[GH-ISSUE #3561] twoFactor.sendOtp() not working after 1.3.0 #26970

New Issue

GiteaMirror · 2026-04-17T17:43:57-05:00

GiteaMirror commented

2026-04-17 17:43:57 -05:00

Originally created by @dennisjnnh on GitHub (Jul 23, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/3561

Is this suited for github?

Yes, this is suited for github

To Reproduce

#3302 I think this PR introduced an issue if a user wanted to enable 2FA and call twoFactor.sendOtp() afterwards, which would receive the following error: OTP_NOT_ENABLED.

Client Code:
` const { data, error } = await twoFactor.enable({
password: values.password,
})

  if (error) {
    if (error.code === 'INVALID_PASSWORD') {
      toast.error('Wrong Password')
      return
    }
    toast.error(
      `There was an error while enabling 2FA. Please try again later`,
    )
    return
  }

  if (values.twoFactorType === 'otp') {
    const { data, error } = await twoFactor.sendOtp()

    if (error) {
      toast.error(
        'There was an error sending the OTP password. Please try again later',
      )
      return
    }

    if (data.status) {
      setShowOTP(true)
    }
  }`

server setup:
` twoFactor({
issuer: process.env.BETTER_AUTH_NAME!,
otpOptions: {
async sendOTP({ otp, user }) {
const log = createLog('betterAuth')

    log.debug(`Sending 2FA token email to user ${user.id}`)
    await sendTwoFactorTokenEmail(user, otp)
  },
},

}),`

Current vs. Expected behavior

On version 1.2.12 this works and the user can verify 2FA using OTP, but in 1.3.0 the api call twoFactor.sendOtp() fails.

What version of Better Auth are you using?

1.3.0

Provide environment information

macOS, Safari

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

Additional context

Probably related to #3302

Originally created by @dennisjnnh on GitHub (Jul 23, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/3561 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce #3302 I think this PR introduced an issue if a user wanted to enable 2FA and call twoFactor.sendOtp() afterwards, which would receive the following error: OTP_NOT_ENABLED. Client Code: ` const { data, error } = await twoFactor.enable({ password: values.password, }) if (error) { if (error.code === 'INVALID_PASSWORD') { toast.error('Wrong Password') return } toast.error( `There was an error while enabling 2FA. Please try again later`, ) return } if (values.twoFactorType === 'otp') { const { data, error } = await twoFactor.sendOtp() if (error) { toast.error( 'There was an error sending the OTP password. Please try again later', ) return } if (data.status) { setShowOTP(true) } }` server setup: ` twoFactor({ issuer: process.env.BETTER_AUTH_NAME!, otpOptions: { async sendOTP({ otp, user }) { const log = createLog('betterAuth') log.debug(`Sending 2FA token email to user ${user.id}`) await sendTwoFactorTokenEmail(user, otp) }, }, }),` ### Current vs. Expected behavior On version 1.2.12 this works and the user can verify 2FA using OTP, but in 1.3.0 the api call twoFactor.sendOtp() fails. ### What version of Better Auth are you using? 1.3.0 ### Provide environment information ```bash macOS, Safari ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript ``` ### Additional context Probably related to #3302

GiteaMirror added the locked bug labels 2026-04-17 17:43:57 -05:00

GiteaMirror closed this issue

2026-04-17 17:43:58 -05:00

GiteaMirror commented

2026-04-17 17:43:59 -05:00

@dosubot[bot] commented on GitHub (Jul 23, 2025):

Hi @dennisjnnh! I'm Dosu and I’m helping the better-auth team.

In Better Auth v1.3.0, the flow for enabling 2FA changed: after calling twoFactor.enable(), the user is not immediately considered to have 2FA enabled—verification (via TOTP or OTP) is now required before sendOtp will work. If you call sendOtp right after enable, you'll get OTP_NOT_ENABLED because user.twoFactorEnabled is still false until verification completes. This is a deliberate change for security and is reflected in the code and tests (see implementation, see tests).

If you want to restore the old behavior for backwards compatibility or testing, you can set the skipVerificationOnEnable option in your twoFactor config. Otherwise, update your client flow to include a verification step after enable, before calling sendOtp. The 1.3.0 release notes mention related changes, but there’s no direct evidence that PR #3302 specifically caused this—it’s just the new contract starting with 1.3.0.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jul 23, 2025):  Hi @dennisjnnh! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  In Better Auth v1.3.0, the flow for enabling 2FA changed: after calling twoFactor.enable(), the user is not immediately considered to have 2FA enabled—verification (via TOTP or OTP) is now required before sendOtp will work. If you call sendOtp right after enable, you'll get OTP_NOT_ENABLED because user.twoFactorEnabled is still false until verification completes. This is a deliberate change for security and is reflected in the code and tests ([see implementation](https://github.com/better-auth/better-auth/blob/602ab7c4c6913d601994de0ae679be6645a58d69/packages/better-auth/src/plugins/two-factor/index.ts), [see tests](https://github.com/better-auth/better-auth/blob/602ab7c4c6913d601994de0ae679be6645a58d69/packages/better-auth/src/plugins/two-factor/two-factor.test.ts)). If you want to restore the old behavior for backwards compatibility or testing, you can set the skipVerificationOnEnable option in your twoFactor config. Otherwise, update your client flow to include a verification step after enable, before calling sendOtp. The [1.3.0 release notes](https://github.com/better-auth/better-auth/blob/602ab7c4c6913d601994de0ae679be6645a58d69/docs/content/blogs/1-3.mdx) mention related changes, but there’s no direct evidence that PR #3302 specifically caused this—it’s just the new contract starting with 1.3.0.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/72368a89-4eed-403c-a6c7-f2a7ca2a6d70?feedback_type=other)</sup>  [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3561)

GiteaMirror commented

2026-04-17 17:43:59 -05:00

@dennisjnnh commented on GitHub (Jul 23, 2025):

@dosu How would you want to complete the verification with OTP if sendOtp will not work?

@dennisjnnh commented on GitHub (Jul 23, 2025): @dosu How would you want to complete the verification with OTP if sendOtp will not work?

GiteaMirror commented

2026-04-17 17:44:00 -05:00

@dosubot[bot] commented on GitHub (Jul 23, 2025):

In v1.3.0, the OTP for verification is not sent via sendOtp after enable. Instead, the OTP should be delivered as part of the verification step itself—when you call the verifyOtp endpoint, it both sends the OTP (if needed) and verifies the code. The user is only considered to have 2FA enabled after successful verification. So, after enable, your client should prompt for verification and trigger verifyOtp, which will handle OTP delivery and verification in one step. The sendOtp method is only available after 2FA is fully enabled, not during enrollment. If you want the old behavior, you can set skipVerificationOnEnable to true in your config, but that's not the default or recommended flow now.
See implementation details

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jul 23, 2025):  In v1.3.0, the OTP for verification is not sent via sendOtp after enable. Instead, the OTP should be delivered as part of the verification step itself—when you call the verifyOtp endpoint, it both sends the OTP (if needed) and verifies the code. The user is only considered to have 2FA enabled after successful verification. So, after enable, your client should prompt for verification and trigger verifyOtp, which will handle OTP delivery and verification in one step. The sendOtp method is only available after 2FA is fully enabled, not during enrollment. If you want the old behavior, you can set skipVerificationOnEnable to true in your config, but that's not the default or recommended flow now. [See implementation details](https://github.com/better-auth/better-auth/blob/602ab7c4c6913d601994de0ae679be6645a58d69/packages/better-auth/src/plugins/two-factor/otp/index.ts)  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/3c45e323-52b2-4690-8868-581987abd3f7?feedback_type=other)</sup>  [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3561)

GiteaMirror commented

2026-04-17 17:44:00 -05:00

@samstoppani-triffin commented on GitHub (Aug 5, 2025):

@dosu how does verifyOtp both send and verify the code? verifyOtp requires a code.

Please show us an example of the expected flow for enabling 2FA.

@samstoppani-triffin commented on GitHub (Aug 5, 2025): @dosu how does verifyOtp both send and verify the code? verifyOtp requires a code. Please show us an example of the expected flow for enabling 2FA.

GiteaMirror commented

2026-04-17 17:44:00 -05:00

@dennisjnnh commented on GitHub (Aug 18, 2025):

@bairdj Do you mind taking a look at this? It may be related to your PR #3302.

@dennisjnnh commented on GitHub (Aug 18, 2025): @bairdj Do you mind taking a look at this? It may be related to your PR #3302.

GiteaMirror commented

2026-04-17 17:44:01 -05:00

@bairdj commented on GitHub (Aug 18, 2025):

This occurs if twoFactorEnabled if false in the user model 9a6a8d741b/packages/better-auth/src/plugins/two-factor/otp/index.ts (L174)

Presumably this is occurring when skipVerificationOnEnable is false, and it's failing on attempting to send it later. Fix is probably to remove the enabled check in sendOtp and just send it anyway, then it will update the user's twoFactorEnabled when they verify the code later

@bairdj commented on GitHub (Aug 18, 2025): This occurs if `twoFactorEnabled` if `false` in the user model https://github.com/better-auth/better-auth/blob/9a6a8d741bf77c0d2e44c02281314b50a75cd6fc/packages/better-auth/src/plugins/two-factor/otp/index.ts#L174 Presumably this is occurring when `skipVerificationOnEnable` is false, and it's failing on attempting to send it later. Fix is probably to remove the enabled check in `sendOtp` and just send it anyway, then it will update the user's `twoFactorEnabled` when they verify the code later

GiteaMirror commented

2026-04-17 17:44:01 -05:00

@frectonz commented on GitHub (Sep 4, 2025):

@dennisjnnh are you still facing this problem and if you are do you have a repo i can use to reproduce the issue you are facing.

@frectonz commented on GitHub (Sep 4, 2025): @dennisjnnh are you still facing this problem and if you are do you have a repo i can use to reproduce the issue you are facing.

GiteaMirror commented

2026-04-17 17:44:01 -05:00

@frectonz commented on GitHub (Sep 4, 2025):

From what i am seeing, you just have to set skipVerificationOnEnable to true in your two-factor plugin options.

@frectonz commented on GitHub (Sep 4, 2025): From what i am seeing, you just have to set `skipVerificationOnEnable` to `true` in your `two-factor` plugin options.

GiteaMirror commented

2026-04-17 17:44:02 -05:00

@dennisjnnh commented on GitHub (Sep 7, 2025):

From what i am seeing, you just have to set skipVerificationOnEnable to true in your two-factor plugin options.

While this does resolve the issue, i don't think it is a perfect solution for the problem.

If a user enables 2FA with TOTP with this setting enabled, and fails to set up the device correctly, he will not be able to recover from that point on, because 2FA was enabled right away without verifying if the setup worked correctly.

@dennisjnnh commented on GitHub (Sep 7, 2025): > From what i am seeing, you just have to set `skipVerificationOnEnable` to `true` in your `two-factor` plugin options. While this does resolve the issue, i don't think it is a perfect solution for the problem. If a user enables 2FA with TOTP with this setting enabled, and fails to set up the device correctly, he will not be able to recover from that point on, because 2FA was enabled right away without verifying if the setup worked correctly.

GiteaMirror commented

2026-04-17 17:44:02 -05:00

@gleandroj commented on GitHub (Oct 10, 2025):

+1

@gleandroj commented on GitHub (Oct 10, 2025): +1

GiteaMirror commented

2026-04-17 17:44:03 -05:00

@mateus4k commented on GitHub (Oct 10, 2025):

+1

@mateus4k commented on GitHub (Oct 10, 2025): +1

GiteaMirror commented

2026-04-17 17:44:03 -05:00

@himself65 commented on GitHub (Dec 2, 2025):

This is fixed in the latest version

@himself65 commented on GitHub (Dec 2, 2025): This is fixed in the latest version

Sign in to join this conversation.

Branches Tags

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#26970