Support PIN-based Step-up Authentication for Sensitive Actions #2310

Open
opened 2026-03-13 09:43:10 -05:00 by GiteaMirror · 3 comments
Originally created by @tito-arch on GitHub (Nov 15, 2025).

Is this suited for github?

  • Yes, this is suited for github

Currently, better-auth does not offer built-in support for PIN authentication. However, there are practical scenarios where a quick PIN entry can be crucial:

  • For stepping up auth during sensitive in-app actions, such as money transfers, profile changes, or re-authentication prompts within an active session.
  • As an alternative to passkey, face, or password when a lightweight and rapid challenge is preferred.

Lack of PIN support means developers cannot easily implement step-up flows or offer users the PIN experience they expect from other financial or sensitive applications.

Describe the solution you'd like

Add a PIN authentication plugin for better-auth that can be invoked:

  • As a step-up challenge for sensitive operations (e.g., transactions, in-app purchases, settings changes).
  • Optionally as a standalone login mode for specific flows (not mandatory).

The plugin should allow:

  • Secure PIN entry, validation, and storage (hashed, like password).
  • Easy API or client method to prompt PIN when needed (not only at login).
  • Flexibility to set PIN rules (length, complexity) per app.
  • Option to combine PIN with other auth factors (multifactor or passkey/PIN hybrid).

This makes PIN a drop-in solution for step-up auth and transactional security, just like passkey or face recognition plugins.

Describe alternatives you've considered

Alternatives considered:

  • Using a password step-up (slower and less user-friendly for in-app flows).
  • Custom plugin, but this would duplicate effort across many users/projects. A built-in PIN plugin encourages consistency and shared best practices.
  • Relying entirely on passkeys/biometrics, but PIN remains a strong fallback or alternative in financial apps and situations where biometric/passkey/face is unavailable.

Additional context

PIN support is standard in many banking and payment apps. Security and UX can both benefit from a step-up PIN plugin.
Reference: most other auth methods (passkey, face, username) are already available as plugins.
PIN flows should support both quick step-up challenges and, optionally, standalone PIN logins. This would drive adoption and fill a current gap in the ecosystem.

GiteaMirror added the enhancement label 2026-03-13 09:43:10 -05:00
@better-auth-agent[bot] commented on GitHub (Nov 15, 2025):

(tag @better-auth-agent if you would like an answer from the Agent)

@dosubot[bot] commented on GitHub (Feb 14, 2026):

Hi, @tito-arch. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You requested a built-in PIN authentication plugin for better-auth to improve step-up challenges and enable optional standalone login.
  • The goal is to enhance user experience in sensitive app flows and standardize PIN usage with secure handling and flexible rules.
  • I provided documentation and community links but no direct resolution or implementation yet.
  • This feature could reduce duplicated custom PIN implementations and improve security in financial or sensitive applications.

Next Steps

  • Please let me know if this feature request is still relevant to the latest version of better-auth by commenting on this issue.
  • If I don’t hear back within 7 days, the issue will be automatically closed to keep the backlog manageable.

Thank you for your understanding and contribution!

@ShivamGupta-SM commented on GitHub (Feb 19, 2026):

+1 on step-up authentication as a first-class concept.

We have the same need but with passkeys/biometrics instead of PIN. Our use cases:

  • Withdrawal confirmation (fintech)
  • Phone number changes
  • Role promotions (owner/admin)
  • Organization creation with identity verification

The core problem is the same regardless of method (PIN, passkey, TOTP, password): there's no way to re-verify a user's identity without creating a new session.

Currently verifyPasskeyAuthentication always creates a session, so we had to bypass Better Auth and use @simplewebauthn/server directly for re-auth. Works, but it's a lot of code that duplicates plugin internals.

A generic step-up API that works across auth methods would be ideal:

```typescript
await auth.api.verifyStepUp({
  body: { method: "passkey", response: assertionResponse }
});
// or
await auth.api.verifyStepUp({
  body: { method: "pin", code: "1234" }
});
// Returns: { verified: true, userId: "..." } — no session created
```

Related: #8071 (our feature request specifically for passkey re-auth without session creation)

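A worked sketch of what a PIN step-up plugin of the kind requested above has to get right, written as an added example for this thread; it is not code from better-auth or from either commenter. It stores PINs hashed with scrypt as the issue asks, but because a 6-digit PIN has only one million possible values, the hash is not the main defence against guessing; the per-user failure counter and lockout are. It also follows the shape proposed in the last comment: verification is only reachable for an already-authenticated user, returns a verified result plus a short-lived, single-use grant bound to one named action, and never creates a session. The function names (`verifyStepUp`, `consumeGrant`, `setPin`), the policy fields, the trivial-PIN rules and the in-memory maps standing in for the user table are all assumptions made for illustration.

```typescript
// Added example, not better-auth's API. In-memory maps stand in for persistence;
// a real plugin would store the PIN record on the user row and grants in the session store.
import { scryptSync, randomBytes, timingSafeEqual, randomUUID } from "node:crypto";

export interface PinPolicy {
  minLength: number;     // per-app rule from the issue (e.g. 4 or 6 digits)
  maxLength: number;
  maxFailures: number;   // lockout threshold: with ~10^6 PINs this, not the hash, bounds guessing
  lockoutMs: number;
  grantTtlMs: number;    // how long a successful step-up authorises the action
}

export const defaultPolicy: PinPolicy = {
  minLength: 6, maxLength: 8, maxFailures: 5, lockoutMs: 15 * 60_000, grantTtlMs: 2 * 60_000,
};

interface PinRecord { hash: string; failures: number; lockedUntil: number } // hash = "scrypt$salt$digest" (hex)
interface StepUpGrant { id: string; userId: string; action: string; expiresAt: number; used: boolean }

const pins = new Map<string, PinRecord>();     // userId -> record (constructed in-memory store)
const grants = new Map<string, StepUpGrant>(); // grantId -> grant

// Reject formats that shrink the guessing space further: non-digits, wrong length,
// one repeated digit (111111) and ascending/descending runs (123456, 654321). Assumed rules.
export function validatePinFormat(pin: string, policy: PinPolicy = defaultPolicy): string | null {
  if (!/^\d+$/.test(pin)) return "digits_only";
  if (pin.length < policy.minLength || pin.length > policy.maxLength) return "bad_length";
  if (/^(\d)\1+$/.test(pin)) return "repeated_digit";
  if ("0123456789012345".includes(pin) || "9876543210987654".includes(pin)) return "sequential";
  return null;
}

// scrypt with N=2^14, r=8, p=1 (16 MiB) raises the per-guess cost of an offline attack on a leaked table.
function derive(pin: string, salt: Buffer): Buffer {
  return scryptSync(pin, salt, 32, { N: 16384, r: 8, p: 1 });
}

export function setPin(userId: string, pin: string, policy: PinPolicy = defaultPolicy): void {
  const err = validatePinFormat(pin, policy);
  if (err) throw new Error(`weak pin: ${err}`);
  const salt = randomBytes(16);
  const digest = derive(pin, salt).toString("hex");
  pins.set(userId, { hash: `scrypt$${salt.toString("hex")}$${digest}`, failures: 0, lockedUntil: 0 });
}

export type StepUpResult =
  | { verified: true; userId: string; grantId: string; expiresAt: number }
  | { verified: false; reason: "no_pin" | "locked" | "wrong_pin"; retryAfterMs?: number };

// userId comes from the caller's existing session; this re-verifies that user and issues a grant.
// Nothing here creates, refreshes or replaces a session.
export function verifyStepUp(userId: string, code: string, action: string,
                             now: number = Date.now(), policy: PinPolicy = defaultPolicy): StepUpResult {
  const rec = pins.get(userId);
  if (!rec) return { verified: false, reason: "no_pin" };
  if (rec.lockedUntil > now) return { verified: false, reason: "locked", retryAfterMs: rec.lockedUntil - now };
  const [, saltHex, hashHex] = rec.hash.split("$");
  const expected = Buffer.from(hashHex, "hex");
  const actual = derive(code, Buffer.from(saltHex, "hex"));
  if (!timingSafeEqual(actual, expected)) {       // constant-time compare of equal-length digests
    rec.failures += 1;
    if (rec.failures >= policy.maxFailures) {     // lock the user, then give a fresh budget after the lock
      rec.lockedUntil = now + policy.lockoutMs;
      rec.failures = 0;
    }
    return { verified: false, reason: "wrong_pin" };
  }
  rec.failures = 0;
  const grant: StepUpGrant = { id: randomUUID(), userId, action, expiresAt: now + policy.grantTtlMs, used: false };
  grants.set(grant.id, grant);
  return { verified: true, userId, grantId: grant.id, expiresAt: grant.expiresAt };
}

// The sensitive endpoint redeems the grant: same user, same action, unexpired, unused.
// Single use stops a captured grant from authorising a second transfer.
export function consumeGrant(grantId: string, userId: string, action: string, now: number = Date.now()): boolean {
  const g = grants.get(grantId);
  if (!g || g.used || g.userId !== userId || g.action !== action || g.expiresAt <= now) return false;
  g.used = true;
  return true;
}
```

A typical flow is `setPin("u1", "493817")` at enrolment, then, when the user initiates a transfer from an authenticated session, `verifyStepUp("u1", code, "transfer")`; the transfer endpoint finally calls `consumeGrant(grantId, "u1", "transfer")` and refuses to proceed if it returns false. Binding the grant to the action name means a PIN entered to change a phone number cannot be replayed to authorise a withdrawal, and the short TTL keeps the step-up close in time to the action it protects.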
Reference: github-starred/better-auth#2310