Two-Factor Authentication Scope
When implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), it's important to understand its scope and how it affects the user session.
Session State
When a user with 2FA enabled logs in with their primary credential (e.g., email/password or OAuth), Better Auth creates a temporary session. This session is marked as requiring 2FA.
During this state:
- The user is not fully authenticated.
- They cannot access protected routes or API endpoints.
- The client application must detect this state and route the user to a 2FA verification screen.
Verification Process
- The user enters their Time-Based One-Time Password (TOTP).
- The client sends this code to the Better Auth backend for verification.
- If successful, the temporary session is elevated to a fully authenticated session.
- The user is then redirected to their intended destination within the application.
Best Practices
- Clear Messaging: Ensure the UI clearly communicates that an additional step is required before the login is complete.
- Graceful Fallbacks: If a user loses access to their authenticator app, consider implementing recovery codes as a backup method.
- Session Duration: Consider whether 2FA verification should be required every time a user logs in, or if you want to allow them to "remember this device" for a certain period. This can be configured within Better Auth session settings.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide two forms of verification before accessing their accounts. The starter supports Time-Based One-Time Passwords (TOTP) natively using Better Auth.
Sensitive Actions
Certain actions in your application, like deleting an account, changing a password, or updating billing information, are highly sensitive. To protect these actions from session hijacking or an unattended terminal, you should require users to re-authenticate or verify their identity.