GET/api/v1/projects/2fa200 OK · 200 OK · 400K DAU

Enterprise Two-Factor Authentication

Securing 400,000 daily users without breaking a single login flow.

Enterprise Two-Factor Authentication — product screenshot
// 2fa-00.png — product screenshot
400K
daily active users
5%→100%
rollout in one month
-15%
account takeovers
6
engineers led

#01 The challenge

Jotform needed enterprise-grade two-factor authentication across both consumer and enterprise products — with SOC 2 and GDPR requirements, and zero tolerance for locking legitimate users out of their accounts.

The hard part was never generating TOTP codes. It was retrofitting a security layer into a decade-old authentication path used by hundreds of thousands of people daily, across web, mobile, SSO, and enterprise server deployments.

#02 Architecture & approach

I led a six-person team designing the platform as distributed PHP services with domain-driven backend components: authentication workflows, TOTP and SMS verification, recovery codes, and device trust — each isolated behind clear service boundaries.

Redis handled short-lived verification state and rate limiting; MySQL stored durable enrollment data with careful schema design for auditability. Every flow was built fail-safe: if a downstream verification provider degraded, users fell back to alternative factors instead of being locked out.

On the frontend, we built reusable React + TypeScript step-wizard components that were later reused for the SMTP OAuth2 rollout — one investment, two enterprise features.

#03 Rollout & outcome

We shipped behind feature flags with a staged canary: 5% of users first, watching authentication failure dashboards, then expanding to 100% within one month.

Account-takeover incidents and related support requests dropped by roughly 10–15%. The platform passed SOC 2 audit requirements and became the default security posture for enterprise customers.

Want the full story behind this build?

POST /contact