Multi-Factor Authentication (MFA)

TOTP-based two-factor authentication with authenticator app integration, backup recovery codes, and optional SMS fallback.

What's Included

  • TOTP secret generation and QR code creation for authenticator apps
  • Verification and enablement flow with step-by-step UI
  • One-time backup recovery code generation and hashed storage
  • MFA login challenge page with authenticator and backup code options
  • SMS fallback verification via Twilio
  • API routes for MFA setup and verification

Usage

Via CLI


Via AI Assistant

Ask your AI assistant:

  • "Use the MFA pattern from Bootspring"
  • "Apply the Bootspring multi-factor authentication pattern to my project"

Key Considerations

  • Encrypt TOTP secrets at rest and never store them in plaintext
  • Always provide one-time backup recovery codes when MFA is enabled
  • Allow clock drift tolerance (window of 1 step) for time-based codes
  • Rate limit verification attempts to prevent brute force attacks
  • Log all MFA events including enable, disable, and failed verification attempts

Related Patterns

  • Session Management - Session handling after MFA
  • RBAC - Role-based access with MFA requirements
  • JWT - Token handling for MFA state