Keep Client Data Safe With TOTP 2FA on Every Admin Account
Enroll in one minute with any authenticator app (Google Authenticator, 1Password, Authy). Required for the admin role, strongly recommended for owners, optional for managers, and enforced at the session level: a session is only trusted on protected routes once the second factor has been verified.
The Problem
A service business CRM holds client addresses, phone numbers, payment info, and call transcripts. Being one password away from a data breach is not an acceptable posture.
Passwords Leak
Between credential-stuffing attacks and phishing, password-only auth fails predictably. One reused password in a breach dump and the attacker is in.
No SMS Fallback
SMS 2FA gets phished and SIM-swapped, so it is not offered here. TOTP codes from an authenticator app remove the SIM-swap and carrier-interception risk and are the accepted baseline for business apps. One caveat applies to every one-time code, SMS or app-based: a real-time phishing page can relay it to the real login, so users should still check the login URL; only passkeys and hardware security keys are phishing-resistant.
Compliance Expectations
Insurance carriers, enterprise clients, and some state contracts require 2FA on any system holding customer data. Password-only is a non-starter.
How It Works
Enroll With a QR Code
From settings, click Enable 2FA. Scan the QR with your authenticator app. Enter the first 6-digit code to confirm enrollment.
Log In With a Code
On every new login, enter email and password, then the 6-digit code from the app. The password step yields an AAL1 session; once Supabase verifies the code it re-issues the session at AAL2 (Authenticator Assurance Level 2), which is the level protected routes check for.
Middleware Enforces
Protected routes require AAL2. Sessions without 2FA completion are redirected to the verify page until the code is entered.
Recover if Needed
Lost your device? Admins can reset 2FA on any org user. Owners can reset their own through the password-reset flow with email confirmation, which makes the owner's mailbox the recovery root, so that mailbox should be protected with 2FA as well.
Key Capabilities
TOTP via Any App
Works with Google Authenticator, 1Password, Authy, Microsoft Authenticator, and any RFC 6238 TOTP app. No proprietary vendor lock-in.
AAL2 Session Enforcement
Middleware checks Assurance Level 2 on every protected route. Session elevation happens on successful 6-digit code entry.
Role-Gated Requirement
Admin role requires 2FA. Owner is strongly recommended. Managers and affiliates optional. Clients and techs exempt by default.
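The middleware enforcement described under How It Works and the role matrix above combine into one decision per request. The following added example (not Smarfle's or Supabase's code) writes that decision as a pure function so it runs without Next.js or a Supabase client. It assumes `aal` has the shape of the `data` object returned by `supabase.auth.mfa.getAuthenticatorAssuranceLevel()`: `currentLevel` is what the session has proved ('aal1' after password only, 'aal2' after a verified code) and `nextLevel` is 'aal2' when the user has a verified factor enrolled. The route paths and the 'required'/'recommended'/'optional'/'exempt' encoding of the page's roles are this example's assumptions.

```javascript
// Added example (not Smarfle or Supabase code): the route-gating decision a middleware makes from
// Supabase's assurance-level state, as a pure function. `aal` is assumed to match the `data`
// object of supabase.auth.mfa.getAuthenticatorAssuranceLevel(): { currentLevel, nextLevel }.

// Policy from the page; role names are the page's, the policy values are this example's encoding.
const MFA_POLICY = {
  admin: 'required',
  owner: 'recommended',
  manager: 'optional',
  affiliate: 'optional',
  client: 'exempt',
  tech: 'exempt',
};

// Routes that must stay reachable at AAL1, or the redirects below would loop. Paths are assumed.
const OPEN_PREFIXES = ['/login', '/mfa/verify', '/mfa/enroll'];

function gateRequest({ path, role, aal, orgRequiresClientMfa = false }) {
  if (OPEN_PREFIXES.some((p) => path.startsWith(p))) return { allow: true };
  if (!aal) return { allow: false, redirect: '/login' }; // no session at all

  const { currentLevel, nextLevel } = aal;

  // Session-level enforcement: anyone with a verified factor must present it before any
  // protected route, whatever their role's policy says. This is the check that makes a
  // stolen password alone useless against an enrolled account.
  if (nextLevel === 'aal2' && currentLevel !== 'aal2') {
    return { allow: false, redirect: `/mfa/verify?next=${encodeURIComponent(path)}` };
  }

  // Role-level enforcement: a 'required' role cannot proceed until it enrolls. Unknown roles
  // fail closed; the per-org switch from security settings upgrades clients to 'required'.
  let policy = MFA_POLICY[role] ?? 'required';
  if (role === 'client' && orgRequiresClientMfa) policy = 'required';
  if (policy === 'required' && nextLevel !== 'aal2') {
    return { allow: false, redirect: '/mfa/enroll' };
  }

  return { allow: true };
}

// Constructed sample requests: an enrolled admin mid-login, an unenrolled admin, an unenrolled
// owner, and an enrolled tech whose session has not yet verified the code.
const samples = [
  { path: '/clients/42', role: 'admin', aal: { currentLevel: 'aal1', nextLevel: 'aal2' } },
  { path: '/clients/42', role: 'admin', aal: { currentLevel: 'aal1', nextLevel: 'aal1' } },
  { path: '/clients/42', role: 'owner', aal: { currentLevel: 'aal1', nextLevel: 'aal1' } },
  { path: '/jobs', role: 'tech', aal: { currentLevel: 'aal1', nextLevel: 'aal2' } },
];
for (const s of samples) console.log(s.role, s.aal, gateRequest(s));
```

The order of the two checks matters: the `nextLevel`/`currentLevel` comparison runs before the role policy, so a tech or client who opted in is still forced through the verify page even though their role is exempt, which is what "enforced at the session level" means in practice.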
QR Code Enrollment
One-minute setup: scan, verify, done. No typing of secret keys and no paper backup codes to print; lost-device recovery goes through an admin reset instead.
Admin Reset
Org admins can reset 2FA on any team member if a device is lost. Reset events are logged in the audit trail.
Supabase Auth Integration
Uses Supabase's native MFA implementation so your auth stack stays consistent — no third-party identity provider required.
See It in Action
2FA adoption across Smarfle service businesses.
Owner enrollment: 84% of owners have 2FA on
Team enrollment: 62% of managers opted in
Breach prevention (last 30 days): 47 failed logins blocked by 2FA
Frequently Asked Questions
What if I lose my authenticator device?
Admins can reset 2FA on any org user from the team page. Owners can reset theirs via the password-reset email. Lost-device recovery is always solvable.
Can I use SMS codes instead?
No, intentionally. SMS 2FA is vulnerable to SIM-swap attacks. TOTP is the accepted standard for app-based second factors, and the setup is no harder.
Do client portal accounts need 2FA?
Not by default. Client portal accounts are low-risk and 2FA adds friction. You can require it per-org in security settings.
Do API keys require a 2FA code?
No. API keys are independent of user auth and use rotation and scoping instead of TOTP. Never paste a 2FA code into an API request.
Pricing
2FA Is Included
Two-factor authentication is included on every plan for every role. No per-user fees, no identity provider upcharge.
View all plans
Ready to try Two-Factor Authentication?
Start your 7-day free trial. No credit card required.