Source: ocean/docs/SUPABASE_MFA_SETUP.md
# Supabase Multi-Factor Authentication (MFA) Setup

## Overview

To enhance security, Supabase recommends enabling multiple MFA options. Currently, we only have email OTP enabled, which triggers the security warning.

## Current Status

⚠️ Security Warning: Only 1 MFA method enabled (Email OTP)

✅ Recommended: Enable at least 2 MFA methods

## Recommended MFA Options

1. **Email OTP** (Currently Enabled)
   - Already configured for passwordless authentication
2. **SMS OTP** (Recommended)
   - Requires Twilio integration
   - Provides phone-based verification
3. **TOTP (Authenticator Apps)** (Recommended)
   - Works with Google Authenticator, Authy, etc.
   - Most secure of the three options

## Setup Instructions

### Enable Additional MFA Methods

1. Scroll to Multi-Factor Authentication (MFA)
2. Enable additional MFA factors:
   - Time-based One-Time Password (TOTP): Toggle ON
   - Phone (SMS): Toggle ON (requires Twilio setup)
3. Click Save to apply changes

### SMS Setup (Optional but Recommended)

1. Create a Twilio account
2. Get your Account SID and Auth Token
3. Configure in Supabase:

   ```
   TWILIO_ACCOUNT_SID=your_account_sid
   TWILIO_AUTH_TOKEN=your_auth_token
   TWILIO_MESSAGE_SERVICE_SID=your_service_sid
   ```

### TOTP Setup (Highly Recommended)

1. In Supabase Dashboard > Authentication > Settings
2. Enable "TOTP (Authenticator Apps)"
3. Update your signup flow to optionally enroll users in TOTP
## Implementation Notes

- Our current OTP email flow remains the primary authentication method
- Additional MFA options are optional for users who want extra security
- Consider implementing MFA enrollment during user onboarding

## Security Best Practices

- **Require MFA for Admin Users**: Enforce MFA for users with elevated privileges
- **Grace Period**: Allow users time to set up MFA before enforcing it
- **Recovery Codes**: Provide backup codes for account recovery
- **User Education**: Guide users on the benefits of enabling MFA
## Future Enhancements

- Add MFA enrollment flow to user settings
- Implement role-based MFA requirements
- Add a security dashboard showing MFA adoption rates