MFA for Admin Roles
Admin Safety · ADM-13 · Priority: P0
Why It Matters
Admin accounts have the highest-privilege access in any application — they can delete users, export data, change billing, modify roles, and access every record. If an admin account is compromised through credential stuffing, phishing, or password reuse, the attacker gains unrestricted access to your entire application and all user data.
Multi-factor authentication (MFA) is the most effective single control against credential-based attacks. Yet in independent testing of AI-built apps, 0 out of 15 apps implemented any form of MFA — not even for admin roles (Tenzai, December 2025). AI code generators build login flows but never add a second authentication factor.
For any SaaS targeting enterprise customers, SOC 2 compliance requires MFA for privileged access. Missing MFA on admin roles is an automatic audit failure.
Priority: P0 — Any admin account without MFA is a single password away from total compromise.
Affected Stack: Supabase Auth, any auth provider with MFA support
The Problem
AI tools generate a standard email/password login flow and apply it equally to regular users and admin accounts. There is no distinction between the authentication requirements for a user viewing their own dashboard and an admin who can access every user's data.
// ❌ What AI tools typically generate — same login for everyone
const { data, error } = await supabase.auth.signInWithPassword({
  email: adminEmail,
  password: adminPassword,
});
// Admin is now logged in — no second factor, no challenge
Why This Is Dangerous
- Credential stuffing: Admin email addresses are often discoverable (founder's email, admin@company.com). If the password was reused from another breached service, the account is immediately compromised
- Phishing: One successful phishing email targeting an admin gives full access
- No audit trail: Without MFA, there's no way to distinguish a legitimate admin login from a compromised one
- Compliance failure: SOC 2, ISO 27001, and most enterprise security frameworks require MFA for privileged accounts
The Fix
Require MFA enrollment for all admin roles. With Supabase Auth, this means:
- Enforce MFA enrollment when a user is promoted to admin
- Verify MFA on every admin action (not just at login)
- Block admin access if MFA is not enrolled
// ✅ Check MFA status before granting admin access
const { data: factors, error: listError } = await supabase.auth.mfa.listFactors();
if (listError) throw listError;
// Pick the enrolled TOTP factor; an unverified (half-enrolled) factor does not count
const verifiedFactor = factors?.totp?.find((f) => f.status === 'verified');
if (!verifiedFactor) {
  // Redirect to MFA enrollment
  return redirect('/admin/setup-mfa');
}
// ✅ Challenge MFA on sensitive admin actions
const { data: challenge, error: challengeError } = await supabase.auth.mfa.challenge({
  factorId: verifiedFactor.id,
});
if (challengeError) throw challengeError;
// User provides TOTP code from authenticator app
const { data: verify, error: verifyError } = await supabase.auth.mfa.verify({
  factorId: verifiedFactor.id,
  challengeId: challenge.id,
  code: userProvidedCode, // 6-digit TOTP
});
if (verifyError || !verify) {
  // Wrong or expired code: stop here and log the failed attempt
  throw new Error('MFA verification failed');
}
// Session is now at AAL2 — proceed with admin action
Key rules:
- MFA must be mandatory for admin roles, not optional
- Verify MFA status in middleware, not just at the login page
- Challenge MFA again for destructive operations (user deletion, data export, role changes)
- Log all MFA enrollment and verification events for audit trail
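The rules above combined into one server-side decision function, as an added example that is not the page's or Supabase's own code. It assumes the access token has already been signature-verified (for instance via supabase.auth.getUser() or your JWT library), that the user's app role is looked up server-side rather than trusted from the client, and it uses a constructed 5-minute re-challenge window plus constructed factor and claim data.

```javascript
// Added example: a server-side step-up gate for admin requests.
// Inputs assumed: the app role (looked up server-side), the claims of a
// signature-verified Supabase access token (aal = assurance level,
// amr = list of {method, timestamp}), and the result of
// supabase.auth.mfa.listFactors(). Supabase raises aal to "aal2" only
// after a successful mfa.verify().

const DESTRUCTIVE_ACTIONS = new Set(['user.delete', 'data.export', 'role.change']);
const STEP_UP_MAX_AGE_SEC = 5 * 60; // assumed policy: re-challenge after 5 minutes

function adminMfaGate({ role, claims, factors, action, now }) {
  if (role !== 'admin') return { decision: 'allow' }; // regular users are out of scope here
  const verified = (factors?.totp ?? []).filter((f) => f.status === 'verified');
  if (verified.length === 0) {
    return { decision: 'enroll', redirect: '/admin/setup-mfa' }; // MFA is mandatory, not optional
  }
  const factorId = verified[0].id;
  if (claims.aal !== 'aal2') {
    return { decision: 'challenge', factorId, reason: 'session is only aal1' };
  }
  if (DESTRUCTIVE_ACTIONS.has(action)) {
    const totp = (claims.amr ?? []).find((m) => m.method === 'totp');
    if (!totp || now - totp.timestamp > STEP_UP_MAX_AGE_SEC) {
      return { decision: 'challenge', factorId, reason: 'step-up too old for a destructive action' };
    }
  }
  return { decision: 'allow' };
}

// Constructed sample inputs (not real factor ids or token claims)
const NOW = 1700000000;
const enrolledFactors = { totp: [{ id: 'factor-1', status: 'verified' }], phone: [] };
const aal1 = { aal: 'aal1', amr: [{ method: 'password', timestamp: NOW - 10 }] };
const aal2Fresh = { aal: 'aal2', amr: [{ method: 'totp', timestamp: NOW - 60 }, { method: 'password', timestamp: NOW - 3600 }] };
const aal2Stale = { aal: 'aal2', amr: [{ method: 'totp', timestamp: NOW - 7200 }, { method: 'password', timestamp: NOW - 7200 }] };

function demo() {
  return [
    adminMfaGate({ role: 'admin', claims: aal1, factors: { totp: [] }, action: 'users.list', now: NOW }),
    adminMfaGate({ role: 'admin', claims: aal1, factors: enrolledFactors, action: 'users.list', now: NOW }),
    adminMfaGate({ role: 'admin', claims: aal2Stale, factors: enrolledFactors, action: 'users.list', now: NOW }),
    adminMfaGate({ role: 'admin', claims: aal2Stale, factors: enrolledFactors, action: 'user.delete', now: NOW }),
    adminMfaGate({ role: 'admin', claims: aal2Fresh, factors: enrolledFactors, action: 'user.delete', now: NOW }),
  ];
}
console.log(demo().map((r) => r.decision)); // enroll, challenge, allow, challenge, allow
```

Each non-allow result is the point to write an audit event (user id, action, decision, reason) before redirecting or challenging.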
References
- Supabase: Multi-Factor Authentication
- OWASP: Multi-Factor Authentication Cheat Sheet
- SOC 2: Access Control Requirements
Related Checks
- Server-Side Auth for Protected Routes — AUTH-04, ADM-01, ADM-02
- No Client-Side-Only Role Checks — ADM-03
- Admin Audit Log — ADM-04
- Exposed Debug/Admin Routes — ADM-08