# How to: MFA

Let's generate the QR Code to create a new enrollment, using the action Enroll a Factor.

<figure><img src="/files/dM1IVS0EzZHpOtZgaihL" alt=""><figcaption></figcaption></figure>

After we've run the action, we'll receive back two important things: an ID and the QR code in the form of an SVG. The plugin will already clean up the QR code for you, so all you need to do is show it to your user by creating an HTML element on the page and referencing the QR code, like so:

<figure><img src="/files/k1Ek27LKzYbhXMWNLs8Q" alt=""><figcaption></figcaption></figure>

After the user has scanned the QR code and added your app to their Google Authenticator or any other 2FA app, we'll need to verify that this code is valid, using the Create and Verify a Challenge action.

<figure><img src="/files/MfedNYJaB7ePme7LSmZP" alt=""><figcaption></figcaption></figure>

We need to provide the ID, which the plugin will always return by default when MFA is enabled, and the Code, which is the 6-digit number the user sees on their phone.

If you'd like to remove the user's 2FA, the MFA - Unenroll a factor action can be used like so:

<figure><img src="/files/nsUoPcpq801qqvOimBR8" alt=""><figcaption></figcaption></figure>

Removing the MFA essentially takes effect once the user has been logged out and needs to log in again, and it can only be initiated if the user has verified the challenge.

Now that we've done the initial setup, let's look at how you can determine during the login process that the user needs to enter MFA. This is done by running the "MFA - Get Authenticator Assurance Level" action.

* Authenticator Assurance Level (AAL) is the measure of the strength of an authentication mechanism.
* In Supabase, having an AAL of `aal1` refers to having the 1st factor of authentication such as an email and password or OAuth sign-in while `aal2` refers to the 2nd factor of authentication such as a time-based, one-time-password (TOTP).
* If the user has a verified factor, the `nextLevel` field will return `aal2`, else, it will return `aal1`.

Running this action, the plugin will return both the `currentLevel` and `nextLevel` states, so you can conditionally show groups or run related workflows.
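The decision those two values drive, written out as an added JavaScript example (not code from the plugin): it covers all four `currentLevel`/`nextLevel` combinations and fails closed when the lookup errors or returns an unexpected value. The `{ data, error }` response shape is an assumption modelled on supabase-js, and `mfaGate` and its action names are hypothetical.

```javascript
// Added example: map the two AAL values to what the login flow should do.
// Assumption: the result has the shape { data: { currentLevel, nextLevel }, error }.
// mfaGate and the action strings are hypothetical names, not plugin API.
const LEVELS = new Set(["aal1", "aal2"]);

function mfaGate(result) {
  // Fail closed: an error or a missing/unknown level never grants access.
  if (!result || result.error || !result.data) {
    return { action: "deny", reason: "AAL lookup failed" };
  }
  const { currentLevel, nextLevel } = result.data;
  if (!LEVELS.has(currentLevel) || !LEVELS.has(nextLevel)) {
    return { action: "deny", reason: "unexpected AAL value" };
  }
  if (currentLevel === "aal1" && nextLevel === "aal2") {
    // A verified factor exists, but this session only passed the first factor.
    return { action: "challenge", reason: "verified factor, code not yet entered" };
  }
  if (currentLevel === "aal2" && nextLevel === "aal1") {
    // The factor was unenrolled; the session stays at aal2 until the next login.
    return { action: "allow", reason: "factor removed, session still aal2" };
  }
  if (currentLevel === "aal2") {
    return { action: "allow", reason: "second factor verified" };
  }
  // aal1 -> aal1: no verified factor, so there is nothing to challenge.
  return { action: "allow", reason: "no verified factor enrolled" };
}

// Constructed sample responses, not output captured from the plugin.
const samples = [
  { data: { currentLevel: "aal1", nextLevel: "aal1" }, error: null },
  { data: { currentLevel: "aal1", nextLevel: "aal2" }, error: null },
  { data: { currentLevel: "aal2", nextLevel: "aal2" }, error: null },
  { data: { currentLevel: "aal2", nextLevel: "aal1" }, error: null },
  { data: { currentLevel: null, nextLevel: null }, error: null },
  { data: null, error: { message: "constructed error" } },
];

for (const s of samples) {
  const d = s.data || {};
  const { action, reason } = mfaGate(s);
  console.log(`${d.currentLevel} -> ${d.nextLevel}: ${action} (${reason})`);
}
```

In a Bubble workflow, the `challenge` branch corresponds to showing the group that collects the 6-digit code and running Create and Verify a Challenge.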

Since Supabase.js 3.0.0 you can also do MFA via SMS. For that to work, you need to enable it in your Supabase dashboard under Authentication.

<figure><img src="/files/CG7dmLJ4rosTFmfqRf33" alt=""><figcaption></figcaption></figure>

