Two-Factor Authentication

LaunchFast includes built-in two-factor authentication using TOTP (Time-based One-Time Passwords). Users can enable 2FA from their profile settings using any authenticator app.

Enabling 2FA

Users enable 2FA from the settings page at /settings/security/two-factor. The flow generates a TOTP secret, displays it as a QR code for the authenticator app, and verifies the first code before activation.
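The two steps of that flow, as an added illustration rather than LaunchFast's own code: a secret is minted and rendered as an otpauth URI (the thing behind the QR code), and 2FA is only marked active once a first code from the app verifies against that secret. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 using Node's `crypto`; the function names, the `PendingEnrollment` shape and the 30-second step are assumptions of this example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto'

const STEP_SECONDS = 30 // assumed TOTP period
const DIGITS = 6 // assumed code length

// RFC 4648 base32 alphabet: the encoding authenticator apps expect in otpauth:// URIs.
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

export function base32Encode(buf: Buffer): string {
  let bits = 0
  let value = 0
  let out = ''
  for (let i = 0; i < buf.length; i++) {
    value = ((value << 8) | buf.readUInt8(i)) & 0xffff
    bits += 8
    while (bits >= 5) {
      out += B32.charAt((value >>> (bits - 5)) & 31)
      bits -= 5
    }
  }
  if (bits > 0) out += B32.charAt((value << (5 - bits)) & 31)
  return out
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
export function hotp(secret: Buffer, counter: number, digits = DIGITS): string {
  const msg = Buffer.alloc(8)
  msg.writeBigUInt64BE(BigInt(counter))
  const mac = createHmac('sha1', secret).update(msg).digest()
  const offset = mac.readUInt8(mac.length - 1) & 0x0f
  const binary = mac.readUInt32BE(offset) & 0x7fffffff
  return String(binary % 10 ** digits).padStart(digits, '0')
}

// TOTP (RFC 6238): HOTP with the counter derived from the current time step.
export function totp(secret: Buffer, nowSeconds: number): string {
  return hotp(secret, Math.floor(nowSeconds / STEP_SECONDS))
}

// Accept the current step plus one step either side to absorb clock drift, comparing in
// constant time so a wrong guess does not leak timing information about the right code.
export function verifyTotp(secret: Buffer, code: string, nowSeconds: number, window = 1): boolean {
  if (code.length !== DIGITS || !/^\d+$/.test(code)) return false
  const step = Math.floor(nowSeconds / STEP_SECONDS)
  let ok = false
  for (let i = -window; i <= window; i++) {
    if (timingSafeEqual(Buffer.from(hotp(secret, step + i)), Buffer.from(code))) ok = true
  }
  return ok
}

export interface PendingEnrollment {
  secret: Buffer
  otpauthUri: string
}

// Step 1 of the enable flow: mint a secret and the otpauth URI that gets rendered as a QR code.
// Nothing is active yet; the secret lives only in the pending enrollment until a code verifies.
export function startEnrollment(issuer: string, accountName: string): PendingEnrollment {
  const secret = randomBytes(20)
  const label = encodeURIComponent(`${issuer}:${accountName}`)
  const otpauthUri =
    `otpauth://totp/${label}?secret=${base32Encode(secret)}` +
    `&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=${DIGITS}&period=${STEP_SECONDS}`
  return { secret, otpauthUri }
}

// Step 2: the user submits the first code from their app. Only a valid code activates 2FA,
// which proves the app really holds the secret before the account starts depending on it.
export function completeEnrollment(
  pending: PendingEnrollment,
  code: string,
  nowSeconds: number,
): { twoFactorEnabled: boolean; secret: Buffer | null } {
  if (!verifyTotp(pending.secret, code, nowSeconds)) return { twoFactorEnabled: false, secret: null }
  return { twoFactorEnabled: true, secret: pending.secret }
}
```

The verification window of one step each side is a trade-off: wider windows tolerate more clock drift on the phone but give a guessed code more chances to match, so keep it small and rate-limit code submissions on the route.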

Verification window

When a user has 2FA enabled, protected actions require a successful 2FA verification within the previous 2 hours; if the last verification is older than that, the user is prompted to enter their code again before the action proceeds. Protected actions include:

  • Changing their email address
  • Disabling 2FA
  • Other destructive account actions

The shouldRequestTwoFA utility

The shouldRequestTwoFA utility in app/routes/_auth+/login.server.ts determines whether a user needs to provide their 2FA code. It checks whether the user has 2FA enabled and whether they have verified within the 2-hour window.

Use this utility to protect any action that should require recent 2FA verification.
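The decision described above, written out as an added example that is not the project's `shouldRequestTwoFA` implementation: the check is "2FA enabled and no verification inside the 2-hour window", and a guard wrapper shows how a protected route handler would act on it. The `TwoFAState` shape, where the last-verified timestamp is kept, and the `runProtectedAction` / `recordTwoFAVerification` names are assumptions of this example.

```typescript
// Re-verification window from the docs: protected actions need a 2FA check within the last 2 hours.
export const TWO_FA_WINDOW_MS = 2 * 60 * 60 * 1000

// Hypothetical shape of the state the check needs; where the project persists it is not shown here.
export interface TwoFAState {
  twoFactorEnabled: boolean
  // Milliseconds since the epoch of the last successful code entry, or null if never verified.
  twoFactorVerifiedAt: number | null
}

// Mirrors the documented rule: users without 2FA are never prompted; users with 2FA are
// prompted unless a verification is recorded inside the window. A missing timestamp and a
// timestamp in the future (clock skew or a tampered value) both count as "not verified".
export function needsTwoFAReverification(state: TwoFAState, nowMs: number): boolean {
  if (!state.twoFactorEnabled) return false
  if (state.twoFactorVerifiedAt === null) return true
  const elapsed = nowMs - state.twoFactorVerifiedAt
  return elapsed < 0 || elapsed >= TWO_FA_WINDOW_MS
}

// Called after the user enters a valid code; returns the updated state rather than mutating.
export function recordTwoFAVerification(state: TwoFAState, nowMs: number): TwoFAState {
  return { ...state, twoFactorVerifiedAt: nowMs }
}

export type GuardResult<T> =
  | { kind: 'verify'; returnTo: string } // caller should send the user to the 2FA prompt
  | { kind: 'ok'; value: T } // verification is fresh; the action ran

// Wraps a protected action (email change, disabling 2FA, ...) so it only runs when the
// check passes. `returnTo` is carried along so the user lands back on the action afterwards.
export function runProtectedAction<T>(
  state: TwoFAState,
  nowMs: number,
  returnTo: string,
  action: () => T,
): GuardResult<T> {
  if (needsTwoFAReverification(state, nowMs)) return { kind: 'verify', returnTo }
  return { kind: 'ok', value: action() }
}
```

Keeping the window check in one function and routing every destructive action through the wrapper is what makes "protect any action that should require recent 2FA verification" cheap to audit: a grep for `runProtectedAction` lists the protected routes.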