TOTP Verification
LaunchFast uses @epic-web/totp, an implementation of Time-based One-Time Passwords (RFC 6238), as the foundation for all verification flows. TOTP secrets, together with the metadata needed to check a code against them, are stored in a verification model in the Prisma schema.
Verification model
The verification model stores TOTP secrets and metadata for all verification use cases. This single model handles both temporary codes (emailed to users) and persistent secrets (for 2FA authenticator apps).
Use cases
- Onboarding — email verification during signup
- Forgot password — verifying ownership before password reset
- Email change — confirming the new email address
- Two-factor authentication — persistent TOTP secrets for authenticator apps
Temporary vs persistent codes
Temporary codes are derived from a freshly generated secret, emailed to the user, and consumed on first successful use. They prove control of the email address they were sent to, so their validity window should stay short: an emailed code is only as safe as the mailbox it lands in.
Persistent secrets are stored long term and enrolled in the user's authenticator app for two-factor authentication. The secret stays valid until the user disables 2FA; the individual codes derived from it are still only valid for their TOTP time step, as with any TOTP.