup codes from your two-step authentication settings.