r/CloudFlare: Adding Yubikey to Cloudflare Zero Trust

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/y6594q/adding_yubikey_to_cloudflare_zero_trust/

Question

Hi,

I just received my order from Yubico that I ordered with the Cloudflare discount and now I'm in the process of putting them to use. Earlier I configured SSH access for my Gitea instance and it is working great, but now I'm interested in whether I can add Yubikey authentication to this Zero Trust access. Is there a way to do this? Atm I get a code in my email but would love to use my Yubikeys for this.

Thanks in advance!

Answer

Cloudflare One (the ZT platform) doesn't do the authentication itself; they delegate it to an IdP like Azure AD and Google Workspace. And these IdPs are then responsible for using the Yubikeys as an MFA variant.

So, which IdP did you choose for ZT?

Comment 1 on Answer

I have no idea. So I have to set up another account somewhere to use Yubikey in ZT? Can't really seem to find any good tutorials or support sites that contain clear examples on how to integrate these keys into some usages (such as ZT auth etc.).

My response to comment 1

When you go to https://dash.teams.cloudflare.com/settings/authentication, what does it say under "Login methods"?

Comment 2 on Question

+1!

Hope to get some information on this too. I am still struggling to set up an application in Zero Trust. I have set up everything (application, policies, tunnel including domain) and my application seems to be accessible from the internet.

However my application goes into an authentication url loop. So I can't access it. Do I need to configure additional authentication from Zero Trust?

I currently used one time passwords but that didn't work apparently.

Haven’t tried the other ones. Was hoping for a custom IdP like Authelia.. guess I got some extra homework ;)!

Edit: oh it is supported! Via OpenID :) https://www.authelia.com/integration/openid-connect/cloudflare-zerotrust/

My response to comment 2

Correct, One Time passwords will not work with Yubikeys.

The presence of Custom IdPs would obviously be preferable but isn't feasible for Cloudflare since they have to integrate with each new one, it is not just Plug-and-Play.