This section contains methods commonly used for Multi-Factor Authentication (MFA) and are invoked behind the supabase.auth.mfa namespace.
TOTP (time-based one-time password) is the stable 2nd factor. WebAuthn / passkey as a 2nd factor is experimental — opt in with @_spi(Experimental) import Supabase. The first-factor passkey API lives in the auth (not auth.mfa) namespace; see the Auth Passkey section.
We don't support recovery codes but we allow users to enroll more than 1 TOTP factor, with an upper limit of 10.
Having a 2nd TOTP factor for recovery frees the user of the burden of having to store their recovery codes somewhere. It also reduces the attack surface since multiple recovery codes are usually generated compared to just having 1 backup TOTP factor.