cloudflare
diff --git a/‎src/content/changelog/access/2026-04-15-independent-mfa.mdx‎
Lines changed: 37 additions & 0 deletions b/‎src/content/changelog/access/2026-04-15-independent-mfa.mdx‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx‎
Lines changed: 220 additions & 0 deletions b/‎src/content/docs/cloudflare-one/access-controls/access-settings/independent-mfa.mdx‎
Lines changed: 220 additions & 0 deletions
diff --git a/‎src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx‎
Lines changed: 8 additions & 5 deletions b/‎src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx‎
Lines changed: 1 addition & 1 deletion b/‎src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,37 @@
+---
+title: Independent MFA for Access applications
+description: Enforce multi-factor authentication for Access applications without relying on your identity provider.
+date: 2026-04-15
+products:
+  - access
+---
+
+Cloudflare Access now supports independent multi-factor authentication (MFA), allowing you to enforce MFA requirements without relying on your identity provider (IdP). This feature addresses common gaps in IdP-based MFA, such as inconsistent MFA policies across different identity providers or the need for additional security layers beyond what the IdP provides.
+
+Independent MFA supports the following authenticator types:
+
+- **Authenticator application** — Time-based one-time passwords (TOTP) using apps like Google Authenticator, Microsoft Authenticator, or Authy.
+- **Security key** — Hardware security keys such as YubiKeys.
+- **Biometrics** — Built-in device authenticators including Apple Touch ID, Apple Face ID, and Windows Hello.
+
+:::note
+Infrastructure applications do not yet support independent MFA.
+:::
+
+## Configuration levels
+
+You can configure MFA requirements at three levels:
+
+| Level            | Description                                                    |
+| ---------------- | -------------------------------------------------------------- |
+| **Organization** | Enforce MFA by default for all applications in your account.   |
+| **Application**  | Require or turn off MFA for a specific application.            |
+| **Policy**       | Require or turn off MFA for users who match a specific policy. |
+
+Settings at lower levels (policy) override settings at higher levels (organization), giving you granular control over MFA enforcement.
+
+## User enrollment
+
+Users enroll their authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/). To help with onboarding, administrators can share a direct enrollment link: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`.
+
+To get started with Independent MFA, refer to [Independent MFA](/cloudflare-one/access-controls/access-settings/independent-mfa/).
@@ -0,0 +1,220 @@
+---
+pcx_content_type: how-to
+title: Independent MFA
+sidebar:
+  order: 4
+tags:
+  - Authentication
+---
+
+import { Tabs, TabItem, APIRequest, Details } from "~/components";
+
+Independent multi-factor authentication (MFA) allows you to enforce MFA requirements directly in Access without relying on your identity provider (IdP). Users authenticate with their IdP as usual, and Access prompts for an additional authentication method before granting access to the application.
+
+## Supported MFA methods
+
+| MFA method        | Description                                                                                                                                                                 |
+| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Authenticator application | Time-based one-time passwords (TOTP) generated by apps such as Google Authenticator, Microsoft Authenticator, or Authy. Access supports one TOTP authenticator per user at a time. |
+| Security key              | YubiKeys and hardware security keys that support the [WebAuthn](https://www.w3.org/TR/webauthn-2/) standard. Users can enroll multiple security keys.           |
+| Biometrics                | Built-in device authenticators that use [WebAuthn](https://www.w3.org/TR/webauthn-2/), including Apple Touch ID, Apple Face ID, and Windows Hello. Users can enroll multiple biometrics.                                                                               |
+
+## Turn on independent MFA
+
+Before you can [enforce independent MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/#independent-mfa), you must turn on independent MFA at the organization level.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**.
+2. Under **Allow multi-factor authentication (MFA)**, select the [MFA methods](#supported-mfa-methods) you want to allow in your organization.
+3. Set an **Authentication duration**. This determines how long a user can log in to Access without being prompted for MFA again. If the user does not have an active MFA session for the required authenticator method, they must complete MFA in addition to IdP authentication.
+4. (Optional) To apply your MFA methods and authentication duration to all Access applications, select **Apply global MFA settings by default**. You can [override the global MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application) for individual applications and policies.
+	:::note
+	The [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) is exempt from the global MFA requirement. Users must be able to access the App Launcher without MFA to enroll their authenticators.
+	:::
+4. Select **Save**.
+
+</TabItem> <TabItem label="API">
+
+1. Get your existing Zero Trust organization configuration:
+
+   <APIRequest
+   	path="/accounts/{account_id}/access/organizations"
+   	method="GET"
+   />
+
+2. Send a `PUT` request to update your organization's MFA settings. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.
+
+	<APIRequest
+		path="/accounts/{account_id}/access/organizations"
+		method="PUT"
+		json={{
+			auth_domain: "your-team-name.cloudflareaccess.com",
+			name: "Your Team Name",
+			mfa_config: {
+				allowed_authenticators: ["totp", "biometrics", "security_key"],
+				session_duration: "24h",
+			},
+			mfa_required_for_all_apps: false,
+		}}
+	/>
+
+	Set `allowed_authenticators` to an array containing one or more of:
+
+	- `totp` — Authenticator application (time-based one-time passwords).
+	- `biometrics` — Biometrics (Touch ID, Face ID, Windows Hello).
+	- `security_key` — Security keys (YubiKeys)
+
+	Set `session_duration` to a duration string (for example, `30m`, `1h`, `24h`). To require MFA on every access, use `0m`.
+
+</TabItem> </Tabs>
+
+After you turn on independent MFA, users can [enroll authenticators](#enroll-authenticators) through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/).
+
+## Turn off independent MFA
+
+:::caution
+Turning off independent MFA removes MFA protection on all Access applications. Before turning off independent MFA, verify that your Access policies provide adequate coverage. Remove [custom MFA settings](/cloudflare-one/access-controls/policies/mfa-requirements/) from any applications and policies that use it, then turn off independent MFA at the organization level.
+:::
+
+To turn off independent MFA for the organization:
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Access controls** > **Access settings**.
+2. Under **Allow multi-factor authentication (MFA)**, turn off **Apply global MFA settings by default**.
+3. Turn off all MFA methods (**Biometrics**, **Security key**, and **Authenticator application**).
+
+If you get an error updating MFA settings, ensure that you have removed custom MFA settings from all applications and policies.
+
+</TabItem> <TabItem label="API">
+
+
+1. Get your existing Zero Trust organization configuration:
+
+   <APIRequest
+   	path="/accounts/{account_id}/access/organizations"
+   	method="GET"
+   />
+
+2. Send a `PUT` request with an empty `allowed_authenticators` array. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.
+
+   <APIRequest
+      path="/accounts/{account_id}/access/organizations"
+      method="PUT"
+      json={{
+         auth_domain: "your-team-name.cloudflareaccess.com",
+         name: "Your Team Name",
+         mfa_config: {
+            allowed_authenticators: [],
+         },
+      }}
+   />
+
+</TabItem> </Tabs>
+
+## Enroll authenticators
+
+Users enroll authenticators through the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/).
+
+To enroll an authenticator:
+
+1. Go to your organization's App Launcher at `<your-team-name>.cloudflareaccess.com`.
+2. Log in with your identity provider or with a one-time PIN (OTP).
+3. Go to **Account** > **MFA devices** > **Add an MFA device**.
+		:::note
+		Administrators can also share a direct enrollment link to help onboard users: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`
+		:::
+4. Select the authenticator type you want to enroll and follow the on-screen instructions.
+
+	<Details header="Authenticator application">
+	1. Select **Authenticator application**.
+	2. Scan the QR code with your authenticator app (for example, Google Authenticator, Microsoft Authenticator, or Authy). Alternatively, you can manually enter the setup key into your authenticator app. Use SHA1 as the hash function and set the time-step size to 30 seconds.
+	3. Enter the 6-digit time-based one-time password (TOTP) generated by your authenticator app to verify enrollment.
+
+	:::note
+	You can only have one TOTP authenticator enrolled at a time. If you use multiple devices, scan the same QR code on each device during enrollment. To replace an existing TOTP authenticator, delete it first and then enroll a new one.
+	:::
+	</Details>
+
+	<Details header="Security key">
+	1. Select **Security key**.
+	2. When your browser prompts you, insert your security key and follow the on-screen instructions.
+	3. After your browser confirms the registration, the security key is enrolled.
+
+	You can enroll multiple security keys for backup purposes.
+	</Details>
+
+	<Details header="Biometrics">
+	1. Select **Biometrics** > **Register biometrics**.
+	2. You will be prompted to enroll with an authenticator type that is available on your device (for example, **Add macOS Touch ID** or **Add Windows Hello**).
+	3. After your browser confirms the registration, the platform authenticator is enrolled.
+	</Details>
+
+You can now use these authenticators to log in to your organization's applications.
+
+### Delete an authenticator
+
+Users can delete their own authenticators from the App Launcher:
+
+1. Go to your organization's App Launcher at `<your-team-name>.cloudflareaccess.com`.
+2. Go to **Account** > **MFA devices**.
+3. Select the 3-dot menu next to the MFA device, then select **Remove MFA device**.
+
+Administrators can also [delete authenticators on behalf of users](/cloudflare-one/access-controls/access-settings/independent-mfa/#delete-a-user-authenticator).
+
+## Manage user authenticators
+
+Administrators can view and delete authenticators enrolled by users. This is useful for resolving lockouts or responding to security events.
+
+### View user authenticators
+
+To view a user's enrolled authenticators:
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**.
+2. Select a user.
+3. Go to **MFA devices**. Each entry shows the authenticator's ID, its user-configured name, and the MFA method.
+
+### Delete a user authenticator
+
+If a user is locked out or you need to revoke an authenticator for security reasons, you can delete it from the dashboard or API.
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Team & Resources** > **Users**.
+2. Select the user whose authenticator you want to delete.
+3. Under **MFA devices**, find the authenticator and select **Delete**.
+
+The user will need to enroll a new authenticator the next time they access an application that requires MFA.
+
+</TabItem> <TabItem label="API">
+
+Send a `DELETE` request to remove a specific authenticator:
+
+<APIRequest
+	path="/accounts/{account_id}/access/users/{user_id}/mfa_authenticators/{authenticator_id}"
+	method="DELETE"
+/>
+
+Parameters:
+
+- `user_id` — The UUID of the user. You can find this in the user details under **Team & Resources** > **Users**.
+- `authenticator_id` — The unique identifier for the authenticator.
+
+</TabItem> </Tabs>
+
+### Lockout recovery
+
+If a user loses access to all of their enrolled authenticators:
+
+1. [Delete](#delete-a-user-authenticator) the user's authenticators.
+2. The user can then access a protected application and will be provided a link to enroll a new authenticator.
+3. Alternatively, share the direct enrollment link with the user: `<your-team-name>.cloudflareaccess.com/AddMfaDevice`.
+
+:::tip
+To prevent lockouts, users should enroll multiple authenticators (for example, a security key and an authenticator application) when available.
+:::
+
+## Related links
+
+- [Enforce MFA on applications and policies](/cloudflare-one/access-controls/policies/mfa-requirements/)
@@ -4,8 +4,8 @@ title: Session management
 sidebar:
   order: 2
 tags:
-- JSON web token (JWT)
-- Authentication
+  - JSON web token (JWT)
+  - Authentication
 ---
 
 import { GlossaryTooltip, Render } from "~/components";
@@ -16,9 +16,9 @@ A user session determines how long a user can access an Access application witho
 
 When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs):
 
-| Token                                                                                 | Description                                                                                                          | Expiration                                                                                                                                       | Storage                                                                           |
-| ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- |
-| Global session token                                                                  | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration)                                                                                              | Your Cloudflare <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> |
+| Token                                                                                                               | Description                                                                                                          | Expiration                                                                                                                               | Storage                                                                           |
+| ------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
+| Global session token                                                                                                | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration)                                                                                      | Your Cloudflare <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> |
 | [Application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application.                                                             | [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application                                  |
 
 The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.
@@ -96,6 +96,9 @@ Users who match a policy configured with a _Same as application session timeout_
 
 When [Device authentication identity](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/client-sessions/#configure-client-sessions-in-access) is enabled for an Access application, the Cloudflare One Client session duration takes precedence over all other session durations (application, policy, and global). As long as the Cloudflare One Client session is valid and the user is running the Cloudflare One Client, the user will not be prompted to re-authenticate with the IdP — even if the global session has expired.
 
+### MFA session duration
+If you use [independent multi-factor authentication (MFA)](/cloudflare-one/access-controls/access-settings/independent-mfa/), the MFA session duration determines how long a user can log in to Cloudflare Access without being prompted for MFA. The MFA session is independent of the global, policy, and application session durations. When logging in to an Access app with [MFA enabled](/cloudflare-one/access-controls/policies/mfa-requirements/#configure-independent-mfa-for-an-application), users must complete an MFA challenge if their last MFA authentication falls outside the configured session duration. After authenticating with their identity provider, users are prompted for MFA. The [`CF_Device` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#cf_device) ensures both authentication steps occur on the same device. MFA session durations do not affect how long a user has access to the application (that is controlled by the [application token](#session-durations)).
+
 ### Order of enforcement
 
 The following flowchart illustrates how Access enforces user sessions for a self-hosted application.
 
@@ -69,7 +69,7 @@ The following Access cookies are essential to Access functionality. Cookies that
 
 | Details                                                                                                                                                    | Expiration | HttpOnly | SameSite | Required? |
 | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -------- | -------- | --------- |
-| Cookie used to help prevent abuse of the [Access OTP flow](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) | 30 days    | Yes      | Strict   | Required  |
+| Cookie set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name), used to prevent abuse of [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/) and [multi-factor authentication](/cloudflare-one/access-controls/access-settings/independent-mfa/) flows | 30 days    | Yes      | Strict   | Required  |
 
 ## Cookie settings