Level: Easy

Napkin-math based on lines added — not a strict rule. Tests, guides, and lockfiles are omitted for better accuracy (closer to SLOC than raw diff).

Jump to file

∟ lib/my_app/accounts.ex
∟ lib/my_app/accounts/user.ex
∟ lib/my_app/accounts/user_backup_code.ex
∟ lib/my_app_web/live/user_live/settings.ex
∟ lib/my_app_web/live/user_live/totp_backup_code.ex
∟ lib/my_app_web/live/user_live/totp_verify.ex
∟ lib/my_app_web/router.ex
∟ priv/repo/migrations/0002_add_user_backup_codes.exs

Add to existing TOTP functions

When we first built TOTP into our app we added several new functions in our Accounts context. Here, we'll add to those functions so that backup codes are generated and deleted when TOTP is enabled and disabled, respectively.

The enable_user_totp/4 function now returns {:ok, {user, backup_codes}} on success, where backup_codes is a list of plain-text codes to display to the user once.

Then, we add functions for generating, counting, and consuming backup codes. To consume a backup code, we query for the code while scoping our query to the signed-in user. Requiring a user is a security control, as backup codes are not typically long enough to be secure on their own.

A backup code is valid if our scoped query deletes exactly one record. Once verified, we use the same underlying function that is used for verifying a normal TOTP code to sign the user in. Since we deleted the backup code in this process, it is not reusable.

lib/my_app/accounts.ex Reveal

	`-7,6 +7,7 @@ defmodule MyApp.Accounts do`
	`alias MyApp.Repo`

	`alias MyApp.Accounts.{User, UserToken, UserNotifier}`
+	`alias MyApp.Accounts.UserBackupCode`

	`## Database getters`

	`-346,14 +347,22 @@ defmodule MyApp.Accounts do`

	`@doc """`
	`Enables TOTP for a user given a session token, a new TOTP secret, and a valid verification code.`
+
+	Returns `{:ok, {user, backup_codes}}` on success, where `backup_codes` is a list of
+	`plain-text codes to display to the user once.`
	`"""`
	`def enable_user_totp(user, token, totp_secret, verification_code) do`
	`Repo.transaction(fn ->`
	`case verify_session_totp(token, totp_secret, verification_code) do`
	`:ok ->`
-	`user`
-	`\|> Ecto.Changeset.change(totp_secret: totp_secret)`
-	`\|> Repo.update!()`
+	`backup_codes = generate_backup_codes(user)`
+
+	`user =`
+	`user`
+	`\|> Ecto.Changeset.change(totp_secret: totp_secret)`
+	`\|> Repo.update!()`
+
+	`{user, backup_codes}`

	`{:error, reason} ->`
	`Repo.rollback(reason)`
	`-366,6 +375,8 @@ defmodule MyApp.Accounts do`
	`"""`
	`def disable_user_totp(user) do`
	`Repo.transaction(fn ->`
+	`Repo.delete_all(from(UserBackupCode, where: [user_id: ^user.id]))`
+
	`Repo.update_all(`
	`from(UserToken, where: [user_id: ^user.id, context: "session"]),`
	`set: [totp_verified_at: nil]`
	`-394,4 +405,53 @@ defmodule MyApp.Accounts do`
	`{:error, :invalid_code}`
	`end`
	`end`
+
+	`defp verify_session_for_totp(token) do`
+	`Repo.update_all(`
+	`UserToken.by_token_and_context_query(token, "session"),`
+	`set: [totp_verified_at: DateTime.truncate(DateTime.utc_now(), :second)]`
+	`)`
+
+	`:ok`
+	`end`
+
+	`## TOTP backup codes`
+
+	`@doc """`
+	`Returns the count of remaining backup codes for a user.`
+	`"""`
+	`def count_backup_codes(user) do`
+	`user`
+	`\|> UserBackupCode.for_user_query()`
+	`\|> Repo.aggregate(:count)`
+	`end`
+
+	`@doc """`
+	`Generate a set of backup codes for a user.`
+
+	`Returns a list of plain-text codes that should be displayed to the user once.`
+	`The codes are stored hashed in the database and cannot be retrieved later.`
+	`"""`
+	`def generate_backup_codes(user, count \\ 8) do`
+	`Enum.map(1..count, fn _ ->`
+	`{plain_code, backup_code} = UserBackupCode.build_backup_code(user)`
+	`Repo.insert!(backup_code)`
+	`plain_code`
+	`end)`
+	`end`
+
+	`@doc """`
+	`Consume a backup code for a user, verifies their session if the code is valid.`
+	`"""`
+	`def consume_backup_code(user, token, backup_code) do`
+	`query = UserBackupCode.consume_backup_code_query(user, backup_code)`
+
+	`case Repo.delete_all(query) do`
+	`{1, _results} ->`
+	`verify_session_for_totp(token)`
+
+	`{0, _results} ->`
+	`{:error, :invalid_code}`
+	`end`
+	`end`
	`end`

Association with the user struct

While not strictly necessary (we won't use this field to preload data anywhere), we document the has_many relationship between our User and UserBackupCode structs here.

lib/my_app/accounts/user.ex Reveal

	`-12,6 +12,7 @@ defmodule MyApp.Accounts.User do`
	`field :authenticated_at, :utc_datetime, virtual: true`
	`field :totp_secret, :binary, redact: true`
	`field :totp_verified_at, :utc_datetime, virtual: true`
+	`has_many :backup_codes, MyApp.Accounts.UserBackupCode`

	`timestamps(type: :utc_datetime)`
	`end`

The UserBackupCode schema

There is not a lot to this module in particular. One thing to note is that it has a composite primary key, using the code and user_id fields. This is the "natural" key of the record, because it signifies identity. It would not make sense for multiple records in this table to have this combination of identical values. So, we spare ourselves of the need to generate a meaningless primary key.

To build a backup code string, we sample some random bytes and hex encode them. The number of bytes is tunable with the @rand_size module attribute (a size of 6 generates 12-character hex codes). These bytes do not have to be particularly long because they are not global, rather they are scoped to a single user.

The codes are stored hashed in the database using SHA256, so they cannot be retrieved later. The query function used to consume backup codes hashes the input and selects based on the compound primary key of code and user.

lib/my_app/accounts/user_backup_code.ex Reveal

	`-0,0 +1,52 @@`
+	`defmodule MyApp.Accounts.UserBackupCode do`
+	`use Ecto.Schema`
+	`import Ecto.Query`
+	`alias MyApp.Accounts.UserBackupCode`
+
+	`# A rand_size of 6 will generate 12-character hex codes.`
+	`# Codes are scoped to signed-in users, this means they safely can`
+	`# be less random than a globally scoped secret.`
+	`@rand_size 6`
+
+	`@primary_key false`
+	`@foreign_key_type :binary_id`
+
+	`schema "user_backup_codes" do`
+	`field :code, :string, primary_key: true`
+	`belongs_to :user, MyApp.Accounts.User, primary_key: true`
+
+	`timestamps(updated_at: false)`
+	`end`
+
+	`@doc """`
+	`Generates a backup code to be stored for a user.`
+
+	Returns a tuple of `{plain_code, struct}` where:
+	- `plain_code` is the code to display to the user (shown once)
+	- `struct` contains the hashed code for database storage
+	`"""`
+	`def build_backup_code(user) do`
+	`plain_code = Base.encode16(:rand.bytes(@rand_size), case: :lower)`
+	`hashed_code = hash_code(plain_code)`
+	`{plain_code, %UserBackupCode{code: hashed_code, user: user}}`
+	`end`
+
+	`@doc """`
+	`Returns a query for codes scoped to a user.`
+	`"""`
+	`def for_user_query(user) do`
+	`from UserBackupCode, where: [user_id: ^user.id]`
+	`end`
+
+	`@doc """`
+	`Returns a query for consuming a particular code for a user.`
+	`"""`
+	`def consume_backup_code_query(user, backup_code) do`
+	`hashed_code = hash_code(backup_code)`
+	`from UserBackupCode, where: [user_id: ^user.id, code: ^hashed_code]`
+	`end`
+
+	`defp hash_code(code) do`
+	`:crypto.hash(:sha256, code) \|> Base.encode64()`
+	`end`
+	`end`

Showing backup codes once

We only want to show backup codes to the user once, immediately after they first enable TOTP. This is because this is when we are most sure that the current user should in fact have access to these secrets.

When TOTP is enabled, the backup codes are returned from the enable_user_totp/4 function and stored in a @totp_backup_codes assign. When this assign is present, we display a warning alert with the codes in a grid. The codes are displayed in a monospace font for easy reading.

lib/my_app_web/live/user_live/settings.ex Reveal

	`-86,6 +86,23 @@ defmodule MyAppWeb.UserLive.Settings do`
	`<.input field={@totp_form[:code]} label="Verification code" required />`
	`<.button phx-disable-with="Verifying...">Verify & Enable</.button>`
	`</.form>`
+
+	`<div :if={@totp_backup_codes}>`
+	`<div class="alert alert-warning">`
+	`<.icon name="hero-lock-closed" class="size-5 shrink-0" />`
+	`<div>`
+	`<p class="font-semibold">Copy your backup codes now!</p>`
+	`<p class="text-xs">`
+	`Sign in with a backup code if you lose access to your authenticator app. They cannot be shown again.`
+	`</p>`
+	`</div>`
+	`</div>`
+	`<div class="bg-base-200 mt-4 grid grid-cols-4 gap-y-4 py-4">`
+	`<div :for={code <- @totp_backup_codes} class="text-center">`
+	`<span class="text-sm font-mono">{code}</span>`
+	`</div>`
+	`</div>`
+	`</div>`
	`</Layouts.app>`
	`"""`
	`end`
	`-118,6 +135,7 @@ defmodule MyAppWeb.UserLive.Settings do`
	`\|> assign(:trigger_submit, false)`
	`\|> assign(:totp_form, to_form(%{}, as: :totp))`
	`\|> assign(:totp_state, if(Accounts.totp_enabled?(user), do: :enabled, else: :disabled))`
+	`\|> assign(:totp_backup_codes, nil)`

	`{:ok, socket}`
	`end`
	`-211,11 +229,12 @@ defmodule MyAppWeb.UserLive.Settings do`
	`totp_secret = socket.assigns.totp_secret`

	`case Accounts.enable_user_totp(user, user_token, totp_secret, code) do`
-	`{:ok, user} ->`
+	`{:ok, {user, backup_codes}} ->`
	`socket =`
	`socket`
	`\|> assign(:current_scope, %{socket.assigns.current_scope \| user: user})`
	`\|> assign(:totp_state, :enabled)`
+	`\|> assign(:totp_backup_codes, backup_codes)`
	`\|> put_flash(:info, "Enabled two-factor authentication.")`

	`{:noreply, socket}`

Consuming a backup code

To consume a backup code, we render a simple LiveView form for accepting the code and call our Accounts.consume_backup_code(user, user_token, code) function. If the function returns :ok , the code was valid and consumed, and we can forward the user to where they belong in the app.

lib/my_app_web/live/user_live/totp_backup_code.ex Reveal

	`-0,0 +1,59 @@`
+	`defmodule MyAppWeb.UserLive.TotpBackupCode do`
+	`use MyAppWeb, :live_view`
+
+	`alias MyApp.Accounts`
+
+	`def render(assigns) do`
+	`~H"""`
+	`<Layouts.app flash={@flash} current_scope={@current_scope}>`
+	`<div class="mx-auto max-w-sm">`
+	`<div class="text-center">`
+	`<.header>`
+	`Use backup code`
+	`<:subtitle>`
+	`Bypass two-factor verification this time.`
+	`</:subtitle>`
+	`</.header>`
+	`</div>`
+
+	`<.form for={@form} id="verify_backup_form" phx-submit="save">`
+	`<.input`
+	`field={@form[:code]}`
+	`label="Backup code"`
+	`autocomplete="off"`
+	`required`
+	`phx-mounted={JS.focus()}`
+	`/>`
+
+	`<.button phx-disable-with="Verifying..." class="btn btn-primary w-full">`
+	`Verify`
+	`</.button>`
+	`</.form>`
+	`</div>`
+	`</Layouts.app>`
+	`"""`
+	`end`
+
+	`def mount(_params, %{"user_token" => user_token} = session, socket) do`
+	`socket =`
+	`socket`
+	`\|> assign(:user_token, user_token)`
+	`\|> assign(:return_to, session["user_return_to"] \|\| ~p"/")`
+	`\|> assign(:form, to_form(%{}, as: "backup"))`
+
+	`{:ok, socket}`
+	`end`
+
+	`def handle_event("save", %{"backup" => %{"code" => code}}, socket) do`
+	`user = socket.assigns.current_scope.user`
+	`user_token = socket.assigns.user_token`
+
+	`case Accounts.consume_backup_code(user, user_token, code) do`
+	`:ok ->`
+	`{:noreply, push_navigate(socket, to: socket.assigns.return_to)}`
+
+	`{:error, :invalid_code} ->`
+	`{:noreply, put_flash(socket, :error, "Code is invalid or has already been used.")}`
+	`end`
+	`end`
+	`end`

Showing the backup code option

In the LiveView that handles TOTP verification, we show a link to use a backup code. This is the most likely place for a user to realize they no longer have access to their authenticator device.

lib/my_app_web/live/user_live/totp_verify.ex Reveal

	`-25,6 +25,13 @@ defmodule MyAppWeb.UserLive.TotpVerify do`
	`phx-mounted={JS.focus()}`
	`/>`

+	`<.link`
+	`navigate={~p"/users/verify-backup"}`
+	`class="text-xs font-semibold leading-6 text-base-content/70 hover:text-base-content/30"`
+	`>`
+	`Use a backup code`
+	`</.link>`
+
	`<.button phx-disable-with="Verifying..." class="btn btn-primary w-full">`
	`Verify`
	`</.button>`

Router changes

In our router, we add the new LiveView for consuming backup codes at /users/verify-backup . This is placed in the :require_authenticated_user live_session alongside the TOTP verification route, as both require a signed-in user but not TOTP verification.

lib/my_app_web/router.ex Reveal

	`-53,6 +53,7 @@ defmodule MyAppWeb.Router do`
	`live_session :require_authenticated_user,`
	`on_mount: [{MyAppWeb.UserAuth, :require_authenticated}] do`
	`live "/users/verify-totp", UserLive.TotpVerify, :verify`
+	`live "/users/verify-backup", UserLive.TotpBackupCode, :backup_code`
	`end`
	`end`

Migration to add backup codes

Our table is straightforward as it only includes the code string and the ID of the user it belongs to. We do not even need to store any kind of status or redeemed_at field, as our design decision dictates that only the presence of a code is enough to determine validity. Remember to include the index as well, otherwise the performance of deleting codes (an operation which uses only user_id) may degrade over time.

priv/repo/migrations/0002_add_user_backup_codes.exs Reveal

	`-0,0 +1,16 @@`
+	`defmodule MyApp.Repo.Migrations.AddUserBackupCodes do`
+	`use Ecto.Migration`
+
+	`def change do`
+	`create table(:user_backup_codes, primary_key: false) do`
+	`add :code, :string, primary_key: true`
+
+	`add :user_id, references(:users, type: :binary_id, on_delete: :delete_all),`
+	`primary_key: true`
+
+	`timestamps(updated_at: false)`
+	`end`
+
+	`create index(:user_backup_codes, [:user_id])`
+	`end`
+	`end`

Install with Claude Code

Write instructions to implement this feature to your project directory in a LLM-friendly format, then have Claude take care of the rest! Requires Claude Code to be installed.

curl "https://elixir-saas.com/llms/p/two-factor-totp-backup-codes.md?v=1.8.3&f=impl" > two_factor_totp_backup_codes.md;

claude "Implement the feature that is documented in: two_factor_totp_backup_codes.md." --allowedTools "Write Edit Bash(mix:*) Bash(mkdir:*)";

Two Factor / TOTP Backup Codes