Cloudflare aims to make its entire platform fully post-quantum secure by 2029 at the latest, including authentication systems. The revised timeline follows new developments in quantum computing that suggest existing cryptographic standards may be cracked sooner than expected.
The reason is concrete. Research by Google and Oratomic shows that algorithms and hardware can break widely used encryption methods, including RSA-2048 and elliptic curve cryptography. Cloudflare views this as evidence that the arrival of “Q-day”—the moment when quantum computers can break current encryption—is drawing nearer. Some projections place that moment as early as the end of this decade.
Cloudflare points to progress on three parallel fronts: quantum hardware, error correction, and quantum algorithms. Improvements in areas such as neutral-atom architectures and more efficient error correction reduce the resources required to break encryption. Advances in algorithms simultaneously lower computational complexity. According to the company, the combination of these three factors makes the threat landscape more dangerous sooner than previously thought.
Authentication as a New Priority
For a long time, the focus was on protecting encrypted data against “harvest now, decrypt later” attacks. With the timeline shortening, the risk is shifting to authentication: once Q-day arrives, quantum attackers could forge login credentials and gain direct access to systems. That makes the problem even more concrete.
Migrating to post-quantum authentication is more complex than rolling out post-quantum encryption, due to dependencies on long-lived keys, third-party systems, and certificate infrastructure. Cloudflare also emphasizes that legacy cryptographic systems must be completely disabled to prevent downgrade attacks.
The company has already rolled out post-quantum encryption across a large portion of its network. More than half of the human traffic that Cloudflare processes now uses post-quantum key agreement. Post-quantum authentication support will follow in 2026, with a broader rollout across the platform in 2028. By 2029, all services are expected to be post-quantum-secure by default, at no additional cost to customers.