[ [0x20] Features ] Multi Factor Authentication

Multi Factor Authentication

> Add an extra layer of security with authenticator apps and backup codes.

Overview

[ [0x20] STATUS ]

Two-factor authentication (2FA) adds an extra step to logging in. After entering your password, you also need to provide a code from your phone. Even if someone steals your password, they can't access your account without your phone. Think of it like a bank vault with two locks - you need both keys to get in.

Features

[ [0x01] QR_CODE_SETU ]

STATUS: READY

DESC: Users scan a QR code with their authenticator app. Works with Google Authenticator, Authy, 1Password, and more.

[ [0x02] 6_DIGIT_TOTP ]

STATUS: READY

DESC: Standard TOTP codes that change every 30 seconds. RFC 6238 compliant.

[ [0x03] 10_BACKUP_CO ]

STATUS: READY

DESC: One-time use codes (XXXX-XXXX format) for account recovery if phone is lost.

[ [0x04] ENABLE/DISAB ]

STATUS: READY

DESC: Users can turn 2FA on or off from security settings with proper verification.

Setup

[ [0x01] CONFIGURE MFA ISSUER NAME ]

DESC: Customize the issuer name (shown in authenticator apps) in src/config.js

1// src/config.js
2
3export const config = {
4  auth: {
5    // This name appears in authenticator apps like:
6    // "YourApp (user@example.com)"
7    mfaIssuer: "YourApp",
8  },
9};

Usage

[ [0x38] USING THE MFA LIBRARY ]

The MFA functions are available in src/lib/auth/mfa.ts

1import {
2  generateTOTPSecret,
3  verifyTOTP,
4  generateBackupCodes,
5  verifyBackupCode,
6  hashBackupCode
7} from "@/lib/auth/mfa";
8
9// Generate a new TOTP secret for user setup
10const { secret, qrCodeUrl, otpAuthUrl } = await generateTOTPSecret(
11  "user@example.com",
12  "YourApp" // issuer name
13);
14
15// Verify a 6-digit code from authenticator app
16const isValid = verifyTOTP(userCode, secret);
17
18// Generate 10 backup codes (XXXX-XXXX format)
19const backupCodes = generateBackupCodes(10);
20
21// Hash backup codes before storing in database
22const hashedCodes = await Promise.all(
23  backupCodes.map(code => hashBackupCode(code))
24);
25
26// Verify a backup code (also handles marking it as used)
27const { valid, remainingCodes } = await verifyBackupCode(
28  submittedCode,
29  user.mfaBackupCodes
30);

[ [0x5E] CHECK IF USER HAS 2FA ENABLED ]

In your API routes

1// Check if user has 2FA enabled
2const user = await prisma.user.findUnique({
3  where: { id: session.user.id },
4  select: {
5    mfaEnabled: true,
6    mfaSecret: true,
7  },
8});
9
10if (user.mfaEnabled) {
11  // User has 2FA enabled
12  // Require verification before sensitive actions
13}
14
15// For sensitive operations, you might want to require
16// re-verification even for logged-in users:
17export async function deleteAccount(userId: string, mfaCode: string) {
18  const user = await prisma.user.findUnique({
19    where: { id: userId },
20  });
21
22  if (user.mfaEnabled) {
23    const isValid = verifyTOTP(mfaCode, decrypt(user.mfaSecret));
24    if (!isValid) {
25      throw new Error("Invalid 2FA code");
26    }
27  }
28
29  // Proceed with deletion
30}

Why Offer 2FA

[ [0xF5] WHY 2FA ]

Security Benefits

• Protects against password theft
• Stops credential stuffing attacks
• Required for many compliance standards
• Builds trust with security-conscious users

Business Benefits

• Enterprise customers often require it
• Reduces account takeover support tickets
• Differentiates you from competitors
• Shows you take security seriously

How 2FA Works

[ [0x2A] SETUP 2FA ]

Setting Up 2FA

User goes to Settings → Security
Clicks "Enable Two-Factor Authentication"
Scans QR code with authenticator app (or enters secret manually)
Enters the 6-digit code from their app to verify setup
Receives 10 backup codes to save somewhere safe
2FA is now enabled on their account

[ [0x0A] LOGIN WITH 2FA ]

Logging In With 2FA

User enters email and password as normal
If 2FA is enabled, they're asked for a verification code
User opens authenticator app and enters the current code
If code is correct, they're logged in

[ [0x28] BACKUP CODES ]

Lost Phone? Use Backup Code

On the verification screen, click "Use backup code"
Enter one of the 10 backup codes (format: XXXX-XXXX)
That code is now used up and won't work again
After logging in, set up a new authenticator and generate new backup codes

About Backup Codes

[ [0xB4] BACKUP INFO ]

Backup codes are essential for account recovery. They let users log in even if they lose access to their authenticator app (lost phone, new device, etc.).

Format

• 10 codes per user
• Format: XXXX-XXXX (8 characters)
• Each code works once only
• Shown only at setup time

Security

• Codes are hashed before storage
• Timing-safe comparison
• Used codes are removed
• Users should store securely

Common Questions

Which authenticator apps work?

Any app that supports TOTP (RFC 6238) works. Popular options include:

• Google Authenticator
• Authy
• 1Password
• Microsoft Authenticator
• Bitwarden

What if user loses phone?

They can use one of their 10 backup codes to log in. After logging in, they should:

Disable 2FA
Set up a new authenticator on their new phone
Re-enable 2FA (this generates new backup codes)

What if user loses phone AND backup codes?

This is a worst-case scenario. You have a few options:

• Require identity verification (ID upload, video call)
• Disable 2FA from admin panel after verification
• Implement an account recovery flow with security questions

This is why it's important to tell users to save their backup codes securely!

Can I require 2FA for all users?

2FA is opt-in by default. To require it, you'd add middleware that checks if user.mfaEnabled is true and redirects users to set it up if not. This is common for enterprise/admin users.

How are secrets stored?

TOTP secrets are encrypted before storage using your NEXTAUTH SECRET. Backup codes are hashed with SHA-256. Even if your database is compromised, attackers can't use the raw values.

Future Enhancements

The current implementation covers TOTP (authenticator apps). Future versions may include:

[ [0xA2] SMS VERIFICATION ]

SMS Verification

Text message codes as an alternative (requires Twilio integration).

[ [0x0D] WEBAUTHN PASSKEYS ]

WebAuthn/Passkeys

Hardware security keys and biometric authentication (Touch ID, Face ID).

Next Steps

[ [0x00] AUTHENTICATION BASICS ]

DESC: Learn about the core authentication system 2FA builds on.

[ [0x00] SECURITY HEADERS ]

DESC: Learn about security headers and CSRF protection.

Overview

[ [0x20] STATUS ]

Features

[ [0x01] QR_CODE_SETU ]

STATUS: READY

DESC: Users scan a QR code with their authenticator app. Works with Google Authenticator, Authy, 1Password, and more.

[ [0x02] 6_DIGIT_TOTP ]

STATUS: READY

DESC: Standard TOTP codes that change every 30 seconds. RFC 6238 compliant.

[ [0x03] 10_BACKUP_CO ]

STATUS: READY

DESC: One-time use codes (XXXX-XXXX format) for account recovery if phone is lost.

[ [0x04] ENABLE/DISAB ]

STATUS: READY

DESC: Users can turn 2FA on or off from security settings with proper verification.

Usage

[ [0x38] USING THE MFA LIBRARY ]

The MFA functions are available in src/lib/auth/mfa.ts

1import {
2  generateTOTPSecret,
3  verifyTOTP,
4  generateBackupCodes,
5  verifyBackupCode,
6  hashBackupCode
7} from "@/lib/auth/mfa";
8
9// Generate a new TOTP secret for user setup
10const { secret, qrCodeUrl, otpAuthUrl } = await generateTOTPSecret(
11  "user@example.com",
12  "YourApp" // issuer name
13);
14
15// Verify a 6-digit code from authenticator app
16const isValid = verifyTOTP(userCode, secret);
17
18// Generate 10 backup codes (XXXX-XXXX format)
19const backupCodes = generateBackupCodes(10);
20
21// Hash backup codes before storing in database
22const hashedCodes = await Promise.all(
23  backupCodes.map(code => hashBackupCode(code))
24);
25
26// Verify a backup code (also handles marking it as used)
27const { valid, remainingCodes } = await verifyBackupCode(
28  submittedCode,
29  user.mfaBackupCodes
30);

[ [0x5E] CHECK IF USER HAS 2FA ENABLED ]

In your API routes

1// Check if user has 2FA enabled
2const user = await prisma.user.findUnique({
3  where: { id: session.user.id },
4  select: {
5    mfaEnabled: true,
6    mfaSecret: true,
7  },
8});
9
10if (user.mfaEnabled) {
11  // User has 2FA enabled
12  // Require verification before sensitive actions
13}
14
15// For sensitive operations, you might want to require
16// re-verification even for logged-in users:
17export async function deleteAccount(userId: string, mfaCode: string) {
18  const user = await prisma.user.findUnique({
19    where: { id: userId },
20  });
21
22  if (user.mfaEnabled) {
23    const isValid = verifyTOTP(mfaCode, decrypt(user.mfaSecret));
24    if (!isValid) {
25      throw new Error("Invalid 2FA code");
26    }
27  }
28
29  // Proceed with deletion
30}

Why Offer 2FA

[ [0xF5] WHY 2FA ]

Security Benefits

• Protects against password theft
• Stops credential stuffing attacks
• Required for many compliance standards
• Builds trust with security-conscious users

Business Benefits

• Enterprise customers often require it
• Reduces account takeover support tickets
• Differentiates you from competitors
• Shows you take security seriously

How 2FA Works

[ [0x2A] SETUP 2FA ]

Setting Up 2FA

User goes to Settings → Security
Clicks "Enable Two-Factor Authentication"
Scans QR code with authenticator app (or enters secret manually)
Enters the 6-digit code from their app to verify setup
Receives 10 backup codes to save somewhere safe
2FA is now enabled on their account

[ [0x0A] LOGIN WITH 2FA ]

Logging In With 2FA

User enters email and password as normal
If 2FA is enabled, they're asked for a verification code
User opens authenticator app and enters the current code
If code is correct, they're logged in

[ [0x28] BACKUP CODES ]

Lost Phone? Use Backup Code

On the verification screen, click "Use backup code"
Enter one of the 10 backup codes (format: XXXX-XXXX)
That code is now used up and won't work again
After logging in, set up a new authenticator and generate new backup codes

About Backup Codes

[ [0xB4] BACKUP INFO ]

Backup codes are essential for account recovery. They let users log in even if they lose access to their authenticator app (lost phone, new device, etc.).

Format

• 10 codes per user
• Format: XXXX-XXXX (8 characters)
• Each code works once only
• Shown only at setup time

Security

• Codes are hashed before storage
• Timing-safe comparison
• Used codes are removed
• Users should store securely

Common Questions

Which authenticator apps work?

Any app that supports TOTP (RFC 6238) works. Popular options include:

• Google Authenticator
• Authy
• 1Password
• Microsoft Authenticator
• Bitwarden

What if user loses phone?

They can use one of their 10 backup codes to log in. After logging in, they should:

Disable 2FA
Set up a new authenticator on their new phone
Re-enable 2FA (this generates new backup codes)

What if user loses phone AND backup codes?

This is a worst-case scenario. You have a few options:

• Require identity verification (ID upload, video call)
• Disable 2FA from admin panel after verification
• Implement an account recovery flow with security questions

This is why it's important to tell users to save their backup codes securely!

Can I require 2FA for all users?

2FA is opt-in by default. To require it, you'd add middleware that checks if user.mfaEnabled is true and redirects users to set it up if not. This is common for enterprise/admin users.

How are secrets stored?

TOTP secrets are encrypted before storage using your NEXTAUTH SECRET. Backup codes are hashed with SHA-256. Even if your database is compromised, attackers can't use the raw values.

Future Enhancements

The current implementation covers TOTP (authenticator apps). Future versions may include:

[ [0xA2] SMS VERIFICATION ]

SMS Verification

Text message codes as an alternative (requires Twilio integration).

[ [0x0D] WEBAUTHN PASSKEYS ]

WebAuthn/Passkeys

Hardware security keys and biometric authentication (Touch ID, Face ID).