Spring Security 7 dropped at Spring I/O 2026. Daniel Erno from the Spring Security team gave a talk covering the biggest changes. Here's what matters if you're building Java apps with Spring Boot.
Multi-Factor Authentication (MFA) — The Big One
This feature was requested 12 years ago (issue #2603, opened November 2013). It finally shipped.
What it does: You can now enforce MFA at the application level or per-endpoint. Spring Security tracks which authentication factors each user has completed and when they authenticated.
Key classes:











