Back to blog

Announcing 2FA: Enhance your application's security.

Improve your application's security by adding an additional layer of protection.

At Appwrite, our mission is to eliminate technical barriers. A key part of this mission is making your applications more secure. With Appwrite 1.5, we’re excited to announce that we are adding support for Two-Factor Authentication (2FA) to Appwrite Authentication, providing an extra layer of security for your end users' accounts.

Introducing Appwrite 2FA

Appwrite 2FA helps increase the security of your apps by adding an additional layer of protection after the regular authentication process. When 2FA is enabled, a malicious actor must compromise multiple authentication factors to gain unauthorized access. This offers a number of benefits:

  • Increased account security: Adds a critical second verification step, significantly reducing the risk of unauthorized access.

  • Mitigation of data breach risks: In today's digital age, where data breaches are increasingly common, 2FA acts as a formidable barrier against unauthorized access, protecting sensitive user information.

  • Compliance with security regulations: 2FA helps adhere to strict security standards and regulations, safeguarding not just user data but also ensuring that your application meets industry-specific legal requirements.

  • Trust and integrity: By implementing 2FA, you signal to your users a strong commitment to protecting their data, thereby building trust and maintaining the integrity of your application.

Methods available for 2FA

Currently, Appwrite offers three methods for implementing the second factor:

MethodDescription
Time-based one-time passwords (TOTP)This method allows a user to leverage common authenticator apps like Google Authenticator or Twilio Authy that provide a TOTP for authentication.
EmailsThis method sends a one-time password (6-digit code) to the user’s email address for authentication.
SMSThis method sends a one-time password (6-digit code) to the user’s phone number for authentication.

Implementing 2FA in your apps

One great aspect of Appwrite 2FA is that it can be used in conjunction with any existing authentication method you have implemented using Appwrite Auth. You can implement 2FA in your application via the following several steps.

Step 1: Enable 2FA on an account

To use 2FA, it needs to be enabled on a user’s account. This can be achieved by calling account.updateMFA().

Web
import { Client, Account } from "appwrite";

// Init SDK
const client = new Client();

client
    .setEndpoint('https://cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<PROJECT_ID>'); // Your project ID

const account = new Account(client);

// Include any account creation/management steps

const mfa = await account.updateMFA(true); // Enables 2FA

Note: You will need to have added more than 1 factor of authentication to an account before the MFA is enforced.

Step 2: Initialize login and check for multiple factors

Begin your login flow with the default authentication method used by your app (for example, email password).

JavaScript
const user = await account.createEmailPasswordSession(
    'email@example.com',   // email
    'password'             // password
);

Upon successful login in the first authentication step, check the status of the login by calling account.get(). If you receive the error user_more_factors_required, redirect to perform the second factor.

JavaScript
try {
    const response = await account.get();
} catch (error) {
    if (error.type === `user_more_factors_required`){
        // redirect to perform 2FA
    }
    else {
        // handle other errors
    }
}

Step 3: Check enabled factors

To confirm which providers are enabled for an account, you can call account.listProviders().

JavaScript
const factors = await account.listFactors();

console.log(factors);

The returned object will be formatted as follows:

JavaScript
{
    totp: true, // time-based one-time password
    email: false, // email
    phone: true // phone
}

Step 4: Create challenge

Based on the enabled providers, you can initialize the additional auth step. Calling these methods will send a challenge to the user. Ensure you save the challenge ID to complete the challenge in a later step.

JavaScript
const challenge = await account.createChallenge(
    'phone'   // factor
);

// Save the challenge ID to complete the challenge later
const challengeId = challenge.$id;

Step 5: Complete challenge

Once the user receives the challenge code, you can pass the code back to Appwrite to complete the challenge.

JavaScript
const challenge = await account.updateChallenge(
    '<CHALLENGE_ID>',   // challengeId
    '<OTP>'             // otp
);

And just like that, you have implemented 2FA using Appwrite!

While Appwrite currently allows two factors of authentication, we intend to make more factors available soon.

Resources

Visit our documentation to learn more about Appwrite, join us on Discord to be part of the discussion, view our blog and YouTube channel, or visit our GitHub repository to see our open-source code.

2FA will be available as part of the Appwrite 1.5 release on GitHub and Cloud in March 2024.

Subscribe to our newsletter

Sign up to our company blog and get the latest insights from Appwrite. Learn more about engineering, product design, building community, and tips & tricks for using Appwrite.