#Web Development #Security #Authentication #Best Practices #API

Implement Two-Factor Authentication (2FA) Simply

Namir Ahmed
Namir Ahmed
4 min read
Two-factor authentication flowchart for an article by Atlanta based Software Engineer, Namir Ahmed.

Adding Two-Factor Authentication (2FA) to your applications is a super important step in protecting user data. It’s not as complicated as it might sound, and the peace of mind it gives your users is well worth the effort. Let’s break down how you can implement it.

What is 2FA, Really?

At its core, 2FA means a user has to provide two different types of proof to log in. Think of it like needing your key and a PIN to get into a secure building. The common factors are:

  1. Something you know: Your password.
  2. Something you have: A phone, a security key.
  3. Something you are: Your fingerprint, facial scan (less common for web apps).

For most web applications, we’re usually combining a password (something you know) with a code from a phone app or SMS (something you have).

Choosing Your 2FA Method

There are a few popular ways to go:

  • Authenticator Apps (TOTP): This is probably the most common and recommended. Apps like Google Authenticator or Authy generate time-based one-time passwords (TOTP). They’re secure and don’t rely on SMS.
  • SMS Codes: Sending a code via text message. It’s convenient but less secure because SMS can be intercepted.
  • Hardware Security Keys: Physical keys like YubiKey. Very secure but can be expensive and less accessible for all users.

For this guide, we’ll focus on Authenticator Apps (TOTP), as it’s a great balance of security and user experience.

Implementing TOTP 2FA

Implementing TOTP involves a few key steps. You’ll need a backend service and some user interface.

Backend Setup

Most backend languages or frameworks have libraries to help with TOTP. Let’s imagine a Node.js example using the speakeasy library.

First, install the library:

Terminal window
npm install speakeasy qrcode-generator

When a user enables 2FA for the first time, you need to generate a unique secret key for them. This key is what the authenticator app will use to generate codes. You also need to provide a way for the user to scan a QR code that contains this secret.

const speakeasy = require('speakeasy');
const qrcode = require('qrcode');


// Generate a secret for the user
const secret = speakeasy.generateSecret({
  name: 'YourAppName:user@example.com' // Personalize this
});


// Store this secret securely in your database, linked to the user.
console.log('User Secret:', secret.base32);


// Generate a QR code URL
qrcode.toDataURL(secret.otpauth_url, (err, dataUrl) => {
  if (err) {
    console.error('Error generating QR code:', err);
    return;
  }
  // Send this dataUrl to the frontend for the user to scan
  console.log('QR Code Data URL:', dataUrl);
});


// --- When the user is verifying their authenticator app setup ---
function verifyFirstTimeSetup(userId, token) {
  const userSecret = getUserSecretFromDB(userId); // Retrieve the stored secret
  const verified = speakeasy.verify({
    secret: userSecret,
    encoding: 'base32',
    token: token, // The 6-digit code from the user's authenticator app
    window: 1 // Allows for a small time window.
  });
  if (verified) {
    // Mark 2FA as enabled for the user
    console.log('2FA setup successful!');
  } else {
    console.log('2FA setup failed. Invalid code.');
  }
}

Important: Store the secret.base32 value securely associated with your user. You’ll need it later.

Frontend Interaction

On the frontend, when a user wants to set up 2FA, you’ll display the QR code image generated by the backend. The user scans this with their authenticator app. After scanning, the app will start generating 6-digit codes. The user then enters one of these codes back into your application to confirm the setup.

Login Flow with 2FA

Once 2FA is set up, the login process changes:

  1. User enters username and password.
  2. Backend verifies username and password.
  3. If valid, the backend prompts for the 2FA code.
  4. User enters the 6-digit code from their authenticator app.
  5. Backend uses speakeasy.verify() (similar to the setup verification) to check the code against the user’s stored secret.
  6. If the code is valid, the user is logged in.
// --- During login verification ---
function verifyLoginCode(userId, code) {
  const userSecret = getUserSecretFromDB(userId);
  const verified = speakeasy.verify({
    secret: userSecret,
    encoding: 'base32',
    token: code, // The 6-digit code from the user's app
    window: 1
  });
  return verified;
}

Recovery Codes

Always provide users with recovery codes. These are one-time use codes that let them log in if they lose access to their authenticator app. Generate these when 2FA is first enabled and let the user store them somewhere safe. This is a crucial fallback.

Final Thoughts

Implementing 2FA is a significant security upgrade. By using TOTP with libraries like speakeasy, you can provide a robust security layer for your users without making the process overly complex. Remember to handle secrets securely, provide clear instructions, and always include recovery options. Your users will thank you for it.

Back to Blog
← Previous Article Snapshot Testing: A Trap for Developers Next Article → Why Zustand is the Only State Manager You Need

Contents

Need to Message Me?

Let's Talk!