
Two-Factor Auth Guide

Verified by Community

Guides implementation of 2FA/MFA systems covering TOTP, WebAuthn/passkeys, SMS backup, recovery codes, and user experience design for authentication flows.

Tags: security, 2FA, MFA, authentication, TOTP, passkeys


Implement and manage two-factor authentication correctly for both users and developers. Covers TOTP apps, hardware keys, passkeys, recovery flows, and the UX of secure authentication.

Usage

Specify whether you're implementing 2FA in an application or setting it up for personal accounts. The guide provides implementation details for developers or setup instructions for users.

Parameters

  • Role: Developer implementing 2FA, or User setting up personal 2FA
  • Method: TOTP (authenticator app), WebAuthn/Passkey, SMS, or Email
  • Platform: Web application, Mobile app, or Personal accounts
  • Priority: Security-first or User experience balance

Examples

  1. Developer TOTP Implementation: Complete guide for adding TOTP-based 2FA to a web application — QR code generation, secret storage, verification logic, backup codes, and account recovery flows.
  2. Personal Account Lockdown: Set up 2FA on the 10 most critical personal accounts (email, banking, social) with authenticator app recommendations, backup strategy, and hardware key setup.
  3. WebAuthn/Passkey Integration: Implement passwordless authentication using WebAuthn — credential creation, assertion verification, cross-device flows, and platform authenticator detection.
  4. Enterprise MFA Rollout: Plan for deploying MFA across an organization — phased rollout, user communication, help desk training, and exception handling for non-compliant devices.

Guidelines

  • TOTP is recommended over SMS due to SIM-swap and interception vulnerabilities
  • WebAuthn/passkeys are recommended as the most phishing-resistant option available
  • Recovery codes are generated, displayed once, and stored securely by the user
  • Account recovery procedures balance security with preventing permanent lockout
  • QR code enrollment includes manual entry option for accessibility
  • Rate limiting on verification attempts prevents brute-force attacks on 6-digit codes
  • Time window tolerance handles clock skew (typically +/- 1 period for TOTP)
  • Backup methods are required — single-method 2FA causes lockout emergencies
  • User experience research shows enrollment completion rates for different flows
  • Hardware security keys (YubiKey) are recommended for high-value accounts
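The verification-side guidelines above (a +/- 1 period skew window, rate limiting on 6-digit codes, and recovery codes shown once and stored securely) as one worked example in Python. This is an added illustration, not code from the guide; RFC 6238 TOTP over HMAC-SHA1 is implemented directly, while the lockout threshold, the replay check and the recovery-code format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct

PERIOD = 30       # TOTP time step in seconds
DIGITS = 6
SKEW = 1          # accept +/- 1 period of clock drift, as the guideline states
MAX_FAILURES = 5  # constructed lockout threshold, not a value from the guide

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / PERIOD)."""
    return hotp(secret, now // PERIOD)

class TotpVerifier:
    """Per-user verifier: skew window, replay rejection and attempt limiting."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked: 10**6 possible codes fall quickly without a limit
        step = now // PERIOD
        for counter in range(step - SKEW, step + SKEW + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.secret, counter), code):
                self.failures = 0
                self.last_counter = counter  # a code is valid once, even inside the window
                return True
        self.failures += 1
        return False

def generate_recovery_codes(count: int = 8) -> tuple[list[str], set[str]]:
    """Codes to display to the user once, plus the hashes to persist server-side."""
    codes = [secrets.token_hex(8) for _ in range(count)]  # 64 bits each: plain SHA-256 suffices
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_recovery_code(stored_hashes: set[str], code: str) -> bool:
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)  # each backup code works exactly once
        return True
    return False
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors (e.g. time 59 with secret `12345678901234567890` gives `287082`), which is the quickest way to check an implementation before wiring it to enrollment.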