Template · FREE · 1-2 hours
Multi-Factor Authentication (MFA) Template
A product planning template for multi-factor authentication with method selection, enrollment flows, recovery strategies, and enforcement policies.
By IdeaPlan Editorial · Methodology
Updated 2026-03-05
Frequently Asked Questions
Should we require MFA for all users from day one?
No. Start with MFA optional, encourage adoption through nudges (banners, security score, email prompts), and require MFA for admin roles only. Once adoption reaches 30-40% organically, introduce admin-enforced MFA for Enterprise plans. Platform-wide enforcement should come after you have reliable recovery paths. Forcing MFA too early creates a surge of lockout support tickets that overwhelms your team.
TOTP or push notifications for the default MFA method?
TOTP is the better default because it works without your mobile app installed and does not require maintaining push notification infrastructure. Push is more convenient (one tap vs. typing a code) but only works for users who have your app installed on their phone. If you have a widely-installed mobile app, offer push as an option alongside TOTP.
How many backup codes should we generate?
Ten codes is the standard. Fewer than 8 creates anxiety. More than 12 makes them hard to store. Each code should be 8-12 characters, alphanumeric, and formatted in groups of 4 for readability (e.g., `ABCD-EFGH-1234`). Display them in a copyable text block and offer a "Download as text file" option. For related security considerations, see the [SSO template](/templates).
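A sketch of generating and redeeming backup codes in the format described above, added here as an illustration and not IdeaPlan's own code. The reduced alphabet, SHA-256 digest storage, and single-use redemption logic are assumptions beyond what the template specifies.

```python
import hashlib
import hmac
import secrets

# Assumption: look-alike characters (0/O, 1/I) are dropped to reduce typing errors.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_COUNT = 10   # ten codes per user, as the answer above recommends
CODE_LENGTH = 12  # within the 8-12 character range
GROUP_SIZE = 4    # displayed in groups of 4


def normalize(code: str) -> str:
    """Drop separators and whitespace and uppercase, so user formatting is ignored."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def format_code(raw: str) -> str:
    """Insert a dash every GROUP_SIZE characters for display."""
    return "-".join(raw[i:i + GROUP_SIZE] for i in range(0, len(raw), GROUP_SIZE))


def digest(code: str) -> str:
    # Assumption: codes are random (about 60 bits here), so a plain SHA-256 digest
    # is stored; add a per-user salt or a slow KDF if your threat model calls for it.
    return hashlib.sha256(normalize(code).encode("utf-8")).hexdigest()


def generate_backup_codes():
    """Return (display_codes, stored_digests). Persist only the digests."""
    raws = set()
    while len(raws) < CODE_COUNT:  # the set guarantees no duplicate codes
        raws.add("".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH)))
    display = [format_code(r) for r in raws]
    return display, {digest(c) for c in display}


def redeem(submitted: str, stored: set) -> bool:
    """Accept a code once: a matching digest is removed so it cannot be replayed."""
    candidate = digest(submitted)
    match = next((d for d in stored if hmac.compare_digest(d, candidate)), None)
    if match is None:
        return False
    stored.discard(match)
    return True
```

Show the plaintext codes to the user once at enrollment, and rate-limit redemption attempts like any other second-factor check.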
What is the difference between MFA and 2FA?+
Two-factor authentication (2FA) is a subset of MFA that uses exactly two factors. MFA is the broader term covering two or more factors. In practice, most implementations use exactly two factors (password + TOTP), so the terms are often used interchangeably. The [access control template](/templates/access-control-template) covers how authentication factors feed into authorization decisions.