two-factor-authentication-best-practices
Multi-factor authentication with TOTP, OTP, backup codes, and trusted device management for Better Auth.
- Supports three verification methods: authenticator apps (TOTP with QR codes), email/SMS codes (OTP), and single-use backup codes
- Handles complete 2FA sign-in flows with automatic session management, temporary 2FA cookies, and trusted device tracking with configurable expiration
- Built-in security features including rate limiting (3 requests per 10 seconds), encryption at rest for secrets and backup codes, and constant-time code comparison
- Configurable code parameters: TOTP digits (6 or 8), OTP validity period, backup code count and length, and custom encryption for OTP storage
Setup
- Add
twoFactor()plugin to server config withissuer - Add
twoFactorClient()plugin to client config - Run
npx @better-auth/cli migrate - Verify: check that
twoFactorSecretcolumn exists on user table
import { betterAuth } from "better-auth";
import { twoFactor } from "better-auth/plugins";
export const auth = betterAuth({
appName: "My App",
plugins: [
twoFactor({
issuer: "My App",
}),
],
});
More from better-auth/skills
better-auth-best-practices
Configure Better Auth server and client, set up database adapters, manage sessions, add plugins, and handle environment variables. Use when users mention Better Auth, betterauth, auth.ts, or need to set up TypeScript authentication with email/password, OAuth, or plugin configuration.
48.9Kcreate-auth-skill
Scaffold and implement authentication in TypeScript/JavaScript apps using Better Auth. Detect frameworks, configure database adapters, set up route handlers, add OAuth providers, and create auth UI pages. Use when users want to add login, sign-up, or authentication to a new or existing project with Better Auth.
20.3Kemail-and-password-best-practices
Configure email verification, implement password reset flows, set password policies, and customise hashing algorithms for Better Auth email/password authentication. Use when users need to set up login, sign-in, sign-up, credential authentication, or password security with Better Auth.
15.5Korganization-best-practices
Configure multi-tenant organizations, manage members and invitations, define custom roles and permissions, set up teams, and implement RBAC using Better Auth's organization plugin. Use when users need org setup, team management, member roles, access control, or the Better Auth organization plugin.
14.4Kemail & password best practices
This skill provides guidance and enforcement rules for implementing secure email and password authentication using Better Auth.
2organization best practices
Configure multi-tenant organizations, manage members and invitations, define custom roles and permissions, set up teams, and implement RBAC using Better Auth's organization plugin. Use when users need org setup, team management, member roles, access control, or the Better Auth organization plugin.
1