Shocking Cloudflare SSO authentication hole, or working as designed?

Last week, I suddenly found myself unable to log in to administer my org’s Cloudflare account.

I work for a company which was acquired by a larger company a couple of years ago. My part of the org has a separate Cloudflare account which was carried over from before the acquisition, and maintaining our DNS is pretty important to our open source product. My email address is, however, part of the parent company’s domain. So, I authenticate using my work email address and a password, as well as an MFA device.

Sometime in the last few weeks, somebody at the parent company seemingly enabled SSO for “their” Cloudflare account. The implementation seems to have resulted in all email addresses within the parent company’s domain suddenly using the corporate SSO solution for auth. So, I could no longer log in with my Cloudflare password. For whatever reason (misconfiguration or intentionally limiting to a subset of people), I couldn’t log in via corporate SSO. The Cloudflare site’s support contact form requires me to log in first, so I couldn’t even reach out to anyone at Cloudflare for help.

Let that sink in. I was completely locked out of an account as a result of someone in a completely separate org making a change. Somebody who’s never talked to me and has no authority over my work was able to change my account login credentials out from under me with no notification whatsoever, solely because I happen to have used the same email domain. My secure password and MFA device no longer matter; I’m left to rely on the parent org’s security standards.
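To make the failure mode concrete, here is a small policy model I added to this post; it is a constructed example, not Cloudflare's code, and the "domain-scoped" versus "membership-scoped" rules are assumptions about how such a login decision could be made, not documented Cloudflare behaviour. The first rule reproduces what happened above: any account that claims an e-mail domain for SSO captures every login in that domain. The second rule only lets an account force SSO on its own members. The audit function is the pre-flight check an SSO rollout should run before the switch is flipped: who loses password+MFA, and who among them has no IdP identity and is therefore locked out entirely. The users, accounts and domains are all made up.

```python
"""Toy model of domain-wide SSO enforcement capturing identities that the
enabling account does not administer. Constructed example; not Cloudflare
code, and the policy rules are assumptions rather than documented behaviour."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    in_idp: bool = True  # will the corporate IdP actually assert this user?


@dataclass(frozen=True)
class Account:
    name: str
    members: frozenset = frozenset()      # e-mail addresses with access
    sso_domains: frozenset = frozenset()  # domains this account claimed for SSO


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def login_method_domain_scoped(user: User, accounts) -> str:
    """Weak rule (what the post describes): any account that enables SSO for a
    domain forces SSO on every login in that domain, member or not."""
    for acct in accounts:
        if domain_of(user.email) in acct.sso_domains:
            return "sso"
    return "password+mfa"


def login_method_membership_scoped(user: User, accounts) -> str:
    """Hardened rule (assumed): only accounts the user is actually a member of
    may force SSO; strangers who merely share the e-mail domain keep their own
    password and MFA."""
    for acct in accounts:
        if user.email in acct.members and domain_of(user.email) in acct.sso_domains:
            return "sso"
    return "password+mfa"


def lockout_audit(users, accounts, policy) -> dict:
    """Pre-flight check for an SSO rollout under a given login rule:
    who is forced onto SSO, who among them has no IdP identity (hard lockout),
    and who is being forced by an account they are not even a member of."""
    forced = [u for u in users if policy(u, accounts) == "sso"]

    def governed_by_member_account(u: User) -> bool:
        return any(
            u.email in a.members and domain_of(u.email) in a.sso_domains
            for a in accounts
        )

    return {
        "forced_to_sso": sorted(u.email for u in forced),
        "locked_out": sorted(u.email for u in forced if not u.in_idp),
        "captured_non_members": sorted(
            u.email for u in forced if not governed_by_member_account(u)
        ),
    }


# Constructed scenario: the parent company's account claims parent.example.
# An engineer at an acquired sub-org logs in with a parent.example address,
# is only a member of the sub-org's account, and is not provisioned in the IdP.
ENGINEER = User("engineer@parent.example", in_idp=False)
PARENT_ADMIN = User("it-admin@parent.example", in_idp=True)
BACKUP_ADMIN = User("engineer@personal.example", in_idp=False)
USERS = [ENGINEER, PARENT_ADMIN, BACKUP_ADMIN]
ACCOUNTS = [
    Account("parent-corp",
            members=frozenset({PARENT_ADMIN.email}),
            sso_domains=frozenset({"parent.example"})),
    Account("subsidiary",
            members=frozenset({ENGINEER.email, BACKUP_ADMIN.email})),
]

if __name__ == "__main__":
    for label, rule in (("domain-scoped", login_method_domain_scoped),
                        ("membership-scoped", login_method_membership_scoped)):
        print(label, lockout_audit(USERS, ACCOUNTS, rule))
```

Under the domain-scoped rule the audit reports the engineer as both forced onto SSO and locked out, since the IdP does not know them; under the membership-scoped rule only the parent company's own admin is affected and nobody is locked out. The backup address on a domain the engineer controls is untouched by either rule, which is exactly why a second superadmin on an unrelated domain is worth having.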

My little sub-org doesn’t pay Cloudflare that much, but I’m pretty horrified by the security implications of this behavior. I only happened to get in today because I guess somebody changed the corporate SSO settings for “their” domain. I haven’t gotten to the bottom of this internally yet, as I was also out on vacation last week, making the emergency change I was called in on that much more frustrating. But I’m still appalled that Cloudflare’s auth system is set up to allow this. I’ve set up a second account using a domain that I personally control as a backup (thank heavens we can finally add multiple superadmins). Hopefully I can still get in and actually manage things the next time this trainwreck of a security hole allows some rando to silently lock me out of my account.