2FA Remember Me

Because of the 2FA on my Cloudflare account, I have to enter a code every day. I used to have the “remember me on this device” option so we didn’t have to enter any more codes.
I don’t know why this option was removed, but it’s a very bad innovation. I’m tired of getting codes on my phone every day. If there is a developer team that cares about the community, please take this innovation back. You are putting people off the 2FA option, under the name of “extra security”, by adding extra difficulty where you need to encourage people to protect their accounts.
When I did not log in from a secure computer, I was already logging in without checking the “remember me” box; this option was always active in my secure personal system. Now I’ll remove the double protection from my account in a moment because I’m tired of constantly entering codes.

If anyone can submit this post as feedback, I would like to ask them to do so, please. You can see that my English is not good, I am not familiar with the forum, and I cannot find the place where I previously texted the support team. For this reason, I wrote this article on the forum, but when I saw that some users also had problems due to this problem, I opened this topic with peace of mind.

1 Like

Well, some people use, for example, YubiKey security keys for 2FA, and have a backup e-mail or phone method.

Could it be because when you close your Web browser, it deletes your cookies as well?

It’s not. It’s started happening to me too within the past few months. Doesn’t seem 2FA is really remembered anymore. :pensive:

Other sites work fine.

1 Like

Same here, the remember me option disappeared completely.
I am this close to disabling 2FA altogether, so annoying…

1 Like

Hi @fastgoldfan, @GI-Eaton, @lordapofr,

This post explains why the option was removed:

1 Like

@domjh Well, I never explicitly log out. I just close the tab, and when I visit again in a few days, it’s like I was never even there.

3 Likes

+1111.

Same, it’s so annoying

Some clarity for folks: Dashboard sessions have a 24 hour lifetime. After 24 hours, we will ask you to log in again. I can understand that having to input a 2FA code every day when logging in can be a pain, but we believe the additional security is worth it.

The ‘remember me’ cookie was fraught because if a bad actor was able to get that cookie they could steal your session even from another device while bypassing 2FA. A malicious browser extension could lift the cookie and then use it to take over your account. There has been a lot of recent reporting on extension takeovers (example news article). Cloudflare is a high value target for attackers looking to compromise websites, so we decided it was worth prioritizing security in this case by removing the ‘remember me’ cookie to reduce the risk of account takeovers.

5 Likes
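The trade-off described in the staff reply above, modelled server-side as an added example; it is not part of the original thread and not Cloudflare's code. `LoginService`, its methods and the cookie handling are hypothetical, and the model assumes the password check has already passed so that only the second factor is in question.

```python
import secrets

SESSION_LIFETIME = 24 * 60 * 60  # the 24 hour session lifetime stated in the reply


class LoginService:
    """Constructed model of a dashboard login; all names are hypothetical."""

    def __init__(self, remember_me_enabled):
        self.remember_me_enabled = remember_me_enabled
        self.remember_tokens = set()  # server-side record of issued remember-me cookies
        self.sessions = {}            # session id -> absolute expiry time (seconds)

    def login(self, now, password_ok, code_ok=False,
              remember_cookie=None, ask_remember=False):
        """Return (session_id, new_remember_cookie); session_id is None if refused."""
        if not password_ok:
            return None, None
        # A presented remember-me cookie stands in for the second factor.
        # The server sees only the cookie value, not which device sent it.
        remembered = (self.remember_me_enabled
                      and remember_cookie in self.remember_tokens)
        if not (code_ok or remembered):
            return None, None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = now + SESSION_LIFETIME
        new_cookie = None
        if self.remember_me_enabled and ask_remember and code_ok:
            new_cookie = secrets.token_urlsafe(32)
            self.remember_tokens.add(new_cookie)
        return session_id, new_cookie

    def session_valid(self, session_id, now):
        """Sessions expire at an absolute deadline, regardless of activity."""
        expiry = self.sessions.get(session_id)
        return expiry is not None and now < expiry


def remember_cookie_replaces_second_factor(remember_me_enabled):
    """True if a login with no 2FA code succeeds on the cookie value alone."""
    svc = LoginService(remember_me_enabled)
    _, cookie = svc.login(now=0, password_ok=True, code_ok=True, ask_remember=True)
    # The same cookie value presented later, from any device, with no code entered.
    session, _ = svc.login(now=3600, password_ok=True, remember_cookie=cookie)
    return session is not None
```

With the feature enabled the cookie value is the whole second factor, which is why its confidentiality mattered; with it removed, every login after the 24 hour expiry needs a fresh code.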

Why not IP whitelist to bypass 2FA then?
I understand that this kind of cookie has become dangerous, but is there no way to avoid entering a 2FA code every day? That makes 2FA too annoying to use, thus reducing security even more…

1 Like

What about https://webauthn.io?
It’s supported on most browsers (even Safari), and this would prevent extension vulnerabilities.

Damn web browsers should have a cookie blacklist (e.g. for remember me and session cookies), making them invisible to browser extensions.

Enterprise accounts can set up SSO for the dashboard, and enforce whatever conditional access policies you want that way, including whatever features your identity provider supports.

I have a personal account :confused:

1 Like

Would be nice if the Dashboard supported Touch ID!

Yes! We support webauthn with security keys already, so definitely worth taking advantage of that if you can. It makes for a much more streamlined experience and a safer one too!

As far as touch id, I know it was not available until Safari 14. However, there may be some additional work we need to do to extend our webauthn support to include touch/face id. I’d have to check on that one.

1 Like

Just tried. Was able to register Face and Touch. But the logon experience needs work.

Obviously your comment means it works, but I confirmed with the team as well that both are supported. Curious as to what part of the experience needs work? We are somewhat limited by the webauthn standard and how each browser implements it, but nonetheless want to know.

On a device with Face ID I could register Face ID. I have to click the “if your device …” to get prompted for my face. On a Touch ID device I can register, but don’t get prompted to touch.

This topic was automatically closed after 30 days. New replies are no longer allowed.