[GH-ISSUE #4114] SIWE + 2FA doesn't works because password is required #9835

Closed
opened 2026-04-13 05:35:20 -05:00 by GiteaMirror · 5 comments
Owner

Originally created by @ibrunotome on GitHub (Aug 21, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4114

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. Configure SIWE plugin, sign in.
  2. Configure twoFactor plugin.

Current vs. Expected behavior

The docs for twoFactor plugin shows that the password is required, the implementation of the twoFactor plugin assumes all users have password and try to validate it:

const isPasswordValid = await validatePassword(ctx, {
  password,
  userId: user.id
});
if (!isPasswordValid) {
  throw new APIError("BAD_REQUEST", {
    message: BASE_ERROR_CODES.INVALID_PASSWORD
  });
}

But this isn't the case when users sign in with SIWE, they do not have passwords, so the above implementation prevents users that used SIWE to activate 2FA.

What version of Better Auth are you using?

1.3.7

System info

System:
    OS: macOS 15.6
    CPU: (10) arm64 Apple M1 Pro
    Memory: 120.78 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Browsers:
    Chrome: 133.0.6943.142
    Safari: 18.6

Which area(s) are affected? (Select all that apply)

Backend, Client, Package

Auth config (if applicable)


Additional context

No response

Originally created by @ibrunotome on GitHub (Aug 21, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4114 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce 1. Configure SIWE plugin, sign in. 2. Configure twoFactor plugin. ### Current vs. Expected behavior The docs for twoFactor plugin shows that the password is required, the implementation of the twoFactor plugin assumes all users have password and try to validate it: ```js const isPasswordValid = await validatePassword(ctx, { password, userId: user.id }); if (!isPasswordValid) { throw new APIError("BAD_REQUEST", { message: BASE_ERROR_CODES.INVALID_PASSWORD }); } ``` But this isn't the case when users sign in with SIWE, they do not have passwords, so the above implementation prevents users that used SIWE to activate 2FA. ### What version of Better Auth are you using? 1.3.7 ### System info ```bash System: OS: macOS 15.6 CPU: (10) arm64 Apple M1 Pro Memory: 120.78 MB / 16.00 GB Shell: 5.9 - /bin/zsh Browsers: Chrome: 133.0.6943.142 Safari: 18.6 ``` ### Which area(s) are affected? (Select all that apply) Backend, Client, Package ### Auth config (if applicable) ```typescript ``` ### Additional context _No response_
GiteaMirror added the lockedbug labels 2026-04-13 05:35:20 -05:00
Author
Owner

@dosubot[bot] commented on GitHub (Aug 21, 2025):

Hi @ibrunotome! I'm Dosu and I’m helping the better-auth team.

You're correct—Better Auth's twoFactor plugin strictly requires password validation to enable or disable 2FA, which blocks SIWE users since they don't have passwords. There is no built-in workaround or config option in v1.3.7 to bypass this requirement for passwordless users like SIWE or social login accounts. This limitation is confirmed in the codebase and documentation, and has been discussed in detail by other users and maintainers (source, source).

Community suggestions include patching or extending the twoFactor plugin to support alternative verification methods (for example, sending an email OTP to the user's verified email instead of requiring a password). This would involve adding conditional logic to the plugin so that passwordless users can verify their identity via email or another factor when enabling/disabling 2FA (discussion). There are no recent merged PRs or official guides for this workaround, so it requires a custom implementation.

If you need SIWE + 2FA support, the only current path is to fork or extend the twoFactor plugin to add an alternative verification flow for passwordless users. If you want a high-level example or guidance on how to approach this, let me know!

To reply, just mention @dosu.


How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3208566587 --> @dosubot[bot] commented on GitHub (Aug 21, 2025): <!-- Greeting --> Hi @ibrunotome! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> You're correct—Better Auth's twoFactor plugin strictly requires password validation to enable or disable 2FA, which blocks SIWE users since they don't have passwords. There is no built-in workaround or config option in v1.3.7 to bypass this requirement for passwordless users like SIWE or social login accounts. This limitation is confirmed in the codebase and documentation, and has been discussed in detail by other users and maintainers ([source](https://github.com/better-auth/better-auth/issues/1279), [source](https://github.com/better-auth/better-auth/blob/4472f679f09697d6743470cb58c4d4ee32eaa5f0/packages/better-auth/src/plugins/two-factor/index.ts)). Community suggestions include patching or extending the twoFactor plugin to support alternative verification methods (for example, sending an email OTP to the user's verified email instead of requiring a password). This would involve adding conditional logic to the plugin so that passwordless users can verify their identity via email or another factor when enabling/disabling 2FA ([discussion](https://github.com/better-auth/better-auth/issues/1279)). There are no recent merged PRs or official guides for this workaround, so it requires a custom implementation. If you need SIWE + 2FA support, the only current path is to fork or extend the twoFactor plugin to add an alternative verification flow for passwordless users. If you want a high-level example or guidance on how to approach this, let me know! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/df7bc60d-f47e-4e69-9918-b33e495ead5a?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4114)
Author
Owner

@ping-maxwell commented on GitHub (Aug 23, 2025):

Hey, the only recommendation I have is to use the set-password endpoint, but if you don't want users to have passwords then you'll have to wait until we support 2FA changing the authentication requirement based on the users primary auth method that will be developed in the future

<!-- gh-comment-id:3217289811 --> @ping-maxwell commented on GitHub (Aug 23, 2025): Hey, the only recommendation I have is to use the [set-password](https://www.better-auth.com/docs/concepts/users-accounts#set-password) endpoint, but if you don't want users to have passwords then you'll have to wait until we support 2FA changing the authentication requirement based on the users primary auth method that will be developed in the future
Author
Owner

@dosubot[bot] commented on GitHub (Nov 22, 2025):

Hi, @ibrunotome. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that the twoFactor plugin in Better Auth v1.3.7 requires a password for 2FA validation, which conflicts with SIWE users who do not have passwords.
  • It was confirmed that no built-in workaround currently exists for passwordless 2FA validation.
  • A temporary workaround using the set-password endpoint was recommended by the maintainer.
  • Native support for 2FA without passwords is planned for future development.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here.
  • If I do not hear back within 7 days, I will automatically close this issue.

Thank you for your understanding and contribution!

<!-- gh-comment-id:3566844591 --> @dosubot[bot] commented on GitHub (Nov 22, 2025): Hi, @ibrunotome. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You reported that the twoFactor plugin in Better Auth v1.3.7 requires a password for 2FA validation, which conflicts with SIWE users who do not have passwords. - It was confirmed that no built-in workaround currently exists for passwordless 2FA validation. - A temporary workaround using the set-password endpoint was recommended by the maintainer. - Native support for 2FA without passwords is planned for future development. **Next Steps:** - Please let me know if this issue is still relevant with the latest version of better-auth by commenting here. - If I do not hear back within 7 days, I will automatically close this issue. Thank you for your understanding and contribution!
Author
Owner

@ibrunotome commented on GitHub (Nov 22, 2025):

Still relevant.

<!-- gh-comment-id:3566854414 --> @ibrunotome commented on GitHub (Nov 22, 2025): Still relevant.
Author
Owner

@dosubot[bot] commented on GitHub (Feb 21, 2026):

Hi, @ibrunotome. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • The twoFactor plugin in Better Auth v1.3.7 requires a password for 2FA validation, which conflicts with passwordless SIWE users.
  • A suggested workaround was to use the set-password endpoint, but this is not an ideal native solution.
  • Native support for passwordless 2FA is planned but not yet implemented.
  • You confirmed that this issue is still relevant to your use case.
  • The issue remains open, awaiting further updates or implementation.

Next Steps:

  • Please confirm if this issue is still relevant with the latest version of better-auth by commenting here.
  • If no further activity occurs, I will automatically close this issue in 7 days.

Thank you for your understanding and contribution!

<!-- gh-comment-id:3939032001 --> @dosubot[bot] commented on GitHub (Feb 21, 2026): Hi, @ibrunotome. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - The twoFactor plugin in Better Auth v1.3.7 requires a password for 2FA validation, which conflicts with passwordless SIWE users. - A suggested workaround was to use the set-password endpoint, but this is not an ideal native solution. - Native support for passwordless 2FA is planned but not yet implemented. - You confirmed that this issue is still relevant to your use case. - The issue remains open, awaiting further updates or implementation. **Next Steps:** - Please confirm if this issue is still relevant with the latest version of better-auth by commenting here. - If no further activity occurs, I will automatically close this issue in 7 days. Thank you for your understanding and contribution!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#9835