Two-Factor Authentication (2FA)
Mindful Auth supports TOTP-based 2FA with recovery codes.
Enable 2FA
- The user logs in and starts 2FA setup at your.portal.com/security.
- Mindful Auth returns a TOTP secret and QR data; the user scans it with an authenticator app.
- The user confirms with a code generated by the app. On success, `_2fa_status` is set to `Enabled` and `_2fa_secret` is stored encrypted per member in your selected backend.
Verify on login
- After password login, if `_2fa_status` is `Enabled`, the user must submit a TOTP code (or a recovery code, see below) to finalize the session.
- The session cookie is issued only after successful 2FA verification; a correct password alone never yields a session for a 2FA-enabled member.
Recovery codes
- Provided once, during setup; the user should store them offline.
- If the user loses their device, a recovery code can be used in place of a TOTP code. Each code works exactly once: used codes are invalidated.
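The setup, verification and recovery-code steps above map onto standard TOTP mechanics (RFC 6238 over HOTP/RFC 4226). The following is an added example written for this page, not Mindful Auth's own code: it generates a secret and the `otpauth://` URI that a QR code would carry, verifies a submitted code with a one-step clock-skew window and replay protection, and implements single-use recovery codes stored only as hashes. The step length, digit count, window size, hash choice and the account/issuer strings are assumptions; Mindful Auth's real parameters are not stated on this page.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote

# Parameters assumed for this example (RFC 6238 defaults); Mindful Auth's
# actual parameters are not stated on the page.
TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept +/- one step of clock skew between server and phone

# RFC 6238 Appendix B test seed "12345678901234567890", base32-encoded,
# used only to self-check the implementation.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Random 160-bit TOTP seed, base32 without padding as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that setup encodes into the QR code the user scans."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={TOTP_DIGITS}&period={TOTP_STEP}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, decimal digits."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret: str, at: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP)


def verify_totp(secret: str, code: str, at: int,
                last_used_step: Optional[int] = None) -> tuple:
    """Check a submitted code against the current step and its TOTP_WINDOW neighbours.

    Returns (ok, step). The caller persists the accepted step as last_used_step so the
    same code cannot be replayed inside the window. Comparison is constant-time.
    """
    current = at // TOTP_STEP
    for step in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, None


def generate_recovery_codes(count: int = 8) -> tuple:
    """Return (plaintext codes shown to the user once, SHA-256 hashes to persist).

    Codes are 64-bit random values, so a fast hash is enough to make a leaked
    backend row useless; only the hashes are stored.
    """
    codes = [secrets.token_hex(8) for _ in range(count)]
    return codes, [hashlib.sha256(c.encode()).hexdigest() for c in codes]


def redeem_recovery_code(stored_hashes: list, code: str) -> bool:
    """Single use: a matching hash is removed from stored_hashes so the code is invalidated."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            del stored_hashes[i]
            return True
    return False


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B: T=59 gives 94287082 with 8 digits, so 287082 with 6.
    assert totp(RFC6238_TEST_SECRET, 59) == "287082"
    secret = generate_secret()
    print(otpauth_uri(secret, "alice@example.com", "Mindful Auth"))  # hypothetical account/issuer
    codes, hashes = generate_recovery_codes()
    print("recovery codes (show once):", codes)
    print("redeem:", redeem_recovery_code(hashes, codes[0]),
          "again:", redeem_recovery_code(hashes, codes[0]))
```

The `last_used_step` check matters even with a one-step window: without it, a code observed over the shoulder or from a phishing page stays valid for up to 90 seconds and can be submitted a second time to open a second session.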
Disable 2FA
- The user logs in and disables 2FA at your.portal.com/security. The member must re-confirm with their password before 2FA is disabled.
Security Boundary: 2FA Management
Since tenants own their backend (Tape, D1, etc.), they have direct access to modify the `_2fa_status`, `_2fa_secret`, and `_2fa_recovery_codes` fields via backend automation or admin panels. This is by design: tenants own their data. The consequence is that the password check on user-initiated disable protects only the portal flow; anyone who can write to the backend can change a member's 2FA state without it.
Trust Model:
- User-initiated 2FA disable: requires password verification (secure)
- Admin-initiated changes: visible in audit logs but not preventable, because the backend is tenant-owned
Recommendation for Tenants:
- Restrict backend admin access (principle of least privilege)
- Review audit logs for unauthorized 2FA changes (Business Plan only)
- Use Tape/D1/backend field permissions to prevent accidental modifications
- Set up alerts for the critical `two_factor_disabled_successfully` event
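The last two recommendations amount to a small detection rule over the audit log. The following is an added example, not part of Mindful Auth's documentation or product: it scans audit events and flags 2FA disables that did not go through the password-verified user flow, plus direct backend writes to the three 2FA fields. The only event name taken from this page is `two_factor_disabled_successfully`; the JSON-lines layout and the `actor`, `password_verified`, `field` and `backend_field_updated` names are an assumed schema, and the log lines are constructed for the example.

```python
import json
from typing import Iterator, Optional

# The 2FA fields named on the page; a direct backend write to any of them is worth an alert.
TWO_FA_FIELDS = {"_2fa_status", "_2fa_secret", "_2fa_recovery_codes"}

# Constructed audit events. The layout and the actor/password_verified/field keys are an
# assumed schema for this example, not Mindful Auth's real audit format.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "event": "two_factor_disabled_successfully", "member_id": "m-101", "actor": "member", "password_verified": true}
{"ts": "2024-05-01T10:05:00Z", "event": "two_factor_disabled_successfully", "member_id": "m-102", "actor": "backend_admin", "password_verified": false}
{"ts": "2024-05-01T10:07:00Z", "event": "backend_field_updated", "member_id": "m-103", "actor": "backend_automation", "field": "_2fa_secret"}
{"ts": "2024-05-01T10:09:00Z", "event": "backend_field_updated", "member_id": "m-104", "actor": "backend_admin", "field": "display_name"}
{"ts": "2024-05-01T10:11:00Z", "event": "session_issued", "member_id": "m-105", "actor": "member"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(event: dict) -> Optional[str]:
    """Return an alert reason for events that bypass the user-initiated, password-verified path."""
    name = event.get("event")
    if name == "two_factor_disabled_successfully":
        # The page's trust model: only a member who re-entered their password may disable 2FA.
        if event.get("actor") != "member" or not event.get("password_verified"):
            return "2FA disabled outside the password-verified user flow"
        return None
    if name == "backend_field_updated" and event.get("field") in TWO_FA_FIELDS:
        return f"direct backend write to {event['field']}"
    return None


def find_suspicious_2fa_changes(text: str) -> list:
    """Return alert records (member_id, ts, reason) for every event classify() flags."""
    alerts = []
    for ev in parse_events(text):
        reason = classify(ev)
        if reason:
            alerts.append({"member_id": ev.get("member_id"), "ts": ev.get("ts"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_2fa_changes(SAMPLE_AUDIT_LOG):
        print(alert)
```

Because admin-initiated changes are not preventable, the useful response to one of these alerts is to confirm with the member that the change was expected and to re-enable 2FA for them if it was not.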