Leave Localhost Docs
Authentication

Two-Factor Authentication Scope

When implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), it's important to understand the scope and how it affects the user session.

Session State

When a user with 2FA enabled logs in with their primary credential (e.g., email/password or OAuth), Better Auth creates a temporary session. This session is marked as requiring 2FA.

During this state:

  1. The user is not fully authenticated.
  2. They cannot access protected routes or API endpoints.
  3. The client application must detect this state and route the user to a 2FA verification screen.

Verification Process

  1. The user enters their Time-Based One-Time Password (TOTP).
  2. The client sends this code to the Better Auth backend for verification.
  3. If successful, the temporary session is elevated to a fully authenticated session.
  4. The user is then redirected to their intended destination within the application.

Best Practices

  • Clear Messaging: Ensure the UI clearly communicates that an additional step is required before the login is complete.
  • Graceful Fallbacks: If a user loses access to their authenticator app, consider implementing recovery codes as a backup method.
  • Session Duration: Consider whether 2FA verification should be required every time a user logs in, or if you want to allow them to "remember this device" for a certain period. This can be configured within Better Auth session settings.
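The flow in "Session State" and "Verification Process" above, together with the "remember this device" option under "Session Duration", as one added worked example. This is illustrative code written for this page, not Better Auth's own implementation or API: the session shape, the `pending_2fa` / `authenticated` states, the in-memory trusted-device map and the function names are all assumptions made here. The TOTP part follows RFC 4226 / RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) using only Node's `crypto` module, and the walkthrough uses the RFC 6238 reference secret rather than any real user's secret.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Session states as the page describes them: a primary-credential login with 2FA
// enabled yields a temporary session that must be elevated before it is useful.
export type SessionState = "pending_2fa" | "authenticated";

export interface Session {
  userId: string;
  state: SessionState;
  expiresAt: number; // epoch milliseconds
}

// Trusted-device store (hypothetical, in-memory): "userId:deviceId" -> epoch ms
// until which the 2FA step may be skipped. A real deployment persists this server-side.
export type TrustedDevices = Map<string, number>;

const PENDING_TTL_MS = 10 * 60 * 1000;          // temporary session lives 10 minutes
const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // full session lives 7 days

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % Math.pow(10, digits)).padStart(digits, "0");
}

// TOTP (RFC 6238): HOTP over the 30-second time step.
export function totp(secret: Buffer, nowSeconds: number, step = 30): string {
  return hotp(secret, Math.floor(nowSeconds / step));
}

// Accept the current step plus one step of clock skew either side. Every candidate is
// compared in constant time and the loop never returns early, so timing reveals nothing.
export function verifyTotp(secret: Buffer, code: string, nowSeconds: number, window = 1): boolean {
  const counter = Math.floor(nowSeconds / 30);
  const given = Buffer.from(code);
  let ok = false;
  for (let i = -window; i <= window; i++) {
    const expected = Buffer.from(hotp(secret, counter + i));
    if (expected.length === given.length && timingSafeEqual(expected, given)) ok = true;
  }
  return ok;
}

// Primary credential accepted. With 2FA enabled the session starts as pending unless
// this device was previously trusted ("remember this device") and that trust is unexpired.
export function loginWithPrimary(
  userId: string, twoFactorEnabled: boolean, nowMs: number,
  deviceId?: string, trusted: TrustedDevices = new Map(),
): Session {
  const trustedUntil = deviceId !== undefined ? trusted.get(`${userId}:${deviceId}`) : undefined;
  const skip2fa = !twoFactorEnabled || (trustedUntil !== undefined && nowMs < trustedUntil);
  return skip2fa
    ? { userId, state: "authenticated", expiresAt: nowMs + SESSION_TTL_MS }
    : { userId, state: "pending_2fa", expiresAt: nowMs + PENDING_TTL_MS };
}

// Route guard: only a fully authenticated, unexpired session reaches protected routes.
export function canAccessProtected(session: Session, nowMs: number): boolean {
  return session.state === "authenticated" && nowMs < session.expiresAt;
}

// Verify the TOTP and elevate the pending session to a full one. Optionally record the
// device as trusted so later logins by this user skip the step for `days` days.
export function completeTwoFactor(
  session: Session, secret: Buffer, code: string, nowMs: number,
  remember?: { deviceId: string; trusted: TrustedDevices; days: number },
): Session {
  if (session.state !== "pending_2fa" || nowMs >= session.expiresAt) {
    throw new Error("no pending 2FA session");
  }
  if (!verifyTotp(secret, code, Math.floor(nowMs / 1000))) {
    throw new Error("invalid TOTP code");
  }
  if (remember) {
    const until = nowMs + remember.days * 24 * 60 * 60 * 1000;
    remember.trusted.set(`${session.userId}:${remember.deviceId}`, until);
  }
  return { userId: session.userId, state: "authenticated", expiresAt: nowMs + SESSION_TTL_MS };
}

// Constructed walkthrough using the RFC 6238 reference secret (not a real user's secret).
// At T = 59 s the counter is 1, so the expected code is 287082.
const demoSecret = Buffer.from("12345678901234567890", "ascii");
const demoTrusted: TrustedDevices = new Map();
const demoNow = 59_000;
const demoPending = loginWithPrimary("alice", true, demoNow, "laptop", demoTrusted);
console.log(demoPending.state, canAccessProtected(demoPending, demoNow)); // pending_2fa false
const demoFull = completeTwoFactor(demoPending, demoSecret, totp(demoSecret, 59), demoNow,
  { deviceId: "laptop", trusted: demoTrusted, days: 30 });
console.log(demoFull.state, canAccessProtected(demoFull, demoNow)); // authenticated true
```

The point to notice is that the protected-route check keys off the session's state, not merely its existence: the temporary session is a valid server-side record, but `canAccessProtected` refuses it until the TOTP step has elevated it. The trusted-device entry carries its own expiry, which is what makes "remember this device for a certain period" a bounded exception rather than a permanent bypass.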
