0.0.1 • Public • Published


    Build Status

    Passport strategy for Two-factor authenticating with a username, password and TOTP code.

    This module lets you authenticate using a username, password and TOTP code in your Node.js applications. By plugging into Passport, 2FA TOTP authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. You can use any TOTP code generators to generate one-time passwords, for example Google Authenticator.


    $ npm install passport-2fa-totp


    Configure Strategy

    The 2FA TOTP authentication strategy authenticates a user using a username, password and TOTP value generated by a hardware device or software application (known as a token). The strategy requires a callback to verify a username and password and a callback to setup TOTP generator.

    var GoogleAuthenticator = require('passport-2fa-totp').GoogeAuthenticator;
    var TwoFAStartegy = require('passport-2fa-totp').Strategy;
    passport.use(new TwoFAStartegy(function (username, password, done) {
        // 1st step verification: username and password
        User.findOne({ username: username }, function (err, user) {
            if (err) { return done(err); }
            if (!user) { return done(null, false); }
            if (!user.verifyPassword(password)) { return done(null, false); }
            return done(null, user);
    }, function (user, done) {
        // 2nd step verification: TOTP code from Google Authenticator
        if (!user.secret) {
            done(new Error("Google Authenticator is not setup yet."));
        } else {
            // Google Authenticator uses 30 seconds key period
            var secret = GoogleAuthenticator.decodeSecret(user.secret);
            done(null, secret, 30);

    GoogleAuthenticator object provides utility methods for Google Authenticator

    GoogleAuthenticator.register(username) - Generate a secret key and render a QR code (SVG) to register an account in Google Authenticator.

    GoogleAuthenticator.decodeSecret(secret) - Convert BASE 32 encoded string to byte array.

    Available Options

    This strategy takes an optional options hash before the function, e.g. new TwoFAStartegy({/* options */, verifyUsernameAndPasswordCallback, verifyTotpCodeCallback}).

    The available options are:

    • usernameField - Optional, defaults to 'username'
    • passwordField - Optional, defaults to 'password'
    • codeField - Optional, defaults to 'code'
    • window - Optional defaults to 6. A window to generate TOTP code.
    • skipTotpVerification - Optional defaults to false. TOTP code verification is skipped if it is set to be true.
    • passReqToCallback - Optional defaults to false. Pass request object to the callbacks if it is set to be true.

    Authenticate Requests

    Use passport.authenticate(), specifying the '2fa-totp' strategy, to authenticate requests.'/', passport.authenticate('2fa-totp', {
        successRedirect: '/',
        failureRedirect: '/login'


    Developers using the popular Express web framework can refer to an node-2fa as a starting point for their own web applications.


    $ npm install
    $ npm test


    npm i passport-2fa-totp

    DownloadsWeekly Downloads






    Last publish


    • ilich