While it is important to protect the user login credentials and so on it is not the CloudFlare responsibility to harden the security of accounts. The email-token system is working one in ten times, some of my accounts are inaccessible at all as I do not receive email confirmations.
I don’t suppose that I am the only person experiencing such problems on everyday basis. Please conduct a testing before you put that […] into production. I am sure the system should be disabled until it will be fit for a wild. As for the security architecture I am sure it is not useful at all.