Twilio: user MFA via Verify (SMS/WhatsApp/email second factor)
Planned · by someone · 2 days ago
Optional second-factor authentication on /app/account/settings. Users enroll a phone number; Twilio Verify (use the twilio-verify-send-otp skill) issues OTPs over SMS, WhatsApp, or voice depending on user preference and channel availability. TOTP (authenticator app) supported as an offline alternative via the Verify Factors API.
Per-org policy on /app/{org}/settings: "Require MFA for owners and admins" toggle. Recovery codes generated on enrollment, downloadable once. Failed-attempt rate limiting via Verify built-ins. Schema: user_mfa_factors (user_id, factor_type, twilio_sid, last_verified_at, status). Out of scope: org-wide SSO/SAML (existing login_sso settings), passkeys (separate card later).
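One way the "recovery codes generated on enrollment, downloadable once" item could be handled so that the plaintext exists only in the download and each code works a single time. This is an added example, not code from this card or the project; the code count, code format, PBKDF2 parameters and all function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters; the card does not specify count, format or hashing.
CODE_COUNT = 10
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I
CODE_LEN = 16            # 16 symbols * 5 bits = 80 bits of entropy per code
PBKDF2_ROUNDS = 100_000


def _normalize(code):
    """Accept the code with or without dashes/spaces, in any letter case."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _digest(code, salt):
    return hashlib.pbkdf2_hmac(
        "sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


def enroll_recovery_codes(count=CODE_COUNT):
    """Return (plaintext_codes, stored). The plaintext goes into the one-time
    download; only `stored` (salt plus digests) is persisted."""
    salt = secrets.token_bytes(16)
    codes, rows = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        code = "-".join(raw[i:i + 4] for i in range(0, CODE_LEN, 4))
        codes.append(code)
        rows.append({"digest": _digest(code, salt), "used": False})
    return codes, {"salt": salt, "rows": rows}


def redeem_recovery_code(stored, submitted):
    """Consume one unused code; each code succeeds at most once."""
    candidate = _digest(submitted, stored["salt"])
    hit = None
    for row in stored["rows"]:
        # Check every row; each comparison is constant-time.
        if hmac.compare_digest(row["digest"], candidate) and not row["used"]:
            hit = row
    if hit is None:
        return False
    hit["used"] = True  # in a database: UPDATE ... WHERE used = false, atomically
    return True
```

If recovery codes are checked in the app rather than by Verify, Verify's built-in failed-attempt limiting does not cover them, so this path needs its own attempt limit.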