Logging into Cloudflare with different IP addresses

mfa

#1

Hi

I travel internationally a lot. As such my IP address changes (even when stationary I notice different IP addresses)

Cloudflare (rightfully and helpfully) let’s me know this with an email every time I log in.

Recently it seems to have upped the security a little and is emailing out a security code to input to confirm it’s me ( again, good).

I’m just a little concerned that sooner or later Cloudflare will up this security again and start to lock people out based on IP addresses. I’ve seen this on other sites which drives me nuts.

I know 2 Factor is possible in Cloudflare but it’s not something I am fond of if I lose my mobile.

Is it possible for Cloudflare to allow logins based on the PC one is using like some other sites? Or a second passcode or the like?

I also know I will get some stick about 2 Factor etc. but I’ve seen it go wrong when people travel internationally and it can really mess things up.

FYI today I logged into Cloudflare with no issues. But then got the email saying I had to enter a code … after I’d already logged in. So I’m guessing CF are working on log in security at the moment.

I guess I’m just flagging this for anyone in Cloudflare dealing with logins etc as it is an issue for some of us out there.

Thanks :slight_smile:


#2

Hey there,

Yes, we recently released that change in order to better protect customer’s accounts. Currently, when you are asked to provide a MFA token, you can select the “Remember me” option. Doing so will store a cookie which will prevent you from being challenged if your IP changes on that machine for a longer period of time. This should reduce how often you need to provide the token from that browser.

Any change to explicitly block access to an account would require explicit opt-in or configuration by the account owner in order to prevent exactly the scenario you are describing.

Cheers,
Garrett


#3

Hi Greg

Thanks for the reply.

I logged in a few days ago and clicked the “Remember Me” option. The very next day it asked me for the token.

Today it let me in without the token or the email. But after two minutes of being logged in I got an email with a token (that was never requested).

I don’t mind the tokens etc I’m just worried about getting locked out as I travel internationally a lot.


#4

Hi
we are having the issue as well. and the timeout period seems pretty low.

is there a way to turn it off, or at least to see the attempts, and allow the login?
Steve


#5

Just an update for the DEVs.

Whenever I log in now, it let’s me in … then 1 min later I get an email with a token saying to use it to log in … I’m already logged in!

Then 1 minute later another email saying I logged in using a different IP address.

Just a heads up :wink: