When you try to log in to your Cloudflare account from an unrecognised IP address without having a Two-Factor Authentication (2FA) set up, you have to confirm your identity via a Multi-Factor Authentication (MFA) email. MFA prevents customer account takeovers when attackers gain unauthorised access to an account due to an exposed or easily guessed password. Cloudflare will challenge any login attempt if the user provides the correct credentials from an unrecognised IP address.
This type of email is in some cases flagged as spam in your inbox. If you’re awaiting an authentication token, you should check your spam folder for any Cloudflare emails, and if you still can’t find the email in question you should check any other folders in your inbox as well. You can also configure a filter that allows emails from [email protected]. We also highly recommend activating two-factor authentication (2FA) on your Cloudflare account to keep it secure.