TOTP authentication strategy for Passport.


Passport strategy for two-factor authentication using a TOTP value.

This module lets you authenticate using a TOTP value in your Node.js applications. By plugging into Passport, TOTP two-factor authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. TOTP values can be generated by hardware devices or software applications, including Google Authenticator.

Note that in contrast to most Passport strategies, TOTP authentication requires that a user already be authenticated using an initial factor. Requirements regarding when to require a second factor are a matter of application-level policy, and outside the scope of both Passport and this strategy.

$ npm install passport-totp

The TOTP authentication strategy authenticates a user using a TOTP value generated by a hardware device or software application (known as a token). The strategy requires a setup callback.

The setup callback accepts a previously authenticated user and calls done providing a key and period used to verify the HOTP value. Authentication fails if the value is not verified.

passport.use(new TotpStrategy(
  function(user, done) {
    TotpKey.findOne({ userId: }, function (err, key) {
      if (err) { return done(err); }
      return done(null, key.key, key.period);

Use passport.authenticate(), specifying the 'totp' strategy, to authenticate requests.

For example, as route middleware in an Express application:'/verify-otp', 
  passport.authenticate('totp', { failureRedirect: '/verify-otp' }),
  function(req, res) {
    req.session.authFactors = [ 'totp' ];

For a complete, working example, refer to the two-factor example.

$ npm install
$ make test

The MIT License

Copyright (c) 2013 Jared Hanson <>