How to: MFA

A deep dive how MFA works within Supabase

Let's generate the QR Code to create a new enrollment, using the action Enroll a Factor.

After we've ran the action we'll recieve back 2 important thing an ID and the QR code in a form of on svg. The plugin will already clean up the QR code for you so all you need to do is to show it to your user, by creating an HTML element on the page and reference the QR code, like so:

After the User has scanned the QR code and added your app to their Google Authenticator or any other 2FA app, we'll need to verify that this code is valid, using the Create and Verify a Challenge.

We need to provide the ID which the plugin will always return by default when MFA is enabled, and the Code which is the 6 number the user sees in his phone.

If you'd like to remove the User's 2FA, using the MFA - Unenroll a factor action can be used like so:

Removing the MFA will essentially take place in effect once the user have been logged out and needs to login again, and can be only initiated if the user have confirmed the verified the challenge.

So we've done the initial setup let's look at how you can determine during the login process that the user needs to enter MFA. This is done by running the "MFA - Get Authenticator Assurance Level" action.

  • Authenticator Assurance Level (AAL) is the measure of the strength of an authentication mechanism.

  • In Supabase, having an AAL of aal1 refers to having the 1st factor of authentication such as an email and password or OAuth sign-in while aal2 refers to the 2nd factor of authentication such as a time-based, one-time-password (TOTP).

  • If the user has a verified factor, the nextLevel field will return aal2, else, it will return aal1.

Running this action, the plugin will return both the currentLevel and nextLevel states, so you can conditionally show groups or run related workflows.

Last updated