MFA for web & mobile applications

[harshit-yc]

Context

As Yosemite Crew continues to scale across clinics and pet parents — including sensitive medical records, prescriptions, payments, and upcoming AI integrations — account security becomes mission-critical.

Today, authentication is primarily email/password. We should add Multi-Factor Authentication (MFA) across:

• Clinic web platform (PMS)
• Pet parent mobile app (iOS/Android)
• Admin/super-admin accounts (highest priority)

This reduces risk of account takeovers and improves trust + enterprise readiness.

Guiding questions for community discussion

Scope: Should MFA be mandatory for clinic staff and optional for pet parents? Or mandatory for both?

Methods: Which MFA methods should we support first?

• TOTP Authenticator apps (Google Authenticator/Authy)
• SMS OTP
• Email OTP
• Passkeys / WebAuthn

Risk-based MFA: Should MFA trigger only on:

• new device login
• password resets
• sensitive actions (exporting data, payouts/refunds, role changes)

UX: How do we reduce friction for busy clinic staff while keeping security strong?

Admin protection: Should super-admin roles require stricter MFA (mandatory + no SMS)?

Mobile re-auth: Should mobile apps support biometric unlock (Face ID / Touch ID) layered on top of MFA?

Detailed overview

Design

• Login → password → second factor verification
• “Trust this device” option (policy-controlled)
• Security settings page (enroll / remove / view backup codes)
• Recovery flow for lost device

Development

• Add TOTP enrollment (QR code) + verification
• Add optional SMS fallback (region-aware)
• Add device trust + session management
• Rate limiting + lockouts for brute force

Backend/API

• MFA enrollment state per user
• Encrypted secret storage for TOTP
• Recovery tokens / backup codes
• Audit logs for security events

Testing

• Cross-platform login testing (web + mobile)
• Recovery scenarios (lost phone, number change)
• Attack simulations (OTP brute force, replay attempts)
• Ensure no performance regressions

User benefits

Pet parents: More confidence their pet’s records are protected.
Clinics: Reduced compromise risk; enterprise-ready security.
Platform: Better posture for compliance efforts (SOC2-like readiness).

Potential meta level deliverables

• MFA architecture decision doc
• TOTP MFA implementation
• SMS/email fallback (optional)
• Backup codes + recovery workflow
• Admin-enforced MFA policies
• Biometric unlock support for mobile