Two‑Factor Authentication Flow
Step‑by‑step UX for enrolling a TOTP authenticator and completing a challenge — no third‑party auth providers.
Setup
Generate secret
Server creates a cryptographically random 20‑byte secret, stores it as pending (not yet usable for login) until verification, and returns an otpauth:// URI carrying the Base32‑encoded secret.
Display QR + backup codes
Render the URI as a QR code. Show eight one‑time backup codes the user must copy and store offline.
Verify TOTP
Prompt for a 6‑digit code. Server validates against the pending secret with ±1 step window. On success, persist the secret and mark 2FA active.
Confirm backup codes
Require the user to re‑enter one random backup code to prove they saved them before completing enrollment.
Challenge
Intercept post‑login
After password auth succeeds, if 2FA is active issue a short‑lived intermediate token and redirect to the challenge page. The intermediate token unlocks only the challenge endpoint; it must not be usable as a session anywhere else.
Collect code
Render a 6‑digit input. Accept TOTP codes or backup codes. Rate‑limit attempts per intermediate token and per account, since an attacker who knows the password can mint a fresh intermediate token by logging in again.
Validate & issue session
Server verifies the code with a constant‑time comparison. Reject a TOTP code for a time step at or before the last accepted step, so an intercepted code cannot be replayed inside the ±1 window. On success, exchange the intermediate token for a full session and invalidate the intermediate token. Consume backup codes on use.
Fallback paths
Offer “use backup code” toggle. If all backup codes are exhausted, guide the user to account recovery with identity verification.
Security note: Secrets are stored AES‑256‑GCM encrypted at rest. TOTP windows use ±1 step (30 s each) to tolerate minor clock drift. Backup codes are hashed with SHA‑256 before storage; plaintext is shown only once. Unsalted SHA‑256 is fast to brute‑force, so this is only adequate when each code is a long random string (the codes must not be short or user‑chosen); a password hash such as bcrypt or Argon2 is the safer default for anything shorter.
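The whole flow above, enrollment and challenge, as an added, self‑contained Python model (example code written for this page, not code from any product it describes). It implements RFC 4226/6238 directly on the standard library so it runs offline; the issuer name "ExampleApp", the in‑memory dict "user record", the 12‑hex‑character backup codes, the 5‑attempt cap and the 300 s challenge TTL are assumptions for illustration, and AES‑GCM encryption of the stored secret is left to the caller.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse
from typing import Optional

STEP, DIGITS, WINDOW = 30, 6, 1     # 30 s steps, 6 digits, accept ±1 step of drift
BACKUP_CODES, CHALLENGE_TTL, MAX_ATTEMPTS = 8, 300, 5   # assumed limits for this example
ISSUER = "ExampleApp"               # assumed display name for the authenticator entry

def otpauth_uri(secret: bytes, account: str) -> str:
    """Key URI the QR code encodes; the 20-byte secret travels Base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{ISSUER}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": ISSUER, "algorithm": "SHA1",
                                    "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, DIGITS digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

def verify_totp(secret: bytes, code: str, now: int, last_step: Optional[int]) -> Optional[int]:
    """Return the accepted step if `code` matches within ±WINDOW steps and that step is
    newer than `last_step`, so an observed code cannot be replayed inside the window."""
    current = now // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None

def backup_digest(code: str) -> str:
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()

def generate_backup_codes(n: int = BACKUP_CODES):
    """(plaintext codes shown once, SHA-256 digests to store). 12 hex chars = 48 bits;
    unsalted SHA-256 is only defensible because the codes are random and this long."""
    codes = [secrets.token_hex(6) for _ in range(n)]
    return codes, [backup_digest(c) for c in codes]

def consume_backup_code(stored: list, code: str) -> bool:
    """Delete the matching digest so each code works exactly once."""
    digest = backup_digest(code)
    for i, h in enumerate(stored):
        if hmac.compare_digest(h, digest):
            del stored[i]
            return True
    return False

def start_enrollment(account: str) -> dict:
    """Setup steps 1-2: pending secret, URI for the QR, backup codes shown once."""
    secret = secrets.token_bytes(20)           # 160-bit key, the RFC 6238 SHA-1 default
    codes, hashes = generate_backup_codes()
    return {"secret": secret, "uri": otpauth_uri(secret, account),
            "backup_plain": codes, "backup_hashes": hashes}

def finish_enrollment(pending: dict, totp_code: str, backup_code: str, now: int) -> Optional[dict]:
    """Setup steps 3-4: prove possession of the secret and of the saved codes.
    Returns the record to persist (encrypt `secret` at rest), or None."""
    step = verify_totp(pending["secret"], totp_code, now, None)
    digest = backup_digest(backup_code)
    if step is None or not any(hmac.compare_digest(h, digest) for h in pending["backup_hashes"]):
        return None
    return {"secret": pending["secret"], "backup_hashes": list(pending["backup_hashes"]),
            "last_step": step}

def new_challenge(user_id: str, now: int) -> dict:
    """Intermediate token issued after password auth; it unlocks only the challenge page."""
    return {"token": secrets.token_urlsafe(32), "user": user_id,
            "expires": now + CHALLENGE_TTL, "attempts": 0}

def complete_challenge(ch: dict, user: dict, code: str, now: int) -> Optional[str]:
    """Accept a TOTP or backup code; return a session token or None. The challenge is
    dead after CHALLENGE_TTL, MAX_ATTEMPTS failures, or one success."""
    if now >= ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
        return None
    ch["attempts"] += 1
    code = code.strip()
    if len(code) == DIGITS and code.isdigit():
        step = verify_totp(user["secret"], code, now, user.get("last_step"))
        if step is None:
            return None
        user["last_step"] = step
    elif not consume_backup_code(user["backup_hashes"], code):
        return None
    ch["expires"] = 0                          # single-use: burn the intermediate token
    return secrets.token_urlsafe(32)
```

Two details worth noticing: verify_totp records and checks the accepted step, which is what turns "±1 window" from a replay opportunity into a drift allowance, and complete_challenge counts every attempt against the intermediate token and zeroes its expiry on success, so the same token can neither be brute‑forced nor reused. hotp reproduces the RFC 4226 test vectors (secret "12345678901234567890", counter 0 gives 755224).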