chore: document new MFA enforcement on organization option (supabase#35564)

* chore: document new MFA enforcement on organization option

* chore: multi-factor

* review suggestions and navigation item

* note that feature is opt-in atm

* chore: note about PATs

* fix: spelling

* fix: links

Author: staaldraad

apps/docs/components/Navigation/NavigationMenu/NavigationMenu.constants.ts

@@ -2160,6 +2160,16 @@ export const platform: NavMenuConstant = {
         {
           name: 'Multi-factor Authentication',
           url: '/guides/platform/multi-factor-authentication',
+          items: [
+            {
+              name: 'Enable MFA',
+              url: '/guides/platform/multi-factor-authentication',
+            },
+            {
+              name: 'Require MFA for organization members',
+              url: '/guides/platform/org-mfa-enforcement',
+            },
+          ],
         },
         {
           name: 'Transfer Project',

apps/docs/content/guides/deployment/going-into-prod.mdx

@@ -23,6 +23,7 @@ After developing your project and deciding it's Production Ready, you should run
 - Ensure that your Supabase Account is protected with multi-factor authentication (MFA).
   - If using a GitHub signin, [enable 2FA on GitHub](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication). Since your GitHub account gives you administrative rights to your Supabase org, you should protect it with a strong password and 2FA using a U2F key or a TOTP app.
   - If using email+password signin, set up [MFA for your Supabase account](https://supabase.com/docs/guides/platform/multi-factor-authentication#enable-mfa).
+- Enable [MFA enforcement on your organization](/docs/guides/platform/network-restrictions). This ensures all users must have a valid MFA backed session to interact with organization and project resources.
 - Consider [adding multiple owners on your Supabase org](https://supabase.com/dashboard/org/_/team). This ensures that if one of the owners is unreachable or loses access to their account, you still have Owner access to your org.
 - Ensure email confirmations are [enabled](https://supabase.com/dashboard/project/_/auth/providers) in the `Settings > Auth` page.
 - Ensure that you've [set the expiry](https://supabase.com/dashboard/project/_/auth/providers) for one-time passwords (OTPs) to a reasonable value that you are comfortable with. We recommend setting this to 3600 seconds (1 hour) or lower.

apps/docs/content/guides/deployment/shared-responsibility-model.mdx

@@ -92,6 +92,7 @@ You can use Supabase to store and process Protected Health Information (PHI). Yo
 - Signing a Business Associate Agreement (BAA) with Supabase. Submit a [HIPAA add-on request](https://forms.supabase.com/hipaa2) to get started. You will need to be at least on the [Team Plan](https://supabase.com/pricing) to sign a BAA with us.
 - [Marking specific projects as HIPAA projects](/docs/guides/platform/hipaa-projects) and addressing security issues raised by the advisor.
 - Ensuring [MFA is enabled](/docs/guides/platform/multi-factor-authentication) on all Supabase accounts.
+  - [Enforce MFA](/docs/guides/platform/org-mfa-enforcement) as a requirement to access the organization
 - Enabling [Point in Time Recovery](/docs/guides/platform/backups#point-in-time-recovery) which requires at least a [small compute add-on](/docs/guides/platform/compute-add-ons).
 - Turning on [SSL Enforcement](/docs/guides/platform/ssl-enforcement).
 - Enabling [Network Restrictions](/docs/guides/platform/network-restrictions).

apps/docs/content/guides/platform/multi-factor-authentication.mdx

@@ -36,6 +36,8 @@ For security reasons, we will not be able to restore access to your account if y
 
 Once you've enabled MFA for your Supabase user account, you will be prompted to enter your second factor challenge code as seen in your preferred TOTP app.
 
+If you are an organization owner and on the Pro, Team or Enterprise plan, you can enforce that all organization members [must have MFA enabled](/docs/guides/platform/org-mfa-enforcement).
+
 ## Disable MFA
 
 You can disable MFA for your user account under your [Supabase account settings](/dashboard/account/security). On subsequent login attempts, you will not be prompted to enter a MFA code.

apps/docs/content/guides/platform/org-mfa-enforcement.mdx

@@ -0,0 +1,32 @@
+---
+title: 'Enforce MFA on Organization'
+description: 'All users in an organization must have a valid MFA session to interact with organization resources'
+---
+
+Supabase provides multi-factor authentication (MFA) enforcement on the organization level. With MFA enforcement, you can ensure that all organization members use MFA. Members cannot interact with your organization or your organization's projects without a valid MFA-backed session.
+
+<Admonition type="note">
+
+MFA enforcement is only available on the [Pro, Team and Enterprise plans](https://supabase.com/pricing).
+
+This feature is currently in limited preview. If you would like to opt-in to try it, contact support.
+
+</Admonition>
+
+## Manage MFA enforcement
+
+To enable MFA on an organization, visit the [security settings](/dashboard/org/_/security) page and toggle `Require MFA to access organization` on.
+
+- Only organization **owners** can modify this setting
+- The owner must have [MFA on their own account](/docs/guides/platform/multi-factor-authentication)
+- Supabase recommends creating two distinct MFA apps on your user account
+
+<Admonition type="caution">
+
+When MFA enforcement is enabled, users without MFA will immediately lose access all resources in the organization. The users will still be members of the organization and will regain their original permissions once they enable MFA on their account.
+
+</Admonition>
+
+## Personal access tokens
+
+Personal access tokens are not affected by MFA enforcement. Personal access tokens are designed for programmatic access and issuing of these require a valid Supabase session backed by MFA, if enabled on the account.