Using Duo Security as 2FA for CloudFlare - how to reset it to use it on a new phone? [SOLVED]


#1

Hi there! I use Duo Security as a 2FA single-use password generator for Cloudflare. It has worked flawlessly ever since I configured it… until today, when I upgraded my iPhone to a more recent model. After restoring everything from the backups, and while the Duo application correctly identifies that I use it for Cloudflare, the new phone requires a new confirmation/registration, since the original configuration was tied to the older iPhone.

But CloudFlare, to allow any changes/modifications of the 2FA device/system that is tied to the account, needs some extra authentication… from the original device/system used to set it up in the first place… which sort of makes sense… unless, of course, you don’t have it any more!

Other applications give alternative options to ‘reset’ the 2FA system in use, such as providing a QR code to scan, or a special sequence of numbers to reset the app used to generate the single-use code combination; or, in the case of applications using Duo Prompt (such as WordPress), you can even use the Duo Restore feature (which works like a charm in WordPress!).

But sadly Cloudflare doesn’t have any such choice in their backoffice! The only option is to authenticate with the existing Duo app and then remove it to set up with a new one. It doesn’t even allow changing, say, to a competitor and back again; once that session has expired, there is no way to get back in. That’s a chicken-and-egg problem: to change the ‘Get Working’ message in the Duo app, I need to reset CloudFlare’s ‘link’ to Duo Security; but to do so, I need to have the old app on the old iPhone working (which, of course, it isn’t; the iPhone was already factory-reset and sent to another person…).

So, is there an alternative way for me to ‘force’ the ‘Get Working’ message in the Duo Mobile app to actually work again with Cloudflare?

(And before you ask, yes, I’ve also asked the very same question on Duo’s own Discourse boards, before I get pushed and bumped from one board to the other :) i.e. ‘That’s a Duo issue, talk to them’ vs ‘That’s a Cloudflare issue, talk to them’.)


#2

I’m sorry to say that the account restore feature in today’s Duo Mobile app only restores accounts used as authentication factors with Duo’s cloud service (i.e. services protected by Duo’s own applications and connectors). It can’t restore third party OTP accounts from one phone to another.

You’ve also unfortunately discovered that the CloudFlare OTP account wasn’t restored to your new device by iCloud.

We’re working on bringing third-party OTP backup and restore to a future release of Duo Mobile but I realize that brings you absolutely no comfort now.

I’m looking at the CloudFlare 2FA instructions for Google Authenticator, and it looks like when you scan the barcode to add the account to your OTP app (Google Authenticator, or Duo Mobile, or others), the UI provides a “second-factor backup code” under the QR code.

Did you save that backup code? That code would let you login to CloudFlare to set up MFA with your new phone.
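
The QR code mentioned above is, for any RFC 6238 app, just an otpauth:// URI carrying a shared secret; Duo Mobile, Google Authenticator or a twenty-line script all derive the same six-digit codes from that secret, which is why a copy of the enrollment secret (or of Cloudflare's separate backup code) is the only thing that survives a phone swap. The following is an added example, not code from this thread, from Duo or from Cloudflare: it parses a constructed sample enrollment URI (the account label is made up and the secret is the RFC 6238 test seed, not a real credential), computes the current code, and verifies a submitted code with a one-step clock-skew window. The function names `parse_otpauth_uri`, `totp`, `verify_totp` and `code_from_uri` are the example's own.

```python
"""Minimal RFC 6238 TOTP client, as an added example (not Duo's or Cloudflare's code)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI, like the one an authenticator app reads from
# the QR code at 2FA setup. The secret is the RFC 6238 test seed
# "12345678901234567890" in base32; it is NOT a real Cloudflare credential.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Cloudflare:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Cloudflare&digits=6&period=30"
)
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth_uri(uri):
    """Extract the account parameters an OTP app stores when it scans the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter missing")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def _decode_secret(secret):
    """Base32-decode the shared secret, tolerating missing padding and spaces."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret, for_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP(secret, floor(unix_time / period)) with dynamic truncation."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // period
    key = _decode_secret(secret)
    digestmod = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, at_time=None, window=1, **kw):
    """Accept a code from the current step or +/- `window` steps (clock skew).

    Comparison is constant-time so a verifier does not leak how many leading
    digits matched.
    """
    period = kw.get("period", 30)
    if at_time is None:
        at_time = time.time()
    for step in range(-window, window + 1):
        candidate = totp(secret, at_time + step * period, **kw)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def code_from_uri(uri, for_time=None):
    """What any authenticator app shows for this enrollment at a given time."""
    acct = parse_otpauth_uri(uri)
    return totp(acct["secret"], for_time, acct["digits"], acct["period"], acct["algorithm"])


if __name__ == "__main__":
    print("account:", parse_otpauth_uri(SAMPLE_OTPAUTH_URI)["label"])
    print("current code:", code_from_uri(SAMPLE_OTPAUTH_URI))
```

Because the code depends only on the secret and the clock, the same URI enrolled in two apps yields identical codes, and a lost phone is unrecoverable precisely when no other copy of the secret exists. Anyone who keeps a copy of the secret should protect it like a password: it is equivalent to the second factor itself.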


#3

Now I feel incredibly stupid for not doing so! Aye, it’s very likely that there was something similar when I activated 2FA on CloudFlare, but, needless to say, I wasn’t expecting so many difficulties when switching accounts… or at least I expected that Duo’s backoffice could have a way to somehow ‘reset’ this account.

Apparently not; either CloudFlare puts in some extra code on their backoffice, or Duo cannot do much about it…


#4

Yes, that is a screenshot of the CloudFlare 2FA enrollment process, showing an example of the recovery key provided by CloudFlare at 2FA setup time. This CloudFlare 2FA backup code is also referenced in the CloudFlare support article “What happens if I lose my phone for 2-Factor Authentication?”.

This is not a process specific to using Duo to provide the OTP second factor; the same CloudFlare 2FA backup code would be necessary to move between phones if one was using Google Authenticator for 2FA and lost/wiped the original phone before enrolling the new one in CloudFlare.


#5

Thank you, @DuoKristina! CloudFlare’s technical support did a reset of the 2FA process so that I could log in again, and set it up once more for Duo Security — it worked flawlessly!

And aye, this time I didn’t forget to keep the backup code stored at a safe place, so that it doesn’t happen again…


#6

I’m so glad you were able to get access to CloudFlare again!