Level: Easy

Napkin-math based on lines added — not a strict rule. Tests, guides, and lockfiles are omitted for better accuracy (closer to SLOC than raw diff).

Two Factor / TOTP Backup Codes

Jump to file

∟ mix.exs
∟ config/config.exs
∟ lib/my_app/accounts.ex
∟ lib/my_app/accounts/user.ex
∟ lib/my_app/accounts/user_token.ex
∟ lib/my_app_web/live/user_live/settings.ex
∟ lib/my_app_web/live/user_live/totp_verify.ex
∟ lib/my_app_web/router.ex
∟ lib/my_app_web/user_auth.ex
∟ priv/repo/migrations/0001_alter_auth_tables_add_totp.exs

Install deps

Install the following dependencies to get started. You can find their documentation on HexDocs.

NimbleTOTP: hexdocs.pm/nimble_totp
EQRCode: hexdocs.pm/eqrcode

mix.exs Reveal

	`-40,6 +40,8 @@ defmodule MyApp.MixProject do`
	# Type `mix help deps` for examples and options.
	`defp deps do`
	`[`
+	`{:nimble_totp, "~> 0.1.0"},`
+	`{:eqrcode, "~> 0.1.10"},`
	`{:bcrypt_elixir, "~> 3.0"},`
	`{:phoenix, "~> 1.8.3"},`
	`{:phoenix_ecto, "~> 4.5"},`

Configure TOTP

The "issuer" we configure here will be what shows up in user authenticator apps. Without it, they would not be able to tell the user which code is for which app.

config/config.exs Reveal

	`-44,6 +44,10 @@ config :my_app, MyAppWeb.Endpoint,`
	# at the `config/runtime.exs`.
	`config :my_app, MyApp.Mailer, adapter: Swoosh.Adapters.Local`

+	`# Configure TOTP issuer, this is the name that will show up in user`
+	`# authenticator apps.`
+	`config :my_app, :totp, issuer: "MyApp"`
+
	`# Configure esbuild (the version is required)`
	`config :esbuild,`
	`version: "0.25.4",`

Set up accounts context

There are a few capabilities that we need to add to the Accounts context (or Users context, depending on your project).

First, we must generate a new TOTP secret for a user that wants to set up 2FA. This secret is generated by NimbleTOTP , we need it to generate and verify the familiar six-digit codes for users. This is done by totp_secret() , and will be stored in the User struct later on.

We also need to know what state a user is in, regarding their TOTP status. We'll do this with two functions: totp_enabled?(user) and totp_verified?(user, opts) . A user has TOTP "enabled" if we've assigned a secret to them. Posessing a secret implies that they have enabled and verified it, as we otherwise would not save the secret to their record.

Checking if a user is currently "verified" with respect to TOTP involves a few checks. We check if they have TOTP enabled at all, and simply return true if they do not. If TOTP is enabled, we check if their current session has ever verified successfully. Finally, if they have verified at some time in the past, we can check to see if that date is within some duration. Here, we use a 24 hour period before verification is no longer valid.

So, how do we actually go about enabling TOTP? To do that we need to build an auth URI, and then encode that as a data URI that will render a QR code. This is what TOTP apps scan in order to obtain your secret, and generate codes. You can see how this works in totp_data_uri(user, totp_secret) .

Next, we'll need some way to verify that a TOTP is correct, prior to enabling it for a user. We'll use NimbleTOTP.valid?/3 to check validity in our verify_session_totp(token, totp_secret, verification_code) function. This function accepts parameters that allow us to check that a code is valid for the given secret, and was generated no more than 30 seconds ago. This time restriction is important, as we don't want to accept old codes. The function also updates the current session with the time of verification. Note that this value is stored on the session and not the user record. This means that new sessions will be required to go through TOTP verification.

Now, to enable TOTP officially for a user, we just have to use our verification function, and set the generated secret on our user if it succeeds.

If we ever want to remove TOTP for a user, we just have to delete the stored secret. You can see that this is exactly what's done in disable_user_totp(user) .

lib/my_app/accounts.ex Reveal

	`-294,4 +294,104 @@ defmodule MyApp.Accounts do`
	`end`
	`end)`
	`end`
+
+	`## TOTP authentication`
+
+	`@doc """`
+	`Returns a new TOTP secret.`
+	`"""`
+	`def totp_secret(), do: NimbleTOTP.secret()`
+
+	`@doc """`
+	`Returns true if a user has TOTP authentication enabled.`
+	`"""`
+	`def totp_enabled?(user), do: user.totp_secret != nil`
+
+	`@doc """`
+	`Returns true if the TOTP requirements for a user are met. Requires that the user`
+	`was loaded via a session token query.`
+	`"""`
+	`def totp_verified?(user, opts \\ []) do`
+	`cond do`
+	`not totp_enabled?(user) ->`
+	`true`
+
+	`user.totp_verified_at == nil ->`
+	`false`
+
+	`true ->`
+	`since = Keyword.get(opts, :since, 24)`
+	`now = DateTime.utc_now()`
+	`DateTime.diff(now, user.totp_verified_at, :hour) < since`
+	`end`
+	`end`
+
+	`@doc """`
+	`Returns a data URI to render the QR code for a given TOTP secret.`
+	`"""`
+	`def totp_data_uri(user, totp_secret) when is_binary(totp_secret) do`
+	`config = Application.fetch_env!(:my_app, :totp)`
+
+	`data =`
+	`NimbleTOTP.otpauth_uri(user.email, totp_secret, issuer: Keyword.fetch!(config, :issuer))`
+
+	`encoded =`
+	`data`
+	`\|> EQRCode.encode()`
+	`\|> EQRCode.png()`
+	`\|> Base.encode64()`
+
+	`"data:image/png;base64," <> encoded`
+	`end`
+
+	`@doc """`
+	`Enables TOTP for a user given a session token, a new TOTP secret, and a valid verification code.`
+	`"""`
+	`def enable_user_totp(user, token, totp_secret, verification_code) do`
+	`Repo.transaction(fn ->`
+	`case verify_session_totp(token, totp_secret, verification_code) do`
+	`:ok ->`
+	`user`
+	`\|> Ecto.Changeset.change(totp_secret: totp_secret)`
+	`\|> Repo.update!()`
+
+	`{:error, reason} ->`
+	`Repo.rollback(reason)`
+	`end`
+	`end)`
+	`end`
+
+	`@doc """`
+	`Disables TOTP for a user. Assumes that TOTP has already been verified.`
+	`"""`
+	`def disable_user_totp(user) do`
+	`Repo.transaction(fn ->`
+	`Repo.update_all(`
+	`from(UserToken, where: [user_id: ^user.id, context: "session"]),`
+	`set: [totp_verified_at: nil]`
+	`)`
+
+	`user`
+	`\|> Ecto.Changeset.change(totp_secret: nil)`
+	`\|> Repo.update!()`
+	`end)`
+	`end`
+
+	`@doc """`
+	`Verifies TOTP for a user session given a TOTP secret and a valid verification code.`
+	`"""`
+	`def verify_session_totp(token, totp_secret, verification_code) when is_binary(token) do`
+	`since = DateTime.add(DateTime.utc_now(), -30, :second)`
+
+	`if NimbleTOTP.valid?(totp_secret, verification_code, since: since) do`
+	`Repo.update_all(`
+	`UserToken.by_token_and_context_query(token, "session"),`
+	`set: [totp_verified_at: DateTime.truncate(DateTime.utc_now(), :second)]`
+	`)`
+
+	`:ok`
+	`else`
+	`{:error, :invalid_code}`
+	`end`
+	`end`
	`end`

Add new fields to User schema

We have two fields to add to our User schema:

lib/my_app/accounts/user.ex Reveal

	`-10,6 +10,8 @@ defmodule MyApp.Accounts.User do`
	`field :hashed_password, :string, redact: true`
	`field :confirmed_at, :utc_datetime`
	`field :authenticated_at, :utc_datetime, virtual: true`
+	`field :totp_secret, :binary, redact: true`
+	`field :totp_verified_at, :utc_datetime, virtual: true`

	`timestamps(type: :utc_datetime)`
	`end`

Add new fields to UserToken schema

Here we need to add :totp_verified_at to our token schema. As mentioned, this will indicate when TOTP was last verified for the current session. In the query that fetches our user by session token, we update the :select call to populate :totp_verified_at into the corresponding virtual field in our user struct.

We also make by_token_and_context_query/2 public so it can be called from the Accounts context when updating TOTP verification status.

lib/my_app/accounts/user_token.ex Reveal

	`-19,6 +19,7 @@ defmodule MyApp.Accounts.UserToken do`
	`field :context, :string`
	`field :sent_to, :string`
	`field :authenticated_at, :utc_datetime`
+	`field :totp_verified_at, :utc_datetime`
	`belongs_to :user, MyApp.Accounts.User`

	`timestamps(type: :utc_datetime, updated_at: false)`
	`-62,7 +63,12 @@ defmodule MyApp.Accounts.UserToken do`
	`from token in by_token_and_context_query(token, "session"),`
	`join: user in assoc(token, :user),`
	`where: token.inserted_at > ago(@session_validity_in_days, "day"),`
-	`select: {%{user \| authenticated_at: token.authenticated_at}, token.inserted_at}`
+	`select:`
+	`{%{`
+	`user`
+	`\| authenticated_at: token.authenticated_at,`
+	`totp_verified_at: token.totp_verified_at`
+	`}, token.inserted_at}`

	`{:ok, query}`
	`end`
	`-152,7 +158,7 @@ defmodule MyApp.Accounts.UserToken do`
	`end`
	`end`

-	`defp by_token_and_context_query(token, context) do`
+	`def by_token_and_context_query(token, context) do`
	`from UserToken, where: [token: ^token, context: ^context]`
	`end`
	`end`

Enabling & disabling in user settings

Here, we update the Settings LiveView to allow a user to enable, confirm, and disable TOTP.

We start with an "Enable" button if the user does not have TOTP enabled. When the button is clicked, generate a TOTP secret and change the page state to :verifying .

Now, the user will have to scan the QR displayed with their TOTP app, and submit a valid code to move to the next step.

Once a code has been verified and the secret saved to the users account, they may opt to disable TOTP, deleting the secret from their account.

Note that we also grab the user_token from the session in mount, as we need it to update the TOTP verification status.

lib/my_app_web/live/user_live/settings.ex Reveal

	`-62,6 +62,30 @@ defmodule MyAppWeb.UserLive.Settings do`
	`Save Password`
	`</.button>`
	`</.form>`
+
+	`<div class="divider" />`
+
+	`<.button :if={@totp_state == :disabled} phx-click="enable_totp">`
+	`Enable Two-Factor Authentication`
+	`</.button>`
+
+	`<.button :if={@totp_state == :enabled} phx-click="disable_totp">`
+	`Disable Two-Factor Authentication`
+	`</.button>`
+
+	`<.form`
+	`:if={@totp_state == :verifying}`
+	`for={@totp_form}`
+	`id="totp_form"`
+	`phx-submit="verify_totp"`
+	`>`
+	`<img`
+	`src={Accounts.totp_data_uri(@current_scope.user, @totp_secret)}`
+	`class="mb-4 h-64 inline-block border border-zinc-300 rounded-lg"`
+	`/>`
+	`<.input field={@totp_form[:code]} label="Verification code" required />`
+	`<.button phx-disable-with="Verifying...">Verify & Enable</.button>`
+	`</.form>`
	`</Layouts.app>`
	`"""`
	`end`
	`-80,17 +104,20 @@ defmodule MyAppWeb.UserLive.Settings do`
	`{:ok, push_navigate(socket, to: ~p"/users/settings")}`
	`end`

-	`def mount(_params, _session, socket) do`
+	`def mount(_params, %{"user_token" => user_token}, socket) do`
	`user = socket.assigns.current_scope.user`
	`email_changeset = Accounts.change_user_email(user, %{}, validate_unique: false)`
	`password_changeset = Accounts.change_user_password(user, %{}, hash_password: false)`

	`socket =`
	`socket`
+	`\|> assign(:user_token, user_token)`
	`\|> assign(:current_email, user.email)`
	`\|> assign(:email_form, to_form(email_changeset))`
	`\|> assign(:password_form, to_form(password_changeset))`
	`\|> assign(:trigger_submit, false)`
+	`\|> assign(:totp_form, to_form(%{}, as: :totp))`
+	`\|> assign(:totp_state, if(Accounts.totp_enabled?(user), do: :enabled, else: :disabled))`

	`{:ok, socket}`
	`end`
	`-154,4 +181,47 @@ defmodule MyAppWeb.UserLive.Settings do`
	`{:noreply, assign(socket, password_form: to_form(changeset, action: :insert))}`
	`end`
	`end`
+
+	`## TOTP settings`
+
+	`def handle_event("enable_totp", _params, socket) do`
+	`socket =`
+	`socket`
+	`\|> assign(:totp_state, :verifying)`
+	`\|> assign(:totp_secret, Accounts.totp_secret())`
+
+	`{:noreply, socket}`
+	`end`
+
+	`def handle_event("disable_totp", _params, socket) do`
+	`{:ok, user} = Accounts.disable_user_totp(socket.assigns.current_scope.user)`
+
+	`socket =`
+	`socket`
+	`\|> assign(:current_scope, %{socket.assigns.current_scope \| user: user})`
+	`\|> assign(:totp_state, :disabled)`
+	`\|> put_flash(:info, "Disabled two-factor authentication.")`
+
+	`{:noreply, socket}`
+	`end`
+
+	`def handle_event("verify_totp", %{"totp" => %{"code" => code}}, socket) do`
+	`user = socket.assigns.current_scope.user`
+	`user_token = socket.assigns.user_token`
+	`totp_secret = socket.assigns.totp_secret`
+
+	`case Accounts.enable_user_totp(user, user_token, totp_secret, code) do`
+	`{:ok, user} ->`
+	`socket =`
+	`socket`
+	`\|> assign(:current_scope, %{socket.assigns.current_scope \| user: user})`
+	`\|> assign(:totp_state, :enabled)`
+	`\|> put_flash(:info, "Enabled two-factor authentication.")`
+
+	`{:noreply, socket}`
+
+	`{:error, :invalid_code} ->`
+	`{:noreply, put_flash(socket, :error, "Invalid two-factor verification code.")}`
+	`end`
+	`end`
	`end`

Verifying TOTP codes

To verify TOTP for a users session, we accept a code from them and verify it on the backend. Because this updates the :totp_verified_at field on their session, we can redirect them to where they wanted to go and they should now be allowed.

lib/my_app_web/live/user_live/totp_verify.ex Reveal

	`-0,0 +1,59 @@`
+	`defmodule MyAppWeb.UserLive.TotpVerify do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Accounts`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<div class="mx-auto max-w-sm">`
+	`<div class="text-center">`
+	`<.header>`
+	`Two-factor auth required`
+	`<:subtitle>`
+	`Sign in to your verification app to find the code.`
+	`</:subtitle>`
+	`</.header>`
+	`</div>`
+
+	`<.form for={@form} id="verify_totp_form" phx-submit="save">`
+	`<.input`
+	`field={@form[:code]}`
+	`label="Verification code"`
+	`autocomplete="off"`
+	`required`
+	`phx-mounted={JS.focus()}`
+	`/>`
+
+	`<.button phx-disable-with="Verifying..." class="btn btn-primary w-full">`
+	`Verify`
+	`</.button>`
+	`</.form>`
+	`</div>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def mount(_params, %{"user_token" => user_token} = session, socket) do`
+	`socket =`
+	`socket`
+	`\|> assign(:user_token, user_token)`
+	`\|> assign(:return_to, session["user_return_to"] \|\| ~p"/")`
+	`\|> assign(:form, to_form(%{}, as: "totp"))`
+
+	`{:ok, socket}`
+	`end`
+
+	`def handle_event("save", %{"totp" => %{"code" => code}}, socket) do`
+	`user = socket.assigns.current_scope.user`
+	`user_token = socket.assigns.user_token`
+
+	`case Accounts.verify_session_totp(user_token, user.totp_secret, code) do`
+	`:ok ->`
+	`{:noreply, push_navigate(socket, to: socket.assigns.return_to)}`
+
+	`{:error, :invalid_code} ->`
+	`{:noreply, put_flash(socket, :error, "Invalid two-factor verification code.")}`
+	`end`
+	`end`
+	`end`

Authentication in your router

In your router, we'll use new plugs and on_mount hooks to authenticate against TOTP status. We create a new live_session with the :require_verified_totp on_mount hook for routes that require TOTP verification.

The TOTP verification page itself only requires authentication (not TOTP verification), so it lives in the :require_authenticated_user live_session.

You can mix and match these so that some routes only require password authentication, while other, more secure, routes require TOTP. GitHub does this for accessing your settings.

lib/my_app_web/router.ex Reveal

	`-52,6 +52,18 @@ defmodule MyAppWeb.Router do`

	`live_session :require_authenticated_user,`
	`on_mount: [{MyAppWeb.UserAuth, :require_authenticated}] do`
+	`live "/users/verify-totp", UserLive.TotpVerify, :verify`
+	`end`
+	`end`
+
+	`scope "/", MyAppWeb do`
+	`pipe_through [:browser, :require_authenticated_user, :require_verified_totp]`
+
+	`live_session :require_verified_totp_user,`
+	`on_mount: [`
+	`{MyAppWeb.UserAuth, :require_authenticated},`
+	`{MyAppWeb.UserAuth, :require_verified_totp}`
+	`] do`
	`live "/users/settings", UserLive.Settings, :edit`
	`live "/users/settings/confirm-email/:token", UserLive.Settings, :confirm_email`
	`end`

Authentication helper functions

UserAuth is a great place to add authentication helpers, which is what we do here for checking for TOTP verification. We add both a plug function require_verified_totp/2 and an on_mount/4 clause for :require_verified_totp .

It's important to keep these functions simple, to help prevent holes from forming in your auth logic.

lib/my_app_web/user_auth.ex Reveal

	`-162,6 +162,20 @@ defmodule MyAppWeb.UserAuth do`
	`\|> put_resp_cookie(@remember_me_cookie, token, @remember_me_options)`
	`end`

+	`@doc """`
+	`Used for routes that require that TOTP has been verified.`
+	`"""`
+	`def require_verified_totp(conn, _opts) do`
+	`if Accounts.totp_verified?(conn.assigns.current_scope.user) do`
+	`conn`
+	`else`
+	`conn`
+	`\|> maybe_store_return_to()`
+	`\|> redirect(to: ~p"/users/verify-totp")`
+	`\|> halt()`
+	`end`
+	`end`
+
	`defp put_token_in_session(conn, token) do`
	`conn`
	`\|> put_session(:user_token, token)`
	`-193,6 +207,9 @@ defmodule MyAppWeb.UserAuth do`
	`on user_token.`
	`Redirects to login page if there's no logged user.`

+	* `:require_verified_totp` - Redirects to the verify TOTP page if the
+	`user assigned to the current session requires TOTP.`
+
	`## Examples`

	Use the `on_mount` lifecycle macro in LiveViews to mount or authenticate
	`-245,6 +262,14 @@ defmodule MyAppWeb.UserAuth do`
	`end`
	`end`

+	`def on_mount(:require_verified_totp, _params, _session, socket) do`
+	`if Accounts.totp_verified?(socket.assigns.current_scope.user) do`
+	`{:cont, socket}`
+	`else`
+	`{:halt, Phoenix.LiveView.redirect(socket, to: ~p"/users/verify-totp")}`
+	`end`
+	`end`
+
	`defp mount_current_scope(socket, session) do`
	`Phoenix.Component.assign_new(socket, :current_scope, fn ->`
	`{user, _} =`

Database migration

By this point, you're familiar with these two new fields we need to add to our database. It's nice when a powerful feature such as this one requires no new tables, and only a couple new fields.

priv/repo/migrations/0001_alter_auth_tables_add_totp.exs Reveal

	`-0,0 +1,13 @@`
+	`defmodule MyApp.Repo.Migrations.AlterAuthTablesAddTotp do`
+	`use Ecto.Migration`
+
+	`def change do`
+	`alter table(:users) do`
+	`add :totp_secret, :binary, null: true`
+	`end`
+
+	`alter table(:users_tokens) do`
+	`add :totp_verified_at, :utc_datetime, null: true`
+	`end`
+	`end`
+	`end`

Install with Claude Code

Write instructions to implement this feature to your project directory in a LLM-friendly format, then have Claude take care of the rest! Requires Claude Code to be installed.

curl "https://elixir-saas.com/llms/p/two-factor-totp.md?v=1.8.3&f=impl" > two_factor_totp.md;

claude "Implement the feature that is documented in: two_factor_totp.md." --allowedTools "Write Edit Bash(mix:*) Bash(mkdir:*)";