2FAA.app

How to Enable 2FA on Cloudflare

Whoever controls your Cloudflare account controls your DNS — which means your email routing, your TLS, and effectively your whole domain. 2FA here protects every site you run, not just one account.

Quick path: dash.cloudflare.com → My Profile → Authentication → Two-Factor Authentication

Step-by-step: 2FA setup on Cloudflare

  1. 1

    Open your Cloudflare profile

    Sign in at https://dash.cloudflare.com, click the profile icon at the top right → 'My Profile'.

  2. 2

    Go to the Authentication tab

    Open the 'Authentication' tab. Under 'Two-Factor Authentication', click 'Enable'. Cloudflare asks you to confirm your password.

  3. 3

    Scan the QR code with 2FAA

    Cloudflare displays a QR code with a manual key option. Open 2FAA, scan it — your 6-digit Cloudflare code appears immediately.

  4. 4

    Verify with the current code

    Enter the active code from 2FAA to confirm. 2FA is now required at every login.

  5. 5

    Download your backup codes

    Cloudflare generates a set of single-use backup codes right after setup. Download and store them offline — you can regenerate the set later from the same Authentication tab.

Generate Cloudflare 2FA codes with 2FAA

You don't need a separate authenticator app. 2FAA is a free, browser-based TOTP generator — your secret never leaves your device, and it works offline as a PWA. The same secret can be used in parallel with Google Authenticator or Authy if you prefer redundancy.

Open 2FAA AuthenticatorImport from Google Authenticator

Frequently asked questions

Why is 2FA especially important on Cloudflare?

DNS control is account takeover at the infrastructure level: an attacker can point your domain at their own servers, intercept email via MX changes, and pass many 'verify by DNS' checks elsewhere. 2FA is the cheapest insurance against all of that.

Does Cloudflare support hardware security keys too?

Yes — you can add FIDO2/WebAuthn keys alongside TOTP in the same Authentication tab. Keep TOTP (2FAA) as the fallback for devices where the key isn't available.

Will 2FA break my API tokens or Wrangler deploys?

No. API tokens and keys authenticate directly and aren't prompted for 2FA. 2FA guards interactive dashboard logins — rotate tokens separately if you suspect a leak.

I lost my authenticator and backup codes — can I recover?

Cloudflare account recovery without any second factor is deliberately strict and slow. Avoid it: export a 2FAA backup or keep the regenerated backup codes somewhere safe.

Other 2FA setup guides

Discord 2FAEpic Games / Fortnite 2FARoblox 2FASpotify 2FAPayPal 2FATwitch 2FA