Cloudflare targets 2029 for full post-quantum security

April 7, 2026
aisecuritylawstreaming
System with various wires managing access to centralized resource of server in data center
Photo by Brett Sayles on Pexels

What Cloudflare announced

Cloudflare says it is accelerating its post-quantum roadmap and now targets 2029 to be fully post-quantum (PQ) secure — including the crucial piece still missing for many organizations: post-quantum authentication. The company reminds readers it began preparing for this migration in 2019 and enabled post-quantum encryption for websites and APIs in 2022; today, it claims over 65% of human traffic to Cloudflare is already post-quantum encrypted. Mitigating “harvest-now, decrypt-later” was step one. Authentication is step two. Fast and necessary.

Why the timetable shifted

The timetable moved because of a flurry of independent advances that reportedly change the risk calculus. It has been reported that Google announced a dramatic improvement to a quantum algorithm for breaking elliptic-curve cryptography and provided a zero-knowledge proof rather than revealing the method. It has also been reported that Oratomic published a resource estimate suggesting a neutral-atom machine might break P-256 with roughly 10,000 qubits. IBM’s Quantum Safe CTO allegedly warned that “moonshot” attacks on high-value targets can’t be ruled out as early as 2029. Cloudflare frames these developments as a wake-up call: sudden leaps can happen, and secrecy may already be tightening around the most sensitive work.

What this means and what’s next

Q-Day — the moment cryptographically relevant quantum computers can break today’s public-key schemes — still hasn’t arrived. But Cloudflare argues the window to prepare is shorter than many assumed. Breaking the problem requires progress on three fronts: hardware, error correction, and quantum software; improvements on any front amplify the rest. So Cloudflare will speed up internal Q-Day readiness and prioritize replacing authentication primitives alongside continuing to defend against harvest-now threats.

Bottom line

If the timeline holds, 2029 will become an industry deadline, not just a vendor ambition. Are organizations ready? Many are not yet there. The message is urgent but straightforward: treat post-quantum authentication as more than an academic exercise — it’s a practical migration with a calendar. The clock is ticking, and the race to quantum-safe identity has officially begun.

Sources: cloudflare.com, Hacker News