MFA Verification Hook
You can add additional checks to the Supabase MFA implementation with hooks. For example, you can:
- Limit the number of verification attempts performed over a period of time.
- Sign out users who have too many invalid verification attempts.
- Count, rate limit, or ban sign-ins.
Inputs
Supabase Auth will send a payload containing these fields to your hook:
| Field | Type | Description |
|---|---|---|
| factor_id | string | Unique identifier for the MFA factor being verified |
| factor_type | string | totp or phone |
| user_id | string | Unique identifier for the user |
| valid | boolean | Whether the verification attempt was valid. For TOTP, this means that the six-digit code was correct (true) or incorrect (false). |
Outputs
Return this if your hook processed the input without errors.
| Field | Type | Description |
|---|---|---|
| decision | string | The decision on whether to allow authentication to move forward. Use reject to deny the verification attempt and log the user out of all active sessions. Use continue to use the default Supabase Auth behavior. |
| message | string | The message to show the user if the decision was reject. |
Your company requires that a user can input an incorrect MFA Verification code no more than once every 2 seconds.
Create a table to record the last time a user had an incorrect MFA verification attempt for a factor.
Create a hook to read and write information to this table. For example:
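The following is an added example, not code from this page or from Supabase itself. It implements the 2-second rule above as a Postgres hook: a table keyed by user and factor that stores the last failed attempt, and a plpgsql function that receives the hook payload described in the Inputs table and returns the decision/message shape described in the Outputs table. The table name `public.mfa_failed_verification_attempts` and function name `public.hook_mfa_verification_attempt` are assumptions chosen for the example; `supabase_auth_admin` is the role Supabase Auth uses to call hooks.

```sql
-- Assumed names (not from the page): the table and function below.
-- One row per (user, factor) holding the time of the most recent failed attempt.
create table public.mfa_failed_verification_attempts (
  user_id        uuid        not null,
  factor_id      uuid        not null,
  last_failed_at timestamptz not null default now(),
  primary key (user_id, factor_id)
);

create or replace function public.hook_mfa_verification_attempt(event jsonb)
returns jsonb
language plpgsql
set search_path = ''   -- only schema-qualified names resolve; avoids search_path hijacking
as $$
declare
  -- Fields from the hook payload (see the Inputs table above).
  v_user_id   uuid := (event->>'user_id')::uuid;
  v_factor_id uuid := (event->>'factor_id')::uuid;
  v_last      timestamptz;
begin
  -- A correct code needs no throttling: hand back to the default behaviour.
  if coalesce((event->>'valid')::boolean, false) then
    return jsonb_build_object('decision', 'continue');
  end if;

  -- When did this user last fail verification for this factor?
  select last_failed_at
    into v_last
    from public.mfa_failed_verification_attempts
   where user_id = v_user_id
     and factor_id = v_factor_id;

  -- Previous failure under 2 seconds ago: reject. Per the Outputs table,
  -- "reject" also signs the user out of all active sessions.
  if v_last is not null and now() - v_last < interval '2 seconds' then
    return jsonb_build_object(
      'decision', 'reject',
      'message',  'Please wait a moment before trying again.'
    );
  end if;

  -- Record this failure: insert the row or refresh its timestamp.
  insert into public.mfa_failed_verification_attempts (user_id, factor_id, last_failed_at)
  values (v_user_id, v_factor_id, now())
  on conflict (user_id, factor_id)
  do update set last_failed_at = excluded.last_failed_at;

  -- Otherwise let Supabase Auth apply its default handling of a failed attempt.
  return jsonb_build_object('decision', 'continue');
end;
$$;

-- Supabase Auth calls the hook as supabase_auth_admin; nobody else should be
-- able to run it or read/write the attempt log.
grant execute on function public.hook_mfa_verification_attempt to supabase_auth_admin;
revoke execute on function public.hook_mfa_verification_attempt from authenticated, anon, public;
grant all on table public.mfa_failed_verification_attempts to supabase_auth_admin;
revoke all on table public.mfa_failed_verification_attempts from authenticated, anon, public;
```

After creating the function, the hook still has to be enabled as the MFA verification hook in your project's Auth configuration; until then Supabase Auth never calls it. Note that the timestamp is updated on every failed attempt, so a user who keeps retrying inside the 2-second window is rejected and signed out, which is the behaviour the requirement asks for; if you only want to throttle rather than sign out, return `continue` with a message instead, or extend the table with an attempt counter and a longer window.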