I recently purchased a YubiKey 5 NFC USB-A security key to make logins more secure and easier across my online accounts. The below guide will show you how to set up secondary 2FA and register a YubiKey 5 NFC security key for Cloudflare account login.
The below steps allow you to use your Yubikey security key to log into your Cloudflare Account. You can also use Yubikey to protect other online accounts including using it with Cloudflare Access to protect your sensitive logins via Google Workspace identity provider.
Step 1. Verify your Yubikey is legit using Yubico’s online tool.
Step 2. Login to your Cloudflare Account dashboard
Then go to your profile authentication section at https://dash.cloudflare.com/profile/authentication/management and Add a Security Key Authentication.
On a Windows 10 computer, you’ll be prompted to set a security PIN number which you need to use in conjunction with touch/tapping your YubiKey 5 NFC security key. The PIN is probably a safeguard against physical key compromise and acts as a third factor authentication mechanism.
Once PIN is set, you’d be prompted to tap/touch your YubiKey 5 NFC security key device to complete the process and the new security key will be listed.
Step 3. Cloudflare Account login with YubiKey 5 NFC security key
Now when you login into your Cloudflare Account with your YubiKey 5 NFC security key plugged into your computer’s USB port, you will be prompted to enter your security PIN you previously set and then to tap/touch the YubiKey 5 NFC device to login.
I’ve now registered my YubiKey 5 NFC security key with various service accounts including 1password, Github, Twitter etc. However, some services like Amazon AWS IAM and Namecheap only allow either software authenticators like Google Authenticator/Authy or security keys and not both at the same time. There are many YubiKey setup guides available on official YubiKey site too.
Update: December 6, 2021. With recent WordPress Gravatar data breach leaking username, names and email addresses, also decided to register my Yubikey security keys for WordPress.com logins as well.
Update: October 6, 2022. Cloudflare has announced a deal with Yubico for discounted Yubikey security keys which start as low as US$10 per key! There’s no excuse not to use security keys to better protect your online accounts from phishing attacks etc.
One way you can secure your sites on Cloudflare is if you setup a Yubikey to protect your Google Workspace (Gsuite) account and then have your Cloudflare proxied sites’ login pages authenticated via Cloudflare Access with Google Workspace setup as an identity provider. Then whenever your log into your Cloudflare proxied sites’ login pages i.e. WordPress login page, you will be prompted via Cloudflare Access to login via Google Workspace and be prompted to use your Yubikey security key for logging in.
Below is an example for my Cloudflare Access protected pages using both Google Workspace and Github as my authentication providers – both of which I have setup Yubikey security keys to protect those accounts.