2FA BYPASS

High
Cloudflare Public Bug Bounty
Submitted None

Team Summary

Official summary from Cloudflare Public Bug Bounty

Cloudflare's Dashboard enables users to configure 2-Factor Authentication using a Security Key. An issue in the authentication system allowed for the retrieval of recovery codes (used to regain account access if the security key is lost) after verifying the username and password but before completing the authentication process by touching the Security Key. Cloudflare's Engineering team resolved the issue by disallowing requests to the vulnerable API endpoint until users are fully authenticated.

Reported by imtheking
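
The fix described in the summary (rejecting requests to the endpoint until the user is fully authenticated) can be modelled as a per-route minimum authentication state that defaults to full authentication. This is an added example, not Cloudflare's code: the paths, names, data and the exact form of the flawed check are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class AuthState(IntEnum):
    ANONYMOUS = 0
    PASSWORD_VERIFIED = 1    # password accepted, security key not yet touched
    FULLY_AUTHENTICATED = 2  # second factor completed

@dataclass
class Session:
    user: Optional[str] = None
    state: AuthState = AuthState.ANONYMOUS

RECOVERY_CODES = {"alice": ["constructed-code-1", "constructed-code-2"]}  # constructed
ROUTES = {}

def route(path, min_state=AuthState.FULLY_AUTHENTICATED):
    """Register a handler; routes require full authentication unless they opt out."""
    def register(fn):
        ROUTES[path] = (fn, min_state)
        return fn
    return register

@route("/login/security-key", min_state=AuthState.PASSWORD_VERIFIED)  # hypothetical path
def security_key_challenge(session):
    return "challenge-for-" + session.user

@route("/account/recovery-codes")  # hypothetical path, default: full auth
def recovery_codes(session):
    return RECOVERY_CODES[session.user]

def flawed_dispatch(session, path):
    """Assumed form of the flaw: 'session has a user' is treated as 'logged in'."""
    if path not in ROUTES or session.user is None:
        return 401, None
    return 200, ROUTES[path][0](session)

def hardened_dispatch(session, path):
    """Compare the session's state to the route's minimum before any handler runs."""
    if path not in ROUTES:
        return 404, None
    handler, min_state = ROUTES[path]
    if session.state < min_state:
        return 401, None
    return 200, handler(session)
```

A regression test for this class of issue walks every registered route with a `PASSWORD_VERIFIED` session and expects 401 everywhere except the routes that explicitly opt in.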

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Access Control - Generic