Two Factor authentication should support enabling only for the OTP method #2252

Closed
opened 2026-03-13 09:38:42 -05:00 by GiteaMirror · 5 comments

Originally created by @jackh-sh on GitHub (Nov 3, 2025).

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

No response

Describe the solution you'd like

I've wanted to enable OTP two-factor authentication in my app but I can only enable TOTP with:

authClient.twoFactor.enable({password: <PASSWORD_HERE>})

I'd like an option to either enable OTP or TOTP two-factor methods.

Describe alternatives you've considered

I've investigated toggling the two-factor flag in the database manually, but I'd love the ability to do it via the API as then you can password protect the two-factor flag.

Additional context

I'm not sure if this is intentional due to the way TOTP is handled but from my experience, just toggling the flag to true seems to work just fine and has no unintended side-effects

GiteaMirror added the enhancement label 2026-03-13 09:38:42 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 3, 2025):

It sounds like you’d like a dedicated API endpoint—or at least a plugin configuration option—that lets you enable only the OTP two‑factor method rather than the current TOTP-only enable flow (which requires a user password). One proposed solution in our discussions has been to allow separate configuration for each method. For example, you’d be able to set the OTP options to explicitly enable OTP while disabling TOTP with a configuration similar to:

  betterAuth({
   plugins: [
    twoFactor({
     otpOptions: { enable: true },
     totpOptions: { enable: false }
    })
   ]
  });

This approach would let you use a password-protected endpoint to toggle OTP only—without needing to verify a password for TOTP configuration—and would remove the need to manually override database flags. Right now, as you discovered, toggling the flag manually works but isn’t ideal.

As a next step, check if your current Better Auth version supports configuration of OTP and TOTP separately. If not, you might want to follow or contribute to the feature request that proposes this separation. This enhancement would allow you to protect the OTP flag via the API while leaving TOTP disabled, exactly as you need [1] (https://github.com/better-auth/better-auth/issues/1279), [2] (https://github.com/better-auth/better-auth/issues/1676).

If you continue to encounter limitations, consider temporarily using a custom solution with hooks while the upstream changes are merged. However, the planned configuration-based solution should address your needs in a cleaner way.

@jackh-sh commented on GitHub (Nov 3, 2025):

I'm just halfway through implementing a version but I think I've just realised that you need to set

{
    skipVerificationOnEnable: true
}

On the auth object and it works. I still think there should be a nicer implementation of this as that seems quite unclear

@better-auth-agent[bot] commented on GitHub (Nov 3, 2025):

Currently, the API defaults to enabling TOTP so that if you need OTP for two-factor authentication, you have to bypass the usual TOTP flow by setting the option skipVerificationOnEnable to true. This workaround has been used because the OTP flow was originally designed for activation only when skipVerificationOnEnable is set, though it’s not very intuitive [1] (https://github.com/better-auth/better-auth/issues/1279).

Next steps:

  1. Continue using skipVerificationOnEnable: true in your auth configuration until an option to select solely OTP is provided.
  2. If you’d like a cleaner solution, consider filing an enhancement proposal to add a configuration option (e.g., otpEnabled: true) that would let you choose between OTP and TOTP within authClient.twoFactor.enable without requiring a password, while still ensuring proper security measures [2] (https://www.better-auth.com/docs/plugins/2fa).

This way you can manage activation directly through the API rather than manually toggling the twoFactor flag.

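The distinction the thread turns on (a password-gated enable endpoint versus flipping the database flag directly, and what skipVerificationOnEnable changes) as an added, self-contained model. This is not better-auth's code: the user record, the function names and the boolean-driven verification step are assumptions made for illustration.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed user record; better-auth's real schema differs.
export type User = {
  passwordHash: Buffer;
  salt: Buffer;
  twoFactorEnabled: boolean;
  totpSecret: string | null; // only used by the TOTP flow
};

export type EnableResult = "enabled" | "pending-totp-verification" | "bad-password";

export function createUser(password: string): User {
  const salt = randomBytes(16);
  return { passwordHash: scryptSync(password, salt, 32), salt, twoFactorEnabled: false, totpSecret: null };
}

function passwordMatches(user: User, password: string): boolean {
  // Constant-time compare so the password gate does not leak timing information.
  return timingSafeEqual(scryptSync(password, user.salt, 32), user.passwordHash);
}

// Models the server side of twoFactor.enable as described in this issue:
// the password check always applies; with skipVerificationOnEnable the flag is
// set immediately (what an OTP-only setup wants, since OTP needs no shared
// secret), otherwise a TOTP secret is issued and the flag waits for a verified code.
export function enableTwoFactor(user: User, password: string, skipVerificationOnEnable: boolean): EnableResult {
  if (!passwordMatches(user, password)) return "bad-password";
  if (skipVerificationOnEnable) {
    user.twoFactorEnabled = true;
    return "enabled";
  }
  user.totpSecret = randomBytes(20).toString("hex"); // stand-in for real TOTP provisioning
  return "pending-totp-verification";
}

// Second step of the default flow. Real code would validate a TOTP code against
// user.totpSecret; here the outcome of that check is passed in as a boolean.
export function confirmTotpEnable(user: User, codeValid: boolean): boolean {
  if (user.totpSecret === null || !codeValid) return false;
  user.twoFactorEnabled = true;
  return true;
}

// The alternative the reporter considered: writing the flag straight into the
// database. It works, but nothing proves the caller knows the account password.
export function toggleFlagInDatabase(user: User): void {
  user.twoFactorEnabled = true;
}
```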
@jackh-sh commented on GitHub (Nov 3, 2025):

PR: https://github.com/better-auth/better-auth/pull/5739

@dosubot[bot] commented on GitHub (Feb 2, 2026):

Hi, @jackh-sh. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You requested an enhancement to allow enabling OTP or TOTP methods individually in the two-factor authentication API.
  • The current workaround involves using skipVerificationOnEnable: true to enable OTP, which is unintuitive.
  • You have submitted a related PR (#5739) to improve this functionality.
  • The maintainers have been encouraged to consider a cleaner API option for toggling OTP without requiring password verification.
  • The issue remains unresolved and under consideration.

Next Steps:

  • Please confirm if this issue is still relevant with the latest version of better-auth by commenting here.
  • If no response is received, I will automatically close this issue in 7 days.

Thank you for your understanding and contribution!

Reference: github-starred/better-auth#2252