Cloudflare uses a Multi-Factor Authentication (MFA) method for increased account security. MFA prevents customer account takeovers when attackers gain unauthorized access to an account due to an exposed or easily guessed password.
Cloudflare will challenge any login attempt if the user provides the correct credentials from an unrecognized IP address.
Cloudflare challenges the login by sending a one time code that expires in 30 minutes to the email we have on file for the account. Once the correct code is provided through the dashboard, that IP will be recorded and further login attempts from that IP address won't be challenged for 90 days.
By checking “remember this computer,” that device/browser will not receive MFA challenges for up to 14 days. After 14 days, Cloudflare will begin checking the IP address again for logins from that device/browser.
Cloudflare emails are sometimes flagged as spam by the recipient's email service. If you are expecting an authentication token, you should check the spam folder for any Cloudflare emails and configure a filter to allow Cloudflare emails from firstname.lastname@example.org.
Other times emails are rejected by the recipient email service. Cloudflare will try again but after a few attempts it will flag your email address and no further emails will be sent.
If after ensuring your email service is not flagging Cloudflare you still do not receive an email, contact Cloudflare Support.