Bubble.io Two-Factor Authentication and Advanced Security Features
Beyond privacy rules: TOTP two-factor authentication implementation, immutable audit logging with append-only privacy rules, session timeout and IP logging, and concurrent session management for enterprise-grade Bubble applications.
Beyond Privacy Rules: Additional Security Layers
Bubble.io’s privacy rules provide server-side data isolation. But enterprise customers, security-conscious founders, and applications handling sensitive data often require additional security layers: two-factor authentication, audit logging, session management, and IP-based access controls. This guide covers the advanced security features that take a Bubble app beyond the baseline and toward enterprise-grade security.
Adding TOTP to Your Bubble App
Two-factor authentication adds a second verification step beyond the password: a time-based one-time code (TOTP, RFC 6238) generated by an authenticator app such as Google Authenticator or Authy. Implementing TOTP in Bubble requires the Toolbox plugin for JavaScript execution and a TOTP library such as otplib. Run that JavaScript in a server-side action (Toolbox's Server script action inside a backend workflow), not in a client-side Run JavaScript action: the shared secret must never reach the browser, because anyone who reads it can generate valid codes indefinitely.
User
  totp_secret: text (the TOTP shared secret; hidden from every client by privacy rule and read only in backend workflows)
  totp_enabled: yes/no
  totp_verified_at: date (last time 2FA was verified)

// 2FA setup flow (all TOTP code runs in a server-side Toolbox action, never in the browser):
// 1. User enables 2FA in settings
// 2. Generate a random 160-bit TOTP secret via Toolbox JS (otplib or similar) and keep it server-side, e.g. on the User with totp_enabled still = no
// 3. Display a QR code of the otpauth:// URI for the user to scan with their authenticator app
// 4. User enters the first 6-digit code; verify it against the stored secret in a backend workflow
// 5. Only if that code verifies: set totp_enabled = yes and totp_verified_at = now
// On subsequent logins, after password verification:
// If totp_enabled = yes: show the 2FA code input; the password alone must not unlock any data
// Verify the entered code against totp_secret in a backend workflow, accepting at most one 30-second step of clock skew
// Reject a code that has already been accepted once (store the last used time step), and rate-limit attempts: a 6-digit code is brute-forceable without a limit
// Only proceed to the dashboard if the code is valid
The Immutable Record of What Happened
AuditLog
  user: User (who did it)
  workspace: Workspace
  action: option set (Login / Logout / Create / Edit / Delete / Export)
  resource_type: text (which data type was affected)
  resource_id: text (Unique ID of the affected record)
  ip_address: text (request IP)
  user_agent: text (browser/device)
  created_at: date (immutable timestamp)

// Privacy rule: members can Find and View; nobody gets auto-binding, Modify via API or Delete via API
// This makes the audit trail immutable from the browser and from the Data API
// It does not stop a workflow action in the editor itself, so never add a "Make changes to" or "Delete" action on AuditLog, and treat editor access as privileged
// Add an AuditLog creation step to every sensitive workflow, in the same workflow as the action it records rather than as a separate optional step
Controlling Login Sessions
Session Timeout
Implement automatic logout after a period of inactivity. Store last_active_at on the User record and refresh it on every page load, but check it first: if more than the configured timeout (e.g. 8 hours) has passed since last_active_at, log the user out and redirect to login before the timestamp is refreshed, otherwise the page load itself revives the idle session. A page-level condition runs in the browser, so back it with a server-side check as well: a privacy rule condition that only exposes sensitive data while Current User's last_active_at is within the timeout, or a scheduled backend workflow.
IP Logging
Log the request IP address on every login and store it on the User record (last_login_ip) and in the AuditLog. Display ‘Last login from [IP] at [time]’ in account settings. Users who see an unfamiliar IP can report suspicious activity and change their password. If the IP is obtained in the browser (for example from an IP lookup API called client-side), the user controls that value: treat it as informational rather than as an access-control signal, and write it from a backend workflow where possible so the client cannot overwrite it.
Concurrent Session Management
Track active sessions by creating a Session record on each login (with the IP and user agent) and deleting it on logout. Display all active sessions in account settings (‘You are logged in on 3 devices’). Allow users to remotely log out other sessions. For remote logout to take effect, keep the current Session's unique ID on the client and, on every page load, check that its record still exists; if it has been deleted, log the user out. Without that check a Session record is only bookkeeping. This is a high-trust feature that enterprise users expect.
Q: Is 2FA required for enterprise customers?
Many enterprise procurement teams require or strongly prefer MFA (Multi-Factor Authentication) for any SaaS product handling sensitive data. Adding 2FA before enterprise sales conversations removes a common objection and demonstrates security maturity.
Q: How do I store the TOTP secret securely?
The TOTP secret should be treated as sensitive data. Bubble does not encrypt individual fields for you, so the privacy rule is what keeps the secret off the client: set a rule on the User type that hides the totp_secret field from all clients (View all fields does NOT include totp_secret, and no rule grants it to Current User either). Process TOTP verification in a backend workflow where the secret is accessed server-side and never sent to the browser; never place it in a page element, a URL parameter, or a client-side Run JavaScript action.
Q: Can I require 2FA for all users in a workspace?
Yes. Add a Workspace field: require_2fa (yes/no), settable by Owners. On every page load, check: if Workspace’s require_2fa = yes AND Current User’s totp_enabled = no, redirect to the 2FA setup page before allowing access. Since that redirect runs in the browser, enforce the same condition in the privacy rules for workspace data, so nothing sensitive is readable until totp_enabled = yes.
Build Your Bubble.io App With Expert Help
Pakistan’s leading Bubble.io development team. Multi-tenant SaaS architecture, Stripe billing, and full product builds done right from day one.
