Cloudflare is accelerating its post-quantum security roadmap, now targeting 2029 for full post-quantum (PQ) protection including authentication. The urgency stems from two major breakthroughs: Google announced a dramatically improved quantum algorithm to break elliptic curve cryptography (P-256), and Oratomic published a resource estimate showing RSA-2048 and P-256 could be broken with only ~10,000 neutral atom qubits. These advances pull Q-Day significantly forward from previous 2035+ estimates. Cloudflare explains why post-quantum authentication is now the critical priority over encryption — broken authentication is catastrophic, enabling attackers to forge credentials and gain persistent access. Long-lived keys like root certificates, API auth keys, and code-signing certs are highest risk. The post outlines a migration dependency chain that will take years, warns about downgrade attacks, and recommends businesses make PQ support a procurement requirement. Cloudflare commits to enabling post-quantum security by default at no extra cost across all plans.
Table of contents
Why now: independent progress on three frontsIt’s time to focus on authenticationCloudflare’s roadmap to full post-quantum securityWhat we recommendSort: