What is Defte?
Defte is a free online appointment booking and business management platform for service-based businesses. It works for salons, barbershops, clinics, consultants, and 30+ other industries.
defte.co protects every salon owner's account with OTP-based two-factor authentication (2FA). Even if your password is stolen, unauthorised login is impossible, because access also requires a one-time code sent only to your device.
What Is Two-Factor Authentication?
Traditional login relies on a single factor: your password. If that password is guessed, leaked in a data breach, or cracked by a brute-force attack, your account is compromised.
Two-factor authentication (2FA) adds a second layer. Gaining access now requires both something you know (your password) and something you have (the OTP code delivered to your device).
Factor 1: Password
Your email address and the password you set. The standard credential: only you should know it.
Factor 2: OTP Code
A single-use code valid for one login attempt and a short time window. Delivered only to your registered device.
Result: Double Protection
Without both factors, login fails. Even a compromised password leaves the attacker locked out.
How 2FA Works on defte.co
defte.co uses email OTP verification built on the Supabase Auth infrastructure. The login flow works as follows:
- The salon owner enters their email address and password.
- If the credentials match, the system sends a 6-digit one-time code to the registered email address.
- The code expires after 5 minutes. A new code can be requested.
- On correct code entry, the session is created and the salon dashboard opens.
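The server-side checks this flow implies (6-digit code, 5-minute expiry, single use), as an added Python example that is not defte.co's or Supabase's code. The `EmailOtpStore` class, its in-memory storage and the five-attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60  # from the page: the code expires after 5 minutes
MAX_ATTEMPTS = 5          # assumption: the page gives no number for the cap


class EmailOtpStore:
    """Hypothetical in-memory stand-in for a server-side table of pending codes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without sleeping
        self._pending = {}    # email -> [code_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(email, code):
        # Keep a digest bound to the account instead of the plaintext code.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def issue(self, email):
        """Call only after the password check passed. Returns the code to e-mail."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        # Requesting a new code overwrites, and so invalidates, the previous one.
        self._pending[email] = [self._digest(email, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, email, submitted):
        """Return 'ok', 'wrong_code', 'expired', 'locked' or 'no_pending_code'."""
        entry = self._pending.get(email)
        if entry is None:
            return "no_pending_code"
        digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[email]
            return "expired"
        if hmac.compare_digest(digest, self._digest(email, submitted)):
            del self._pending[email]  # single use: a replayed code finds nothing
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[email]  # guessing budget spent; a new code is needed
            return "locked"
        return "wrong_code"
```

The attempt cap matters because a 6-digit code has only 1,000,000 possible values; without it, the 5-minute window alone would not stop automated guessing.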
Why email rather than SMS? SMS OTP is vulnerable to SIM-swap attacks. Email OTP requires access to your email account, which is operator-independent and generally far harder to hijack. defte.co chose email OTP deliberately.
Which Attacks Does It Block?
Password Leaks
If your password appears in a data breach from another site and you reused it here, the attacker still cannot log in without the OTP code.
Brute-Force Bots
Even if a password-guessing bot eventually finds the right password, it cannot pass the second step. Server-side rate limiting also caps the number of attempts.
Phishing
Someone who types their password into a fake login page cannot complete a real login without the OTP code, which was never sent to the attacker.
Stolen Sessions
Even if a session cookie is intercepted, new login attempts require a fresh OTP. Old sessions do not compromise future account security.
Additional Security Measures
Alongside 2FA, defte.co applies these security layers:
- Login rate limiting: Too many failed attempts in a short window temporarily locks the account.
- Mandatory HTTPS: All connections are TLS-encrypted; man-in-the-middle attacks are blocked.
- Session timeouts: Inactive sessions are automatically terminated.
- Row-Level Security (RLS): At the database level, each salon owner can only access their own data. Cross-salon access is architecturally impossible.
Is Customer Data Protected Too?
2FA protects login access to the owner's dashboard. Customer data is additionally isolated by Supabase Row-Level Security policies: a salon owner can only view appointments and client records belonging to their own salon. No other owner, or even a platform admin, can directly access that data.
Is 2FA Already Active on My Account?
Yes. 2FA is enabled by default on defte.co; no setting needs to be toggled. It activates automatically on every login. If you see the OTP step during sign-in, 2FA is working.
Your Account Is Already Protected
2FA is on by default on defte.co. Secure login requires no extra setup from you.