How We Added 2FA to a Health Platform Using Claude Code in Record Time

The Challenge Nobody Talks About

Here's what most "AI success stories" won't tell you: the hardest part isn't the initial implementation. It's the pivot.

We were building MFA for a telehealth platform handling sensitive patient data under HIPAA regulations. The requirement seemed straightforward: add two-factor authentication for all users with elevated privileges. That meant administrators, coaches with patient access, and healthcare providers.

I started with the obvious approach: TOTP (Time-based One-Time Passwords) using authenticator apps like 1Password or Google Authenticator. Industry standard. Well-documented. Secure.

Then our product owner said no.

"Our users are healthcare professionals, not developers. They don't have authenticator apps. They barely check their email."

He was right. We had data showing that TOTP adoption in healthcare environments sits around 15-20%. Users abandon the setup process when they see a QR code. They call support when their codes don't work. They lose their backup codes and get locked out.

We needed a different approach, one that met HIPAA requirements while respecting that our users have patients to see, not security protocols to learn.

Why Claude Code Changed Everything

I've been using Claude Code for about six months now. When this MFA project started, I had about a month of experience with it. Before that, I used Claude's web interface for research and validating approaches.

This project was different. I needed to:

• Implement MFA for a healthcare platform under HIPAA

• Make it simple enough that non-technical users would actually complete the setup

• Add device trust so users don't verify every single login

• Do it fast. We had a penetration test scheduled.

Traditional approach? Probably two weeks of work. Research email OTP libraries, design the device trust system, build the frontend flows, write tests, and handle edge cases.

With Claude Code, I took a different approach: parallel exploration.

Instead of sequentially researching each component, I asked Claude Code to simultaneously:

• Analyze our existing authentication setup

• Research email OTP patterns that maintain security properties

• Design a device trust model for healthcare compliance

This wasn't "AI writes the code." This was using AI to compress my research time while I made architectural decisions.

The Technical Reality

What We Actually Built

Backend (Django):

• 4 new REST API endpoints for the email MFA flow

• A device trust model with browser fingerprinting

• Rate limiting to prevent abuse (3 codes per 5 minutes)

• Integration with an existing OTP library

• HIPAA-compliant audit logging for all MFA events

Frontend (React):

• Setup and verification components

• Device management interface for users to revoke trusted devices

• State management for the MFA flow

The Device Trust Model

This was the critical piece. Healthcare professionals often use the same workstation all day. Making them verify every login would be rejected immediately.

The solution: a trusted device system that remembers verified browsers for 30 days. Each device receives a secure token stored in an HTTP-only cookie, along with a fingerprint based on its browser characteristics.

The fingerprint isn't meant to be unbreakable. It's meant to detect when something changes. If you verified on Chrome and are now on Firefox, verify again. If your IP address has changed significantly, you should verify it again.

This balance (security without friction) is exactly what our product owner asked for.

Organization-Level Policies

One requirement that emerged mid-implementation: organizations needed to enforce MFA at the group level, not just for individual users.

We built a hierarchical policy system that allows organization admins to mandate MFA for all their users. Individual role-based policies (e.g., admins, coaches with patients, elevated roles) still apply, but organizational policy takes precedence.

This wasn't in the original spec. It emerged from a conversation about how healthcare organizations actually work. They need to enforce policies centrally, not user by user.

Where Claude Code Actually Helped (And Where It Didn't)

What Worked Exceptionally Well

1. Parallel Research

I asked Claude Code to explore multiple directions simultaneously:

• Analyzing our existing authentication setup

• Researching email OTP security patterns

• Designing the database schema for device trust

This compressed what would have been a day of research into about an hour.

2. Boilerplate Generation

The REST API views, the React form handling, and the state management. Claude Code generated these quickly and accurately. I reviewed, adjusted naming conventions to match our codebase, and moved on.

3. Test Coverage

Claude Code helped write comprehensive tests for edge cases I might have missed:

• Rate limiting boundary conditions

• Device fingerprint collision handling

• Token expiration edge cases

• Cross-timezone issues with device trust expiry

What Didn't Work

1. The Initial TOTP Implementation

My first session with Claude Code resulted in a comprehensive TOTP system, including QR code generation, backup codes, and more. It was technically correct and completely wrong for our users.

This wasn't Claude Code's fault. I provided the wrong requirements because I hadn't validated them with stakeholders first.

Lesson: AI amplifies your direction. If you're pointed at the wrong target, you'll hit it faster.

2. Circular Import Issues

When integrating the new MFA middleware, we hit circular import issues. Claude Code's first three suggestions didn't work because they didn't account for our specific project structure.

The fix came from understanding our codebase, rather than relying on generic patterns. I had to read the actual import chain and identify where the cycle was breaking.

3. Email Template Branding

The MFA verification emails needed to match each organization's branding (logo, colors, name). Claude Code generated a generic template system. Getting it to work with our existing branding infrastructure required manual integration and debugging.

The Pivot Moment

Here's the story I want other developers to hear:

I spent a full day with Claude Code implementing TOTP. QR codes, backup codes, authenticator app detection, the whole thing. Then our product owner looked at it and said, "Our users won't use this."

In the traditional development model, that's demoralizing. A day of work, gone. But here's the thing: that day with Claude Code produced more than just throwaway code.

With Claude Code, I asked: "We need to pivot from TOTP to email-based MFA. What can we reuse from the current implementation?"

Within 20 minutes, I had:

• A list of components that could be reused (OTP core, user model extensions, frontend routing)

• A list of components to remove (QR generation, backup code storage, TOTP-specific views)

• A migration plan that wouldn't break existing functionality

The pivot took hours, not days. That's the real value proposition: not that AI writes code for you, but that AI makes pivoting cheap.

Results

Implementation timeline:

• Original TOTP: 1 day (abandoned)

• Email MFA + Device Trust: 3 sessions over 2 days

• Testing and refinement: 1 day

• Total: ~4 days of actual work

Adoption rate:

• TOTP setup completion (industry average): ~20%

• Our email MFA setup completion: ~85%

Support tickets (first month):

• TOTP-related issues (before pivot): N/A

• Email MFA issues: 3 total (all user error, not system issues

Penetration test:

• Passed with no critical findings on MFA implementation

• Auditor specifically noted the rate limiting and device trust as "well-designed."

What I'd Do Differently

1. Validate with stakeholders before implementing

I should have shown the TOTP flow to our product owner before building it. AI facilitates rapid implementation, but it doesn't validate the requirements.

2. Start with the constraint, not the solution

"HIPAA-compliant MFA" isn't a constraint. "MFA that 85%+ of non-technical users will complete" is a constraint. The constraint would have led me to email MFA from day one.

3. Use Claude Code for architecture review earlier

Before writing any code, I asked Claude Code to analyze our existing auth system and propose integration points. I ended up discovering these anyway, but upfront analysis would have prevented some refactoring.

For Developers Considering AI-Assisted Development

Claude Code isn't a replacement for engineering judgment. It's a multiplier.

If you have clear requirements and understand your codebase, Claude Code can compress a week's worth of work into a few days. If your requirements are unclear, Claude Code will help you build the wrong thing faster.

The developers who will benefit most from AI coding assistants are the ones who:

• Can evaluate generated code critically

• Understand when AI suggestions don't fit their specific context

• Use AI for exploration and boilerplate, not for decisions they should make themselves

The real case study here isn't "AI wrote our MFA system." It's "AI let us pivot when our first approach was wrong, without losing momentum."

That's the actual value. That's what changed how I work.

The healthcare technology landscape demands both speed and security, a combination that's increasingly difficult to achieve with traditional development approaches alone. At Sancrisoft, we've integrated AI-assisted development into our workflows not as a replacement for engineering expertise, but as a force multiplier that lets us deliver production-grade, compliant systems faster without compromising quality. Our nearshore team in Medellín, Colombia operates in your timezone, understands HIPAA and regulatory requirements, and brings the kind of pragmatic, results-focused engineering approach you just read about.

Whether you're building healthcare platforms, modernizing security infrastructure, or facing compliance deadlines that traditional timelines can't meet, we bring proven experience implementing AI-augmented development processes that deliver measurable results. Schedule a consultation to discuss your security implementation needs, explore how our team approaches regulated development, or simply talk through technical challenges with engineers who've solved similar problems. No sales pitch, just honest technical conversation about what's actually possible when you combine strong engineering fundamentals with the right AI tools.