Keep Client Data Safe With TOTP 2FA on Every Admin Account
Enroll in one minute with any authenticator app (Google Authenticator, 1Password, Authy). Required for admin and owner roles, optional for managers, enforced at the session level.
Live in 5 minutes · No setup fee · No long-term contract
When client data is one password away
A service business CRM holds client addresses, phone numbers, payment info, and call transcripts. Being a single password away from a data breach is not the right posture.
Passwords Leak
Between credential-stuffing attacks and phishing, password-only auth fails predictably. One reused password in a breach dump and the attacker is in.
No SMS Fallback Problem
SMS 2FA gets phished and SIM-swapped. TOTP codes from an authenticator app are the proven-safe standard for business apps.
Compliance Expectations
Insurance carriers, enterprise clients, and some state contracts require 2FA on any system holding customer data. Password-only is a non-starter.
How TOTP enrollment plugs in
Enroll With a QR Code
From settings, click Enable 2FA. Scan the QR with your authenticator app. Enter the first 6-digit code to confirm enrollment.
Log In With a Code
On every new login, enter your email and password, then the 6-digit code from the app. Supabase handles the AAL2 session upgrade automatically.
Middleware Enforces
Protected routes require AAL2. Sessions without 2FA completion are redirected to the verify page until the code is entered.
Recover if Needed
Lost your device? Admins can reset 2FA on any org user. Owners can reset their own via the password-reset flow with email confirmation.
What 2FA covers
TOTP via Any App
Works with Google Authenticator, 1Password, Authy, Microsoft Authenticator, and any RFC 6238 TOTP app. No proprietary vendor lock-in.
AAL2 Session Enforcement
Middleware checks Assurance Level 2 on every protected route. Session elevation happens on successful 6-digit code entry.
Role-Gated Requirement
The admin role requires 2FA. It is strongly recommended for owners and optional for managers and affiliates. Clients and techs are exempt by default.
QR Code Enrollment
One-minute setup: scan, verify, done. No typing of secret keys, no paper backup codes to print.
Admin Reset
Org admins can reset 2FA on any team member if a device is lost. Reset events are logged in the audit trail.
Supabase Auth Integration
Uses Supabase's native MFA implementation so your auth stack stays consistent — no third-party identity provider required.
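The AAL2 Session Enforcement and Role-Gated Requirement items above can be read as one middleware decision. The following is an added example, not the product's own code: it assumes the `{ data, error }` result of Supabase's `auth.mfa.getAuthenticatorAssuranceLevel()`, and the route paths, the `decideMfaGate` and `gateRequest` names, and the choice to let unenrolled optional roles through at AAL1 are assumptions.

```javascript
// Added example. Paths are hypothetical; role names follow the page's role list.
const REQUIRED_ROLES = new Set(["admin"]); // add "owner" if your policy requires it
const LOGIN_PATH = "/login";                // hypothetical
const VERIFY_PATH = "/auth/verify-2fa";     // hypothetical
const ENROLL_PATH = "/settings/enroll-2fa"; // hypothetical

const deny = (redirect, reason) => ({ allow: false, redirect, reason });
const allow = (reason) => ({ allow: true, redirect: null, reason });

// aalResult: the { data, error } object resolved by
// supabase.auth.mfa.getAuthenticatorAssuranceLevel().
function decideMfaGate(role, aalResult, orgRequires2fa = false) {
  // Fail closed: if the assurance level cannot be read, do not serve the route.
  if (!aalResult || aalResult.error || !aalResult.data) {
    return deny(VERIFY_PATH, "aal_unknown");
  }
  const { currentLevel, nextLevel } = aalResult.data;
  if (currentLevel === "aal2") return allow("aal2");
  // Anything other than aal1 here means there is no usable session.
  if (currentLevel !== "aal1") return deny(LOGIN_PATH, "no_session");
  // A verified factor exists (nextLevel is aal2) but this session has not
  // presented a code yet: enrolled users are always held to AAL2.
  if (nextLevel === "aal2") return deny(VERIFY_PATH, "needs_code");
  // No factor enrolled: block only where the role or the org demands 2FA.
  if (REQUIRED_ROLES.has(role) || orgRequires2fa) {
    return deny(ENROLL_PATH, "needs_enrollment");
  }
  return allow("2fa_optional");
}

// Thin async wrapper for use inside route middleware.
async function gateRequest(supabase, role, orgRequires2fa = false) {
  let aalResult;
  try {
    aalResult = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
  } catch (err) {
    aalResult = { data: null, error: err };
  }
  return decideMfaGate(role, aalResult, orgRequires2fa);
}
```

Logging the `reason` value alongside the user and route gives the audit trail a record of why each request was held back.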
Industries using Two-Factor Authentication
The service businesses that get the most out of this feature, and the specific way each one uses it.
Login with TOTP
2FA adoption across Smarfle service businesses.
Owners with 2FA
Admins Enrolled
Blocked Logins (30d)
Owner enrollment
84% of owners have 2FA on
Team enrollment
62% of managers opted in
Breach prevention
47 failed logins blocked by 2FA
Security questions
Admins can reset 2FA on any org user from the team page. Owners can reset via password-reset email. Lost-device recovery is always solvable.
No, intentionally. SMS 2FA is vulnerable to SIM-swap attacks. TOTP is the modern secure standard, and the setup is no harder.
Not by default. Client portal accounts are low-risk and 2FA adds friction. You can require it per-org in security settings.
No. API keys are independent of user auth and use rotation and scoping instead of TOTP. Never paste a 2FA code into an API request.
Pricing
2FA Is Included
Two-factor authentication is included on every plan for every role. No per-user fees, no identity provider upcharge.
Included
Pairs well with
Audit Log
Every login and security event is recorded for compliance.
Roles & Permissions
Five role types with fine-grained permissions.
Team Management
Invite techs and managers, set roles, and require 2FA on sensitive roles in one place.
Client Portal
Optional 2FA on client portal accounts for orgs that handle sensitive client data.
API Access
API keys are scoped per org with rotation independent of user 2FA so integrations never break on a TOTP rollover.
Ready to try Two-Factor Authentication?
Start your 7-day free trial. No credit card required.