From 6beac425ddc77ff054895e1cf96dbb931db0cf18 Mon Sep 17 00:00:00 2001
From: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Date: Wed, 2 Jul 2025 01:54:26 +1000
Subject: [PATCH] fix(two-factor): incorrect default OTP period & fix incorrect
 docs (#3231)

* docs(2fa): fix incorrect period

* fix: default period is 3 minutes

* Update packages/better-auth/src/plugins/two-factor/index.ts

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* chore: lint

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
---
 docs/content/docs/plugins/2fa.mdx                    | 6 +++---
 packages/better-auth/src/plugins/two-factor/index.ts | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/content/docs/plugins/2fa.mdx b/docs/content/docs/plugins/2fa.mdx
index b1903c399d..90d3394c9c 100644
--- a/docs/content/docs/plugins/2fa.mdx
+++ b/docs/content/docs/plugins/2fa.mdx
@@ -393,7 +393,7 @@ these are options for TOTP.
         default: 6,
     },
     period: {
-        description: "The period for otp in seconds.",
+        description: "The period for totp in seconds.",
         type: "number",
         default: 30,
     },
@@ -411,9 +411,9 @@ these are options for OTP.
         type: "function",
     },
     period: {
-        description: "The period for otp in seconds.", 
+        description: "The period for otp in minutes.", 
         type: "number",
-        default: 30,
+        default: 3,
     },
   }}
   />
diff --git a/packages/better-auth/src/plugins/two-factor/index.ts b/packages/better-auth/src/plugins/two-factor/index.ts
index ade69e17eb..c9fc93cee9 100644
--- a/packages/better-auth/src/plugins/two-factor/index.ts
+++ b/packages/better-auth/src/plugins/two-factor/index.ts
@@ -296,7 +296,7 @@ export const twoFactor = (options?: TwoFactorOptions) => {
 						 */
 						deleteSessionCookie(ctx, true);
 						await ctx.context.internalAdapter.deleteSession(data.session.token);
-						const maxAge = options?.otpOptions?.period || 60 * 5; // 5 minutes
+						const maxAge = (options?.otpOptions?.period ?? 3) * 60; // 3 minutes
 						const twoFactorCookie = ctx.context.createAuthCookie(
 							TWO_FACTOR_COOKIE_NAME,
 							{