# Implement MFA (TOTP) Support

I will implement **Time-based One-Time Password (TOTP)** multi-factor authentication, moving further into **Phase 5** of the roadmap.

## 1. Schema Changes

- **New Table**: `auth.mfa_factors` to store MFA secrets and status.
  - Columns: `id`, `user_id`, `factor_type` (e.g., `'totp'`), `secret`, `status` (`'unverified'`, `'verified'`), `created_at`, `updated_at`.
- **Migration**: Create a new SQL migration file for this table.

## 2. Dependencies

- **Crate**: Add `totp-rs` to `auth/Cargo.toml` with the `qr` feature for generating QR codes.

## 3. Implementation (`auth` service)

- **New Module**: `auth/src/mfa.rs`.
- **Endpoints**:
  - `POST /auth/v1/mfa/enroll`: Generates a new TOTP secret and returns it (plus a QR code). Creates an `unverified` factor.
  - `POST /auth/v1/mfa/verify`: Accepts a code and the factor ID and verifies the code. If correct, marks the factor as `verified`.
  - `POST /auth/v1/mfa/challenge`: (Optional for MVP) Verifies a code for a verified factor to grant access.

## Execution Steps

1. **Add Dependency**: Update `auth/Cargo.toml`.
2. **Create Migration**: Add the SQL file in `migrations/`.
3. **Implement Logic**: Create `auth/src/mfa.rs` with enrollment and verification logic.
4. **Register Routes**: Update `auth/src/lib.rs` to include the new MFA endpoints.
5. **Update Roadmap**: Mark MFA as completed.