Security 1,174 installs

two-factor-authentication-best-practices

by better-auth/skills

Configure TOTP authenticator apps, send OTP codes via email/SMS, manage backup codes, handle trusted devices, and implement 2FA sign-in flows using Better…

Skill content

Multi-factor authentication with TOTP, OTP, backup codes, and trusted device management for Better Auth.

- Supports three verification methods: authenticator apps (TOTP with QR codes), email/SMS codes (OTP), and single-use backup codes

- Handles complete 2FA sign-in flows with automatic session management, temporary 2FA cookies, and trusted device tracking with configurable expiration

- Built-in security features including rate limiting (3 requests per 10 seconds), encryption at rest for secrets and backup codes, and constant-time code comparison

- Configurable code parameters: TOTP digits (6 or 8), OTP validity period, backup code count and length, and custom encryption for OTP storage

Setup

- Add twoFactor() plugin to server config with issuer

- Add twoFactorClient() plugin to client config

- Run npx @better-auth/cli migrate

- Verify: check that twoFactorSecret column exists on user table

import { betterAuth } from "better-auth";
import { twoFactor } from "better-auth/plugins";