SecureStartKit

MFA (Multi-Factor Authentication)

Also known as: Multi-Factor Authentication, two-factor authentication, 2FA

Definition

MFA (Multi-Factor Authentication) requires a user to prove identity with a second factor beyond their password or OAuth login. In Supabase, MFA is implemented via TOTP (authenticator app) or phone (SMS). Successful verification promotes the session to AAL2, which RLS policies can gate on.

What is MFA in a Supabase + Next.js app?

MFA layers a second authentication factor on top of the primary one. Supabase ships two factor types: TOTP (a six-digit code from an authenticator app like Authy or 1Password) and Phone (SMS or WhatsApp). TOTP is the recommended default; SMS has known carrier-level interception risks.

How is MFA enforced architecturally?

Three layers, all required. Enrollment happens via supabase.auth.mfa.enroll, then challenge and verify to activate the factor. Server Actions read getClaims() and check claims.aal === 'aal2' before sensitive operations. RLS policies on admin tables use restrictive policies requiring auth.jwt() ->> 'aal' = 'aal2'. The database-layer gate is what makes MFA architectural rather than a UI checkbox.
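The Server Action layer above, as an added example that is not SecureStartKit's code: an AAL2 gate written against the claims object that supabase.auth.getClaims() resolves to, with a constructed sample action. The claim shape, requireAal2, withAal2 and rotateApiKey are this example's own names and assumptions.

```typescript
// Added example (not SecureStartKit's code): an AAL2 gate for Next.js
// Server Actions, written against the claims that
// `supabase.auth.getClaims()` resolves to. Names below are assumptions.

// The JWT claims this gate relies on. Supabase sets `aal` to "aal1"
// after a password/OAuth login and to "aal2" after a verified MFA
// challenge; `exp` is the standard JWT expiry (seconds since epoch).
interface SessionClaims {
  sub?: string;
  aal?: string;
  exp?: number;
}

class MfaRequiredError extends Error {
  constructor(reason: string) {
    super(`MFA required: ${reason}`);
    this.name = "MfaRequiredError";
  }
}

// Returns the user id when the session is at AAL2, otherwise throws.
// Strict string equality mirrors the RLS test
// `auth.jwt() ->> 'aal' = 'aal2'`: undefined, "AAL2" or any other
// value fails closed instead of being coerced.
function requireAal2(
  claims: SessionClaims | null | undefined,
  nowSec: number = Math.floor(Date.now() / 1000),
): string {
  if (!claims || !claims.sub) throw new MfaRequiredError("no authenticated session");
  if (claims.exp !== undefined && claims.exp <= nowSec) throw new MfaRequiredError("session expired");
  if (claims.aal !== "aal2") throw new MfaRequiredError(`session is at ${claims.aal ?? "unknown"}, not aal2`);
  return claims.sub;
}

// Wraps a Server Action so the AAL2 check runs before any work. The
// wrapped action receives the verified user id instead of raw claims.
function withAal2<A extends unknown[], R>(
  action: (userId: string, ...args: A) => Promise<R>,
): (claims: SessionClaims | null | undefined, ...args: A) => Promise<R> {
  return async (claims, ...args) => action(requireAal2(claims), ...args);
}

// Constructed sample: a sensitive action that only records who ran it.
const auditLog: string[] = [];
const rotateApiKey = withAal2(async (userId: string, keyId: string) => {
  auditLog.push(`${userId} rotated ${keyId}`);
  return `rotated:${keyId}`;
});
```

The guard only protects code paths that call it; the RLS policy on the admin tables remains the check that cannot be bypassed by a missed call.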

When should you enforce MFA?

On admin accounts at minimum. For consumer apps, MFA is opt-in for users who want it. For B2B SaaS handling sensitive data, MFA is typically mandatory for all admin and owner roles, and enforced by RLS rather than just by UI.
