New Email Authentication (MFA) is the WORST THING


#1

This has to be the most ill-advised security feature Cloudflare has implemented to date. Since its rollout we have seen:

  1. Extensive delays in helping customers update their DNS records as we need to get them involved and have them forward mails

  2. Experienced accounts with out-of-date email addresses with no access to mailbox anymore (this is really the customer’s problem - but would not have been an issue before)

  3. Catch-22 type situations where a client needed to update DNS in order to fix a mail issue, but could not gain access to the Cloudflare account as they could not receive the auth mail!!

Haven’t you been getting lots of negative feedback here? Didn’t anybody at Cloudflare think that it might be ill-advised to rely on mail authentication as an access requirement when your system is integral to mail functionality in the first place ???

PLEASE CONSIDER ROLLING THIS BACK! If users want more security they will turn on 2FA! If you feel users are not adopting 2FA widely enough: Nudge them to do so!

Don’t just put up a wall to login with wide-reaching consequences like this … sadface


#2

Even if I can understand the point with “It costs more time and effort”, the security advantage is massive. Instead of the fact that attackers only need a password to gain access to an account, you now also need access to the user’s mailbox.

Especially: If an e-mail takes too long because of the delivery time, you can easily activate 2-factor authentication via TOTP. See https://www.cloudflare.com/a/profile


#3

Problem is a lot of people migrate their one domain to Cloudflare and then barely touch their account.

This can lead to inaccessibility issues mentioned above.

When Cloudflare has existing 2FA functionality - which you point out - why try to “protect the dummies” with a feature which can cause problems and havoc?

If users have easily guessable passwords: warn them
If someone logs in from an IP not seen before: warn them
If someone makes DNS changes: How about sending confirmation mail at that point, as an option? This would not block access to the account itself, mitigating some scenarios, and would achieve the same level of security

Why are there no fallback options? There should really be an option now, since you’ve implemented this MFA, to indicate a secondary mail address which can be used as a fallback.

How would a user recover access to their account if something is wrong with their mail system? Like the scenario we ran into today…

In general Cloudflare could use better support for teams - I know there’s multi-device stuff in Authy, but that’s not quite what I mean here. Adding team members would also improve trackability and accountability vis-a-vis DNS changes.

This new MFA “solution” which has been rolled out, seems to me to be a panic-implementation in response to a - granted, probably very real and very serious issue - but not very well thought out, which is causing lots of friction and issues out here in userland. There are many other strategies which can be employed to mitigate this stuff, is all I’m saying …


#4

How users handle mails and the corresponding mail servers is always in the hands of the respective sysadmins. However, Cloudflare can’t really do much for this if access to mail servers is not possible. If you want to be sure and don’t want to have centralized access on one server at all times, you should choose one of the other 2FA methods.

As far as teams are concerned, yes, that’s true. At least according to the plan, there is a possibility to set up teams, but only for the enterprise plan.


#5

Seems like you are a fan of the new MFA Chris - all good - not sure what your role is, if you are part of CF or just a forum member.

However, it is a grim reality that a lot of users - maybe more than you realize - have no idea what Cloudflare is or what it does, and have been directed to use it by more skilled people.

The problem then becomes if the user doesn’t know how to access the account in the first place to set up 2FA. There’s many a n00b out there - and until now CF was quite n00b friendly as they could simply “get their tech guy to fix stuff”

Now, I’m one of those tech guys, and I have had to go through hell and back to gain access to users’ CF accounts since this was implemented.

Also I think you are shrugging off a bit too lightly the catch 22 where the user has an unsolvable issue with their mail on a 3rd party service where they have no control - and need to go in and change their MX records - and as Cloudflare is the point of control for MX records … Well you must realize what this means…

The only workaround has been to delegate the domains away from Cloudflare entirely as no access is possible there anymore. I am fairly certain the engineers at CF hadn’t thought of this very prickly scenario and that it could in fact cause users to end up leaving Cloudflare

But alright, whatever - if you want to be blind to our pain and insist on fixing the problem with a sledgehammer, go ahead and alienate a portion of the user base


#6

I am just a normal user ^^

As I said, I understand your point. I myself have been working for a while in a company where the bug was mostly 40 centimeters in front of the screen, if you know what I mean.

This is precisely why these users had no access or write access to critical or important services, such as the DNS server.

I think CF has taken the right step in the right direction. It’s not uncommon to need 2-factor authentication for more and more services, especially those that might be important as described above.

But hey, that’s just my personal opinion.

PS I like such open discussions… It’s been years since I last had a good discussion on a forum like this one ^^


#7

We completely agree that 2FA is a good thing :slight_smile:

That’s why I think effort should have been made to convert more people to “real” 2FA (i.e. handset or handset + phone no. + mail fallback) instead of forcibly imposing this new mechanism which is throwing us for a loop

I would have been fine with a graded rollout where users were forced within a timeframe to choose their preferred 2FA method

At a bare minimum some method of recovering access in case of mail inaccessibility should have been put in place before this was enacted as a system-wide policy.

sigh - well, we will have to deal the best we can :slight_smile:

Thanks for listening to my ranting Chris…!!


#8

Just a heads up, all Cloudflare employees should have the nifty little :logo: on their picture when they post (like mine to the <—).

Great points raised on both sides. It’s definitely a complicated issue. I can address a few points though:

This isn’t about “protecting the dummies” as you say (though there are plenty of examples in society where decisions are encouraged/required through rules/laws). Anyone can be a victim of account takeover if they aren’t careful. Not just people who are “careless”.

If a user is locked out because of lost access to a 2FA device or inability to receive MFA emails, they can always email support to ask for help. But they’ll need to be ready to answer a number of verification questions before we can do anything.

Shared account access is being extended beyond Enterprise plans soon. I don’t have details on exactly how it will be rolled out, but we are testing internally now. This should hopefully help with client/vendor situations like the one that @arni is experiencing.


#9

Good news. I can now reveal that it’s on the roadmap for THIS quarter.


#10

Good news indeed!

Hopefully this will make stuff like this easier to deal with :slight_smile: