Cloudflare breaks 3ds2 challenges

tldr:
Cloudflare page/url refresh “breaks” the link between vendor and 3ds verification

Issue:

Monzo has Cloudflare enabled on the 3ds verification URLs, i.e. verify.monzo.com

This is causing problems.

As Cloudflare can require a captcha (usually it’s just a “tick” to confirm “I am human”), the (successful) “verification” causes the page to be refreshed. The Monzo page opens, the notification is sent to my mobile phone, I approve the payment, and the website says the payment was approved, but the 3ds verification does not complete (the page does not close).

To complete the payment, depending on the vendor, I either need to start another payment (which this time is successful as Cloudflare does not require another verification), or click “3ds/external verification” button on the vendor page (if there is one).

Details to reproduce:

Example from Steam store (but can happen on all payments, depending on Cloudflare decision):

  • start payment on a vendor store
  • vendor shows verification is required, showing button that opens 3ds page/popup
  • popup opens but instead of the Monzo page, I see a Cloudflare verification with a checkbox “Verify you are human”
  • I tick the checkbox, the page refreshes and shows Monzo 3ds as expected
  • I get a notification on the mobile, I confirm this payment is legit and approve it
  • page/popup shows it was confirmed but does not close/return to the vendor page; the transaction on mobile says go back to vendor (or something like that); the vendor (Steam) page is unchanged (i.e. waiting for “return feedback” from the popup etc.)

At this point (with Steam store) I continue with:

  • close the Monzo popup 3ds page
  • click the very same button that I originally clicked when it asked for “verification is required”
  • it opens the Monzo 3ds verification again but this time it’s auto-completed (I guess Steam’s ref.no was already approved), the 3ds popup closes, the payment completes

However, with some other vendors this is more cumbersome, in particular with those that do not have a way to re-try the same payment (with the same ref.no). In that case I need to start a new payment (the old one, on Monzo, never completes and is discarded after 10 minutes); the new payment completes fine as Cloudflare no longer requires verification.

OS/Device:

Windows. Tested with online payment on a desktop PC running recent Chrome.

App Version:

N/A

Screenshots:

N/A

Are you using a VPN?

Could be a DNS blocker on your network. Have you tried without VPN or DNS blocker on the network?
I had 3DS fail with one bank that I almost entirely blamed them until I checked my DNS logs in real time; it was my DNS being brutal.

Really good shout actually

I’ve had this over the last few days - it’s infuriating.

I’m not using VPN, but I am using Cloudflare’s DNS instead of the default on my Android phone.

I am using VPN but the DNS is not failing - the page opens, it’s just that the “verify” URL is protected by Cloudflare - which can decide that a user requires confirmation - at this point it breaks the challenge.

In my case Cloudflare decides I need to be verified due to me coming through VPN - but the VPN isn’t the problem here, it’s a condition that triggers Cloudflare check. There are other conditions that can trigger it I imagine.

Regardless of them the 3ds check should finish correctly and it does not.

I think it’s either a defect with the 3ds verification chain due to additional (Cloudflare) step and refresh, or Cloudflare is losing some information when resending request to Monzo, or the verify URL should not be protected by Cloudflare.

Do you get the same behaviour when VPN is off?
What if merchant blocks transaction at that moment because of VPN/IP used at checkout?

Not something I can test, but I imagine Cloudflare would likely not require additional verification.

The merchant does not block transactions - everything is OK apart from the extra Cloudflare check - when that happens the 3ds challenge does not complete.
When there is no Cloudflare check (either because it just did one or decided a check isn’t required) - it works fine (even on the very same connection a couple of seconds after the first time failed).

Example of opening the verify URL in question when Cloudflare triggers the check:

After I click it, it loads the page correctly,
as mentioned before, when I approve the payment on the mobile, the page becomes empty/blank but the popup does not disappear as expected