To increase account security, Cloudflare has implemented Multi-Factor Authentication (MFA) method. This feature helps prevent customer account takeovers in which a bad actor is able to gain unauthorized access to an account due to an exposed password or an easy to guess password.
When someone successfully provides correct credentials to login to an account from an unrecognized IP for that account, Cloudflare will challenge the user trying to login into the account.
Cloudflare challenges the login by sending a one time code to the email we have on file for the account with an expiration of 30 min. Once the correct code is provided through the dashboard, that IP will be recorded and further login attempts from that IP address won't be challenged for 90 days.
By checking “remember this computer”, that device/browser will not receive MFA challenges for up to 14 days. After 14 days, Cloudflare will begin checking the IP address again for logins from that device/browser.
Can it be disabled?
Email MFA can only be disabled by enabling two-factor authentication on the account:
Why am not getting any emails from Cloudflare with my token?
Sometimes emails sent by Cloudflare are flagged as spam by the recipient email service. If you are expecting an authentication token, you should check the spam folder for any Cloudflare emails and configure a filter to allow Cloudflare emails from: [email protected]
Other times the emails are rejected by the recipient email service. Cloudflare will try again but after a few tries it will flag the email and no further emails will be sent to that recipient.
If after ensuring your email service is not flagging Cloudflare, you still do not receive an email please contact Cloudflare Support.