two-factor-authentication-best-practices

by better-auth

two-factor-authentication-best-practices for Better Auth: install the twoFactor plugin, add client redirects, run migrations, verify schema, and implement TOTP, backup codes, trusted devices, and 2FA sign-in flows for Access Control.

Stars163

Favorites0

Comments0

AddedMar 30, 2026

CategoryAccess Control

Install Command

npx skills add better-auth/skills --skill two-factor-authentication-best-practices

Curation Score

This skill scores 78/100, which means it is a solid directory listing candidate: agents get a clear Better Auth-specific trigger, concrete setup steps, and usable API examples for implementing 2FA without starting from a generic MFA prompt. It is not top-tier because the repository evidence shows strong documentation in a single SKILL.md, but little supporting material such as install metadata, rules, or fuller workflow/constraint guidance.

78/100

Strengths

Strong triggerability: the description clearly targets MFA/2FA use cases in Better Auth, including TOTP, OTP, backup codes, trusted devices, and sign-in flows.
Operationally useful setup: it names required server and client plugins, migration step, and a concrete verification check for the `twoFactorSecret` column.
Real implementation leverage: code examples show server config, client config, redirect handling, and enabling 2FA with returned `totpURI` and backup codes.

Cautions

Support depth is limited to one markdown file with no scripts, references, or install command, so agents may still need to infer some execution details.
Structural signals show weak explicit workflow/constraint coverage, which may leave edge cases and sequencing less explicit than ideal.

Better Auth Auth Mfa Totp Two Factor Authentication Password Email Security

Overview

Overview of two-factor-authentication-best-practices skill

The two-factor-authentication-best-practices skill is a focused implementation guide for adding 2FA to a Better Auth setup, not a generic MFA explainer. It is best for developers who already use Better Auth and need working, low-guesswork guidance for TOTP apps, OTP delivery, backup codes, trusted-device handling, and the sign-in flow changes required by the twoFactor plugin.

What this skill helps you do

Use this skill when your real job is to ship a secure, working 2FA flow for Access Control with Better Auth: install the plugin, wire server and client pieces correctly, run migrations, and handle the user journey from setup through verification and recovery.

Best-fit users

This skill is a strong fit for:

Better Auth users adding MFA to an existing app
Teams that need practical two-factor-authentication-best-practices, not theory
Developers implementing login hardening with TOTP first, then fallback paths like backup codes or OTP delivery

What makes it different from a generic prompt

A normal prompt may describe MFA concepts. This skill is more useful when you need Better Auth-specific usage details:

server plugin setup with twoFactor()
client plugin setup with twoFactorClient()
migration and schema verification
enable flow behavior, including when 2FA becomes fully enabled
redirect handling during sign-in

What to know before installing

This skill is narrow by design. It assumes Better Auth is already in your stack. If you need vendor-neutral authentication architecture, compliance policy writing, or a comparison of MFA products, this is not the right starting point.

How to Use two-factor-authentication-best-practices skill

Install context for this skill

This skill lives in the better-auth/skills repository under better-auth/twoFactor. Because the repository evidence shows only a SKILL.md file and no helper scripts or references, expect the value to come from direct implementation guidance rather than automation.

If your environment uses a skill loader, install from the repo and target the twoFactor skill. If you are reading manually, open:

better-auth/twoFactor/SKILL.md

Read this file first

Start with SKILL.md before touching your app code. For this skill, that file contains the key decisions users care about most:

server setup
client setup
migration step
enable flow
TOTP verification behavior

This is a rare case where reading the single source file first is enough to decide fit quickly.

The minimum inputs the skill needs

To get useful output from the two-factor-authentication-best-practices skill, provide:

your Better Auth server config file path
your Better Auth client config file path
whether you want TOTP only or TOTP plus email/SMS OTP
your user table and migration status
your desired UX for setup, challenge, backup codes, and trusted devices

Without those details, the result tends to stay too generic.

Core setup path

The practical setup path shown by the skill is:

Add twoFactor() to the Better Auth server config
Set an issuer
Add twoFactorClient() to the client config
Run npx @better-auth/cli migrate
Verify your user table contains the expected 2FA secret column

That migration check matters because many failed installs are really schema mismatches, not plugin issues.

Server-side example to anchor your implementation

The skill centers server setup like this:

import { betterAuth } from "better-auth";
import { twoFactor } from "better-auth/plugins";

export const auth = betterAuth({
  appName: "My App",
  plugins: [
    twoFactor({
      issuer: "My App",
    }),
  ],
});

In practice, the important input is the issuer, because that affects authenticator app display and user trust during setup.

Client-side example and redirect handling

The client flow matters just as much as plugin install:

import { createAuthClient } from "better-auth/client";
import { twoFactorClient } from "better-auth/client/plugins";

export const authClient = createAuthClient({
  plugins: [
    twoFactorClient({
      onTwoFactorRedirect() {
        window.location.href = "/2fa";
      },
    }),
  ],
});

For two-factor-authentication-best-practices for Access Control, do not treat redirect handling as optional polish. It is part of the authentication flow. Decide early where your challenge screen lives and what state it needs.

How to prompt the skill well

A weak request:

"Help me add 2FA"

A strong request:

"I use Better Auth in a React app. My server config is in src/lib/auth.ts and my client auth setup is in src/lib/auth-client.ts. I want TOTP with backup codes, a /settings/security enrollment page, a /2fa challenge route, and a migration checklist. Show exact code changes and call out anything that can break the flow."

The stronger version gives the skill enough context to produce implementation-ready output instead of broad advice.

How to turn a rough goal into a complete prompt

Use this pattern for better two-factor-authentication-best-practices usage:

current stack: framework, Better Auth file locations
desired factors: TOTP, email OTP, SMS OTP, backup codes
UX points: enrollment page, challenge route, recovery flow
security rules: password verification, trusted devices, session behavior
output format: patch, checklist, code snippets, or review notes

Example:

Apply two-factor-authentication-best-practices to my Better Auth setup.
Server file: `server/auth.ts`
Client file: `web/auth-client.ts`
Need: TOTP enrollment, backup codes, trusted-device option, redirect to `/auth/2fa`
Also include migration verification and note when `twoFactorEnabled` becomes true.

Workflow that reduces mistakes

A reliable workflow is:

Confirm Better Auth is already working without 2FA
Add server plugin
Add client plugin and redirect handling
Run migration
Verify schema changes
Implement enrollment UI
Test first verification
Add backup code display and storage UX
Test sign-in challenge and recovery paths

This order matters because UI work done before migration and flow wiring often hides the real breakpoints.

Important behavior many teams miss

The skill notes a critical detail: twoFactorEnabled does not become true until the first TOTP verification succeeds. That affects:

onboarding logic
UI state after enrollment begins
audit logging
support expectations when users scan a QR code but never complete verification

This is exactly the kind of implementation detail that makes the skill more useful than a generic MFA prompt.

What this skill does not automate

There are no bundled scripts, rules, or support files in the repository path for this skill. So treat it as a high-signal guide, not a turnkey installer. You still need to:

adapt code to your framework
build the QR code UI
decide how backup codes are shown and acknowledged
test trusted-device and recovery behavior in your own app

two-factor-authentication-best-practices skill FAQ

Is this skill only for Better Auth?

Yes. This two-factor-authentication-best-practices guide is specifically about Better Auth's twoFactor plugin and related client plugin usage. If you are on Auth.js, Firebase Auth, Cognito, or a custom auth stack, use a different resource.

Is this good for beginners?

It is beginner-friendly only if you already have a working Better Auth installation. It is not a full introduction to authentication, databases, or migration workflows.

Does it cover TOTP only?

No. The skill description also points to OTP over email/SMS, backup codes, trusted devices, and sign-in flow handling. But the visible setup examples strongly emphasize TOTP, so expect TOTP to be the clearest path.

When should I not use this skill?

Skip this skill if:

you are not using Better Auth
you need a product comparison, not implementation help
you want broad two-factor-authentication-best-practices policy guidance without code
you need WebAuthn or passkeys as the main factor instead of Better Auth's 2FA plugin flow

Is this better than asking an AI model directly?

For Better Auth-specific 2FA work, usually yes. A generic model may suggest MFA patterns that do not match Better Auth's plugin APIs or activation behavior. This skill narrows the solution space to the right primitives.

Does it help with Access Control design?

Yes, within scope. The two-factor-authentication-best-practices for Access Control angle is strongest when you need to enforce step-up security around sign-in and account protection. It is less useful for broader authorization models like RBAC or ABAC.

How to Improve two-factor-authentication-best-practices skill

Give your actual file paths and current code shape

The fastest way to improve output quality is to provide the current server and client auth files. That lets the skill produce edits that match your import structure, plugin array shape, and routing patterns.

Specify the factor and recovery policy up front

Say exactly which flows you want:

TOTP only
TOTP plus backup codes
TOTP plus email/SMS fallback
trusted-device support
password re-verification before enrollment

These choices materially change the output. If you omit them, the skill has to guess.

Ask for migration and verification steps explicitly

A common failure mode is getting code snippets without the operational checks. Request:

migration command
schema verification step
expected column presence
test cases for enrollment and sign-in challenge

That makes the two-factor-authentication-best-practices install process safer.

Ask the skill to separate setup from UX

Request output in sections:

plugin installation
schema changes
enrollment UI
challenge flow
backup/recovery handling
test checklist

This prevents mixed answers where code, routing, and policy advice are blended together.

Watch for these common failure modes

Most bad outcomes come from:

forgetting the client plugin
missing redirect logic
not running migration
assuming 2FA is enabled before first verification
implementing QR display without backup code handling
treating trusted devices as a UI-only feature

If you see one of these gaps in the first answer, ask for a corrected flow review.

Iterate after the first draft

After the skill gives you an implementation plan, improve it by asking:

"What edge cases are missing?"
"Review this flow for lockout risk."
"Add test scenarios for failed TOTP, backup code use, and device trust."
"Rewrite this for my exact route structure."

That second pass is often where the skill becomes genuinely deployment-ready.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

azure-identity-py

by microsoft

azure-identity-py helps set up Azure authentication in Python with Microsoft Entra ID. Use it to choose DefaultAzureCredential, managed identity, or service principal auth, configure environment variables, and troubleshoot access control and credential chain issues. Install guidance, usage patterns, and practical setup notes are based on the repo skill file.

Access Control

Favorites 0GitHub 2.2k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

detecting-anomalous-authentication-patterns

by mukul975

detecting-anomalous-authentication-patterns helps analyze authentication logs for impossible travel, brute force, password spraying, credential stuffing, and compromised-account activity. Built for Security Audit, SOC, IAM, and incident response workflows with baseline-aware detection and evidence-backed sign-in analysis.

Security Audit

Favorites 0GitHub 0

auditing-kubernetes-cluster-rbac

by mukul975

auditing-kubernetes-cluster-rbac helps audit Kubernetes RBAC for overbroad roles, risky bindings, secret access, and privilege escalation paths. It is built for security audit workflows across EKS, GKE, AKS, and self-managed clusters, with practical guidance for kubectl, rbac-tool, KubiScan, and Kubeaudit.

Security Audit

Favorites 0GitHub 0

auditing-gcp-iam-permissions

by mukul975

auditing-gcp-iam-permissions helps review Google Cloud IAM access for risky bindings, primitive roles, public access, service account exposure, and cross-project paths. This access-control audit skill is built for evidence-driven reviews with gcloud, Cloud Asset, IAM Recommender, and Policy Analyzer.

Access Control

Favorites 0GitHub 0

auditing-aws-s3-bucket-permissions

by mukul975

The auditing-aws-s3-bucket-permissions skill helps you audit AWS S3 buckets for public exposure, overly permissive ACLs, weak bucket policies, and missing encryption. Built for Security Audit workflows, it supports a repeatable least-privilege review with AWS CLI and boto3-oriented guidance, plus practical install and usage notes.

Security Audit

Favorites 0GitHub 0

configuring-microsegmentation-for-zero-trust

by mukul975

The configuring-microsegmentation-for-zero-trust skill helps design and validate least-privilege workload-to-workload policies for zero trust environments. Use this guide to segment applications, reduce lateral movement, and turn observed traffic into enforceable rules for Security Audit and operations.

Security Audit

Favorites 0GitHub 0

security-scan

by affaan-m

The security-scan skill audits your Claude Code .claude/ configuration for secrets, risky MCP setup, injection-prone instructions, dangerous bypass flags, and weak agent or hook definitions using AgentShield. Use it for repeatable security checks before committing or onboarding.

Security Audit

Favorites 0GitHub 156.3k

laravel-security

by affaan-m

The laravel-security skill is a practical Laravel security checklist for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. Use it for audits, feature reviews, and hardening work in Laravel apps.

Security Audit

Favorites 0GitHub 156.2k

git-guardrails-claude-code

by mattpocock

git-guardrails-claude-code adds a PreToolUse hook to block dangerous git commands before Claude Code runs them. Install it to prevent destructive pushes, hard resets, forced cleans, and branch deletes, with scoped control for this project or all projects. Useful when you need git-guardrails-claude-code for Access Control boundaries in Claude Code.

Access Control

Favorites 0GitHub 66k

k8s-security-policies

by wshobson

k8s-security-policies helps teams draft Kubernetes NetworkPolicy, Pod Security Standards labels, and RBAC patterns using repo-backed templates and references for hardening and audit-ready rollout planning.

Security Audit

Favorites 0GitHub 32.6k

auth-implementation-patterns

by wshobson

auth-implementation-patterns is a practical skill for designing and implementing authentication and authorization patterns, including sessions, JWT, OAuth2/OIDC, RBAC, and access control checks for APIs and apps.

Access Control

Favorites 0GitHub 32.6k

security-and-hardening

by addyosmani

The security-and-hardening skill helps harden application code before release. Use it for user input, auth, sessions, sensitive data, file uploads, webhooks, and external services, with concrete checks like input validation, parameterized queries, output encoding, secure cookies, HTTPS, and secrets handling.

Security Audit

Favorites 0GitHub 18.7k

exploiting-kerberoasting-with-impacket

by mukul975

exploiting-kerberoasting-with-impacket helps authorized testers plan Kerberoasting with Impacket GetUserSPNs.py, from SPN enumeration to TGS ticket extraction, offline cracking, and detection-aware reporting. Use this exploiting-kerberoasting-with-impacket guide for penetration testing workflows with clear install and usage context.

Penetration Testing

Favorites 0GitHub 6.2k

exploiting-idor-vulnerabilities

by mukul975

exploiting-idor-vulnerabilities helps authorized security audits test Insecure Direct Object Reference flaws across APIs, web apps, and multi-tenant systems with cross-session checks, object mapping, and read/write verification.

Security Audit

Favorites 0GitHub 6.2k

detecting-azure-service-principal-abuse

by mukul975

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

Security Audit

Favorites 0GitHub 6.1k