MFA is a single point of failure


#1

Tried setting up MFA with Authy. Only able to set it up with one Authy account. That means only one person can access the Cloudflare admin site, which is a single point of failure.

Bigly security flaw!


#2

Does Authy block you from adding it to multiple Authy accounts? (They might, I don’t know Authy).

If you’re using standalone products like Google Authenticator then you can scan the QR code with as many devices as you like (although adding a new one isn’t easy since the QR code is only shown once, and storing it is storing the risk of compromise).

If you use something like 1Password, you can add a single TOTP to as many users as you want and 1Password allows users to access the manual setup URL/code, so you can add users. Better, if you use their cloud hosted service then you can share a single item out to multiple users and control permissions directly.

Ideally Cloudflare would extend their interface to directly allow multiple users and role-based or limited access, but as of this time I don’t believe it is possible (at least, not at the pleb level).


#3

Thanks for the reply, Dave

We’ve shared one set of credentials and used LastPass much the same as you suggested, but are frequently getting snagged by the email MFA as we’re all remote workers with multiple IP addresses (and some of us are even on Dynamic IPs). PITA.

Yes, it’s restrictive not being able to have multiple users. I’ve learned that multiple users and MFA enforcement is available with an Enterprise account. I think that should be standard for anyone paying $200 / month or more.


#4

I use TOTP and have never seen an email that needed attention, and while I’m one person, I work full time remote and have wandered around more than usual in the last few weeks (dynamic IPs, tunneling through he.net tunnels, connecting from my own tunnels via data centers).

However, sharing a mailbox is also pretty straightforward with most business focused providers (and if not, delivering all the mail to multiple mailboxes is completely trivial for even the less competent providers).

None of which is ideal. I’d agree that at the business account level multi-user access should be available across the board.


#5

Shared Account Access for more plan levels is coming very soon! We’re wrapping up the limited beta and putting finishing touches on it now. You will be able to give other users access via their own CF accounts.


#6

Marvellous!

