Any way to work around the "one Super Admin per instance" issue?


Given that only the Enterprise level of Cloudflare (which we aren’t on) allows for multiple Super Admins, we are looking for some ideas on how to work around the “hit by a bus scenario” if our one Super Admin isn’t available and other regular Admins can’t make certain system changes due to Admins having a lower level of permissions than the Super Admin.

Even if our Super Admin account were under a ‘shared’ login, the account still needs to be secured with 2FA, which means that a single device (phone or hardware key) limits who can log into the account.

Any ideas or recommendations?

Ideally, the email address of the person under the bus can be recovered (such as being assigned as an alias on another user), which is step one.

You can add the TOTP code to more than one device, copy the QR code used to set up 2FA, and download the 2FA backup codes, and store them in a safe place (giving it to the company auditor/lawyer in a sealed envelope is a safe option).

Ah, I didn’t even think about adding the TOTP code to more than one device.

What about hardware-based keys? Does Cloudflare allow more than one key to be assigned to an account?

I have several YubiKeys assigned to my account. Of course you’d be in pretty bad shape if you just assigned one and lost it.

OK then, that’s the solution (multiple YubiKeys).



