Skip to content

One-time PIN login

Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method.

For example, if your team uses Okta but you are collaborating with someone outside your organization, you can use OTP to grant access to guests.

Set up OTP

  1. In Zero Trust, go to Settings > Authentication.
  2. Under Login methods, select Add new.
  3. Select One-time PIN.
  4. If your organization uses a third-party email scanning service (for example, Mimecast or Barracuda), add noreply@notify.cloudflare.com to the email scanning allowlist.

To grant a user access to an application, simply add their email address to an Access policy.

Log in with OTP

To log in to Access using the one-time PIN:

  1. Go to the application protected by Access.
  2. On the Access login page, enter your email address and select Send me a code. Enter email to sign in with OTP.
  3. If the email is allowed by an Access policy, you will receive a PIN in your inbox. This secure PIN expires 10 minutes after the initial request.
  1. Paste the PIN into the Access login page and select Sign in. Enter PIN to sign in.

    • If the code was valid, you will be redirected to the application.
    • If the code was invalid, you will see That account does not have access.

Example API Config

{
"config": {},
"type": "onetimepin",
"name": "my example idp"
}