Spring Office Hours

S4E32 - Multi-Factor Authentication with Josh Cummings

Dec 2, 2025
Josh Cummings, a Spring Security team member and application security expert, shares his journey into open source and the development of multi-factor authentication (MFA) in Spring Security. He explains the importance of combining different security factors and discusses how MFA enhances application security. Josh dives into the design evolution that allowed MFA’s integration, practical use cases, and conservative user experience choices to minimize risks. He also highlights testing support for MFA and recommends best practices for password encoders.
ANECDOTE

Family Van Turned Into An Unexpected Win

  • Josh grew up in Utah, has seven kids, and bought a Sprinter van that became the family's indispensable party wagon.
  • He shared the van story to illustrate practical trade-offs and how small choices can have big positive impacts.
ANECDOTE

Small Open Source Starts Led To Bigger Roles

  • Josh first contributed a small bug fix to Spring Security and answered many Stack Overflow questions before joining the team full-time.
  • That early community support led to long-term involvement and eventual full-time work on Spring Security.
INSIGHT

MFA As An Authorization Statement

  • Josh realized MFA is fundamentally an authorization statement about how someone authenticated, not a separate subsystem.
  • Leveraging the new authorization manager API made MFA implementation simple and composable in Spring Security.