Configure TOTP authenticator apps, send OTP codes via email/SMS, manage backup codes, handle trusted devices, and implement 2FA sign-in flows using Better…
Multi-factor authentication with TOTP, OTP, backup codes, and trusted device management for Better Auth.
Supports three verification methods: authenticator apps (TOTP with QR codes), email/SMS codes (OTP), and single-use backup codes
Handles complete 2FA sign-in flows with automatic session management, temporary 2FA cookies, and trusted device tracking with configurable expiration
Built-in security features including rate limiting (3 requests per 10 seconds), encryption at rest for secrets and backup codes, and constant-time code comparison
Configurable code parameters: TOTP digits (6 or 8), OTP validity period, backup code count and length, and custom encryption for OTP storage
Setup
Add twoFactor() plugin to server config with issuer
Add twoFactorClient() plugin to client config
Run npx @better-auth/cli@latest migrate (built-in adapter) or generate + push for Drizzle/Prisma
Verify: check that twoFactorSecret column exists on user table
import { betterAuth } from "better-auth";
import { twoFactor } from "better-auth/plugins";don't have the plugin yet? install it then click "run inline in claude" again.