Multi-factor banking
Banking with the second factor built in.
Astralbank requires an authenticator app on every sign-in. No SMS fallback, no recovery codes that leak in email.
TOTP only
RFC 6238, ±1 step tolerance.
MFA at every login
No 'remember this device' exemption.
Two-step flow
Cookie issued AFTER MFA, never before.
Real banking
Accounts, transfers, statements — all behind 2FA.
Auth flow
Two steps by design.
Step 1: email + password → {"mfa_required": true} plus an mfa_session handle. No Set-Cookie at this point.
Step 2: mfa_session + 6-digit TOTP → Set-Cookie. The session cookie is issued only after MFA succeeds; a correct password alone never produces one.
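The two-step flow above, as an added example that is not Astralbank's code: a minimal in-memory server in Python with RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, ±1 step window). The names AuthServer, login_step1 and login_step2, the 300-second mfa_session lifetime and the three-attempt limit are assumptions; the page does not specify them. The block also adds two checks a practitioner would want that the page does not mention: the mfa_session is single-use, and the last accepted TOTP counter is recorded so a captured code cannot be replayed inside the ±1 window.

```python
"""Password, then TOTP; the session cookie exists only after step 2 succeeds.

Illustrative example, not Astralbank's code. AuthServer, login_step1, login_step2,
MFA_SESSION_TTL and MAX_MFA_ATTEMPTS are hypothetical names/values chosen here.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

TOTP_STEP = 30           # RFC 6238 default time step in seconds
TOTP_DIGITS = 6
TOTP_TOLERANCE = 1       # accept counters T-1, T, T+1 (the page's ±1 step)
MFA_SESSION_TTL = 300    # assumption: a pending mfa_session lives five minutes
MAX_MFA_ATTEMPTS = 3     # assumption: wrong codes allowed before step 1 must be redone


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter floor(unix_time / 30)."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int) -> Optional[int]:
    """Return the accepted counter, or None.

    Window is ±TOTP_TOLERANCE steps. Counters at or below last_counter are
    rejected so a code observed once cannot be replayed inside the window.
    """
    t = unix_time // TOTP_STEP
    for delta in range(-TOTP_TOLERANCE, TOTP_TOLERANCE + 1):
        c = t + delta
        if c > last_counter and hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthServer:
    def __init__(self) -> None:
        self.users = {}     # email -> salt, pw_hash, totp_secret, last_counter
        self.pending = {}   # mfa_session -> email, expires, attempts
        self.sessions = {}  # session cookie value -> email

    def register(self, email: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                             "totp_secret": totp_secret, "last_counter": -1}

    def login_step1(self, email: str, password: str, now: int) -> dict:
        """Password check. On success returns mfa_required plus an mfa_session; never a cookie."""
        user = self.users.get(email)
        if user is None:
            _hash_password(password, b"\x00" * 16)   # burn the same time for unknown users
            return {"error": "invalid credentials"}
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
            return {"error": "invalid credentials"}
        tok = secrets.token_urlsafe(32)
        self.pending[tok] = {"email": email, "expires": now + MFA_SESSION_TTL, "attempts": 0}
        return {"mfa_required": True, "mfa_session": tok}

    def login_step2(self, mfa_session: str, code: str, now: int) -> dict:
        """TOTP check bound to the pending mfa_session. Only this path issues Set-Cookie."""
        pend = self.pending.get(mfa_session)
        if pend is None or now > pend["expires"]:
            self.pending.pop(mfa_session, None)
            return {"error": "mfa session invalid"}
        user = self.users[pend["email"]]
        accepted = verify_totp(user["totp_secret"], code, now, user["last_counter"])
        if accepted is None:
            pend["attempts"] += 1
            if pend["attempts"] >= MAX_MFA_ATTEMPTS:
                del self.pending[mfa_session]    # 6 digits are guessable; cap tries per handle
            return {"error": "bad code"}
        del self.pending[mfa_session]            # single-use handle
        user["last_counter"] = accepted          # block replay of this code
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = pend["email"]
        return {"set_cookie": f"session={cookie}; HttpOnly; Secure; SameSite=Strict"}


if __name__ == "__main__":
    # Constructed demo: RFC 6238 Appendix B secret, fixed clock of T=1111111109.
    srv = AuthServer()
    srv.register("alice@example.com", "correct horse", b"12345678901234567890")
    step1 = srv.login_step1("alice@example.com", "correct horse", 1111111109)
    print(step1)
    print(srv.login_step2(step1["mfa_session"], "081804", 1111111109))
```

The TOTP core can be checked against RFC 6238 Appendix B with the secret `12345678901234567890`: the 8-digit reference value at T=59 is 94287082, so a 6-digit implementation must return 287082. The attempt cap matters because a 6-digit code with a ±1 window gives an attacker who already holds the password about 3 in 10^6 odds per guess; without a limit on tries per mfa_session, step 2 becomes an online brute-force target.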